I’m doing some GPO cleanup and have identified GPOs that are disabled and/or not linked, but I also want to go through and find ones that don’t have any security filtering.
What I have so far is:
Get-GPO -All | Get-GPPermission -All | where permission -notmatch "gpoapply"
But what I don’t know how to do is search based on NOT having gpoapply and also return the name of the GPO. I’m not locked down to this method of searching if someone has a better way.
Thoughts? Thanks!
Well, I did this:
Get-GPO -All |
%{
    If ( $_ | Get-Gppermissions -all | where permission -NotMatch "gpoapply" )
    {
        Write-Host $_.DisplayName
    }
}
and was able to get the display names, but that identified the flaw in my logic. Every GPO will have entries that don’t match gpoapply!
Back to the drawing board…
I’ve had the fun of working with GPOs recently as well and thought I would check to see if I could take a stab at it. Try the below:
Get-GPO -All | ForEach-Object {
    if ((Get-GPPermission -Guid $_.id -All).permission -notcontains "GpoApply")
    {
        Write-Output $_
    }
}
I’m returning the whole object there - you can of course modify this down to suit your needs (example: write-output $_.displayname), but I have learned after being bitten multiple times that when I filter output too early I almost always end up needing more of the object later on.
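For the cleanup report discussed in this thread, the same GpoApply check can be extended to list who each GPO is filtered to. This is an added example, not code from any poster above; it assumes the GroupPolicy module (RSAT/GPMC) and domain read access, and the report property names (ApplyTrustees, CustomTrustees, NoSecurityFilter) are made up for illustration.

```powershell
# Added example: requires the GroupPolicy module and a domain-joined session.
Import-Module GroupPolicy

# Hypothetical helper: show the trustee name, or the raw SID when the
# account no longer resolves (orphaned ACL entry left by a deleted group).
function Get-TrusteeLabel($Trustee) {
    if ($Trustee.Name) { $Trustee.Name } else { $Trustee.Sid.Value }
}

$report = foreach ($gpo in Get-GPO -All) {
    # Every ACL entry on this GPO (trustee + permission level).
    $perms = @(Get-GPPermission -Guid $gpo.Id -All)

    # Trustees with "Apply group policy", i.e. the security filter.
    $applyTo = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { Get-TrusteeLabel $_.Trustee })

    # GpoCustom is a non-standard ACE combination; it is not counted as a
    # filter here, so list it for manual review in GPMC before deleting.
    $custom = @($perms | Where-Object { $_.Permission -eq 'GpoCustom' } |
        ForEach-Object { Get-TrusteeLabel $_.Trustee })

    [pscustomobject]@{
        DisplayName      = $gpo.DisplayName
        Id               = $gpo.Id
        GpoStatus        = $gpo.GpoStatus
        ApplyTrustees    = $applyTo -join '; '
        CustomTrustees   = $custom -join '; '
        NoSecurityFilter = ($applyTo.Count -eq 0)
    }
}

# GPOs that apply to nobody through a standard GpoApply entry.
$report | Where-Object NoSecurityFilter | Sort-Object DisplayName |
    Format-Table DisplayName, GpoStatus, CustomTrustees -AutoSize
```

Keeping the full `$report` collection lets the same run be piped to Export-Csv or filtered by GpoStatus later without querying the domain again.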