evotecit / gpozaurr Goto Github PK
Group Policy Eater is a PowerShell module that aims to gather information about Group Policies but also allows fixing issues that you may find in them.
Under the "Warnings & Error Section", can the errors be adjusted to be more user-friendly? It is unclear why these are problems. I looked up a good chunk of the user/group SIDs found and could locate them.
.EXAMPLE
.COMMENT USED
Cannot convert value "S-1-5-18" to type "System.Guid". Error: "Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)."
.SUGGESTION
.REFERENCE
According to: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows
"S-1-5-18" = Name: Local System | Description: A service account that is used by the operating system.
.ALTERNATIVE ERROR COMMENT
Contains value of a 'Local System Account'
.EXAMPLE
.COMMENT USED
Cannot convert value "S-1-5-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX" to type "System.Guid". Error: "Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)."
.ALTERNATE POST-PROCESSING
```powershell
### I'm sure you can make this more elegant
$sids = @("S-1-5-21-0123456789-0123456789-0123456789-1108")
# Domain user/group/computer SIDs look like S-1-5-21-<three domain sub-authorities>-<RID>.
# .NET regexes take no / delimiters, so the pattern is written without them.
$UserGroupPattern = [Regex]::new('^S-1-5-21-\d{8,10}-\d{8,10}-\d{8,10}-\d+$')
Foreach ($sid in $sids) {
    # IsMatch returns a Boolean; Matches would return a (possibly empty) collection
    If ($UserGroupPattern.IsMatch($sid)) {
        Get-ADObject -IncludeDeletedObjects -Filter "objectSid -eq '$sid'" | Select-Object name, objectClass
    } else {
        "not a User or Group SID"
    }
}
```
.ALTERNATE ERROR COMMENT
SID is a user or group
and TargetName is empty, so while the errors are undoubtedly accurate, they don't specify to which GPO they are referring, or why they are errors exactly.
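The classification the post above asks for, as an added example that is not GPOZaurr code: it turns a SID string that fails the `[System.Guid]` conversion into a kind and a friendly name instead of a cast error. The well-known SIDs and RIDs come from the Microsoft security-identifiers article linked above; the function name and the sample SIDs at the bottom are my own.

```powershell
# Well-known SIDs that are identical in every forest (subset; see the Microsoft article linked above)
$WellKnownSid = @{
    'S-1-0-0'      = 'Nobody'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-9'      = 'Enterprise Domain Controllers'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-18'     = 'Local System'
    'S-1-5-19'     = 'Local Service'
    'S-1-5-20'     = 'Network Service'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# RIDs that every domain issues under its own S-1-5-21-<domain> prefix
$WellKnownRid = @{
    500 = 'Administrator'; 501 = 'Guest'; 512 = 'Domain Admins'; 513 = 'Domain Users'
    515 = 'Domain Computers'; 516 = 'Domain Controllers'; 518 = 'Schema Admins'
    519 = 'Enterprise Admins'; 520 = 'Group Policy Creator Owners'
}

function Resolve-SidDescription {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $Sid,
        # Look up domain-specific RIDs in AD; needs the ActiveDirectory module and domain access
        [switch] $ResolveFromDirectory
    )
    process {
        $Result = [ordered]@{ Sid = $Sid; Kind = 'Unknown'; Name = $null; Rid = $null }
        $Guid = [guid]::Empty
        if ([guid]::TryParse($Sid, [ref] $Guid)) {
            # This is what the GUID conversion expected; nothing to translate
            $Result.Kind = 'Guid'
        } elseif ($WellKnownSid.ContainsKey($Sid)) {
            $Result.Kind = 'WellKnown'
            $Result.Name = $WellKnownSid[$Sid]
        } elseif ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(?<Rid>\d+)$') {
            # Domain SID: the prefix identifies the domain, the last sub-authority is the RID
            $Rid = [int] $Matches.Rid
            $Result.Rid = $Rid
            if ($WellKnownRid.ContainsKey($Rid)) {
                $Result.Kind = 'DomainBuiltin'
                $Result.Name = $WellKnownRid[$Rid]
            } else {
                # RIDs from 1000 upwards are ordinary users, groups and computers
                $Result.Kind = 'DomainObject'
                if ($ResolveFromDirectory) {
                    $Object = Get-ADObject -IncludeDeletedObjects -Filter "objectSid -eq '$Sid'"
                    if ($Object) { $Result.Name = "$($Object.objectClass): $($Object.Name)" }
                    else { $Result.Name = 'not found (deleted or foreign-domain object?)' }
                }
            }
        }
        [PSCustomObject] $Result
    }
}

# Constructed sample input: the value from the warning above, a custom and a
# built-in domain RID, a BUILTIN group, and a real GPO GUID for contrast
$SampleSids = @(
    'S-1-5-18',
    'S-1-5-21-0123456789-0123456789-0123456789-1108',
    'S-1-5-21-0123456789-0123456789-0123456789-512',
    'S-1-5-32-544',
    '31B2F340-016D-11D2-945F-00C04FB984F9'
)
$SampleSids | Resolve-SidDescription | Format-Table -AutoSize
```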
I read an article, "Sending GPOs Down the Wrong Track – Redirecting the GPT", about redirected Group Policy template paths. Is it possible to check for that in gpozaurr?
I love the gpozaurr module. Thank you for your hard work and compassion.
Hi! We have the problem that GPOZaurr is reporting GPOs as empty that have been created using a 3rd party MMC extension. In our case, the affected GPOs contain Citrix policies.
Hello EvotecIT,
first of all, great work with this module.
I have tried running this in my environment and get the following error; please advise how I can resolve it.
Netlogon Owners
Get-WinADObject : Cannot bind argument to parameter 'Identity' because it is null.
At C:\Program Files\WindowsPowerShell\Modules\GPOZaurr\0.0.114\GPOZaurr.psm1:15648 char:64
~~~~~~~~~~
[i][Start] NetLogon Permissions
Get-WinADObject : Cannot bind argument to parameter 'Identity' because it is null.
At C:\Program Files\WindowsPowerShell\Modules\GPOZaurr\0.0.114\GPOZaurr.psm1:15648 char:64
~~~~~~~~~~
The OU scan appears to only see Users, Computers and Groups when giving the recommendation to delete an "empty" OU. Manually going through the list I noticed a couple of our recommended OUs to delete were well populated with printer objects.
Hi there! Unfortunately, the new -SplitReports parameter is always splitting reports for me. I have tried forcing a reload of the module and using "-SplitReports $false", but no joy.
I think the function "Reset-GPOZaurrStatus" may be setting this to $true somehow.
Hello,
Thanks for your job.
I have installed your module, but the module is not running.
```text
PS C:\Users\administrateur> Import-Module GPOZaurr
PS C:\Users\administrateur> Get-Module

ModuleType Version Name                             ExportedCommands
Binary     1.0.0.0 CimCmdlets                       {Export-BinaryMiLog, Get-CimAssociatedInstance, Get-CimClass, Get-CimInstance...}
Script     0.0.114 GPOZaurr                         {Get-GPOZaurrBrokenLink, Get-GPOZaurrPermissionAnalysis, Get-GPOZaurrPermissionIssue, Invoke-GPOZaurrContent...}
Manifest   3.1.0.0 Microsoft.PowerShell.Management  {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...}
Manifest   3.0.0.0 Microsoft.PowerShell.Security    {ConvertFrom-SecureString, ConvertTo-SecureString, Get-Acl, Get-AuthenticodeSignature...}
Manifest   3.1.0.0 Microsoft.PowerShell.Utility     {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Script     2.0.0   PSReadline                       {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PSReadLineKeyHandler, Set-PSReadLineKeyHandler...}
Script     0.0.131 PSWriteHTML                      {Add-HTML, Add-HTMLScript, Add-HTMLStyle, ConvertTo-CascadingStyleSheets...}

PS C:\Users\administrateur> Invoke-GPOZaurr
Invoke-GPOZaurr : Le terme « Invoke-GPOZaurr » n'est pas reconnu comme nom d'applet de commande, fonction, fichier de script ou programme exécutable. Vérifiez l'orthographe du nom, ou si un chemin d'accès existe, vérifiez que le chemin d'accès est correct et réessayez.
Au caractère Ligne:1 : 1
+ CategoryInfo          : ObjectNotFound: (Invoke-GPOZaurr:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

PS C:\Users\administrateur>
```
Help please
The command used to not split the reports when run alone. Do I need to add a new parameter to the command to get the full report in one html?
Hello,
First of all I would like to say thank you for all your hard work.
It seems that there's an issue with the latest release when trying to run the below:
Invoke-GPOZaurr -Domain myLab.local -FilePath .\report.html
```text
PS C:\> $Error[-2] | Format-List * -Force

PSMessageDetails      :
Exception             : Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException: Directory object not found ---> System.ServiceModel.FaultException: The failed operation was attempted on a non-existent directory object.
                        --- End of inner exception stack trace ---
                        at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForExtendedError(String extendedErrorMessage, Exception innerException)
                        at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, String extendedErrorMessage, Exception innerException)
                        at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetail(FaultDetail faultDetail, FaultException faultException)
                        at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault adwsFault, FaultException faultException)
                        at Microsoft.ActiveDirectory.Management.AdwsConnection.Search(ADSearchRequest request)
                        at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Search(ADSessionHandle handle, ADSearchRequest request)
                        at Microsoft.ActiveDirectory.Management.ADObjectSearcher.PagedSearch(Object& pageCookie, Boolean& hasSizeLimitExceeded, Int32 pageSize, Int32 sizeLimit)
                        at Microsoft.ActiveDirectory.Management.ADObjectSearchResultEnumerator.System.Collections.IEnumerator.MoveNext()
                        at Microsoft.ActiveDirectory.Management.Commands.ADFactory`1.<GetExtendedObjectFromFilter>d__33.MoveNext()
                        at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase`3.OutputSearchResults(IADOPathNode filter)
                        at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase`3.ADGetCmdletBaseBeginCSRoutine()
                        at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
                        at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.BeginProcessing()
TargetObject          :
CategoryInfo          : ObjectNotFound: (:) [Get-ADObject], ADIdentityNotFoundException
FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADObject
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at Get-WinADDuplicateObject, C:\Program Files\WindowsPowerShell\Modules\GPOZaurr\1.1.0\GPOZaurr.psm1: line 2584
                        at Get-GPOZaurrDuplicateObject, C:\Program Files\WindowsPowerShell\Modules\GPOZaurr\1.1.0\GPOZaurr.psm1: line 21390
                        at <ScriptBlock>, C:\Program Files\WindowsPowerShell\Modules\GPOZaurr\1.1.0\GPOZaurr.psm1: line 14612
                        at Invoke-GPOZaurr, C:\Program Files\WindowsPowerShell\Modules\GPOZaurr\1.1.0\GPOZaurr.psm1: line 24436
                        at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {}
```
Use GPOAnalysis to find folders/shares (for mapping/running scripts) where Everyone has full control or similar.
Request to either add Windows Settings -> Folder Redirection details (including source and target) to the Folder Redirection tab in the GPOAudit report, or either have a separate tab or separate report for this.
It would be beneficial to have a quick look at all folder redirection targets to spot problems (e.g. invalid servers or paths, servers referenced only via NETBIOS vs FQDN, etc.)
Currently a list of GPOs that have this setting set can be generated from the GPOReport report by filtering on the 'UserPolicies' column for 'Folder Redirection'. However, from there, one has to touch each GPO to find out the redirection target information. This can be tedious if there are many GPOs with folder redirection settings enabled.
Requesting a section be added for the finding GPOs that are adjusting Windows Time/NTP Settings.
These settings are located at: Computer Configuration/Administrative Templates/System/Windows Time Service
Specifically the most important settings are "Configure Windows NTP Client" and the option NTPServer within that.
Cannot convert value "4294967295" to type "System.Int32". Error: "Value was either too large or too small for an Int32."
GPOZarr.psm1:4034 char 17
+FullyQualifiedErrorId : InvalidCastFromStringToInteger
and had another on value "4294967295"
I recently ran a GPOAnalysis against our domain, and the Folder Redirect tab only pulled 2 of our GPOs that have folder redirects configured. We have more GPOs than this that do have this setting, of which I'm trying to get a proper count. But a quick spot-check showed that at least one that is present in the forest that wasn't captured in the report.
I noticed this exists in the GPOConsistency report output, but I think it would make sense to also have it in the GPOList output as well.
Hello
I am trying to do a GPO audit on my domain, and your tool is great.
I would love to have a CSV / XLS file with all the GPOs and their settings.
It would allow me to rationalise the number of GPOs and regroup most of them.
I see the table as following:
| | GPO 1 | GPO 2 | GPO 3 | … |
|---|---|---|---|---|
| Parameter 1 | Enabled | Enabled | | |
| Parameter 2 | whatever | | | |
| Parameter 3 | False | true | | |
| Parameter 4 | | | | |
| Parameter 5 | HKLM/Soft/… | HKCU/… | | |
| Parameter 6 | Enabled | | | |
| Parameter 7 | Disabled | | | |
| Parameter 8 | Disabled | | | |
| … | | | | |
Thanks a lot for your great job.
The result is that Get-Command doesn't show module commands until after importing the module, and module autoload doesn't work.
Hello,
When I launch this command: Remove-GPOZaurrBroken -Type AD -LimitProcessing 2 -Verbose
I get this warning:
AVERTISSEMENT : Remove-GPOZaurrBroken - DistinguishedName CN={AE7CC155-CA5C-4963-B920-4565F4802F22},CN=Policies,CN=System,DC=domain,DC=local not found or ObjectClass is not groupPolicyContainer/Container ()
The GPO "Not available on SYSVOL" is still here.
Do you have English based domain? No, it's French
What forest version? 2016
What domain version? 2016
What Windows Server? 2019
What workstation you're running it from? directly on DC
Hello,
When I use Invoke-GPOZaurr, there are portions of the report that come up blank: Group Policy Links, Group Policy Root Permissions, Group Policy Content, and Group Policy Passwords. Additionally, when I look at the Group Policy Summary report, it says the vast majority of my policies are unlinked, even though they are linked. The other reports appear to run correctly.
With the Group policy Owner portion, I get this Warning for each GPO:
WARNING: Set-ADACLOwner - Drive CN{31B2F340-016D-11D2-945F-00C04FB984F9}CNPoliciesCNSystemDCSARASOTA not mapped. Terminating...
Group policy summary yields:
WARNING: Get-PrivGPOZaurrLink - Couldn't find link cn={84187EC3-FB32-458E-9800-0A577F6AADEF},cn=policies,cn=system.SARASOTA84187EC3-FB32-458E-9800-0A577F6AADEF in a GPO Cache. Lack of permissions for given GPO? Are you running as admin? Skipping.
Group Policy links yields the same warning as GPO Summary
Get-GPOReport yields:
```text
At C:\Program Files\WindowsPowerShell\Modules\GPOZaurr\0.0.126\GPOZaurr.psm1:17964 char:32
+ ... GPOOutput = Get-GPOReport -Guid $GPO.GUID -Domain $GPO.DomainName -Re ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Get-GPOReport], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.GroupPolicy.Commands.GetGpoReportCommand
```
I am running as a domain admin, and that group appears to have the correct permissions for these GPOs. Am I missing something?
When running both the full report and the specific "Invoke-GPOZaurr -Type GPOConsistency" commands, the return errors out w/ the following error:
```text
[i][Start] GPO Permissions Consistency
VERBOSE: Get-GPOZaurrPermissionConsistency - Starting process for domainname.local
VERBOSE: Get-GPOZaurrPermissionConsistency - Processing domainname.local WinAll-SChannel
WARNING: Get-GPOZaurrPermissionConsistency - Processing GPO-Name / domainname.local failed to get consistency with error: Method invocation failed because [Deserialized.Microsoft.GroupPolicy.Gpo] does not contain a method named 'IsAclConsistent'..
```
This has been tested and confirmed only in Powershell 7.
This occurs whether the module is imported or imported w/ "-SkipEditionCheck" switch.
If the module is imported w/o "-SkipEditionCheck" I receive the following (possibly unrelated) warnings:
WARNING: Module GroupPolicy is loaded in Windows PowerShell using WinPSCompatSession remoting session; please note that all input and output of commands from this module will be deserialized objects. If you want to load this module into PowerShell please use 'Import-Module -SkipEditionCheck' syntax.
WARNING: Module ActiveDirectory is loaded in Windows PowerShell using WinPSCompatSession remoting session; please note that all input and output of commands from this module will be deserialized objects. If you want to load this module into PowerShell please use 'Import-Module -SkipEditionCheck' syntax.
```text
Select-Object : The property cannot be processed because the property "PowerPoint" already exists.
At C:\Program Files\WindowsPowerShell\Modules\PSWriteHTML\0.0.148\PSWriteHTML.psm1:16159 char:47
+ ... $DataTable = $DataTable | Select-Object -Property $Properties
CategoryInfo          : InvalidOperation: (@{DisplayName=*...ProxyOverride=}:PSObject) [Select-Object], PSArgumentException
FullyQualifiedErrorId : AlreadyExistingUserSpecifiedPropertyNoExpand,Microsoft.PowerShell.Commands.SelectObjectCommand
```
This one is coming from PSWriteHTML; GPOZaurr.psm1 generates the same errors on repeated properties, at GPOZaurr.psm1 line 18074 I think. That foreach is problematic without a validation that the property doesn't already exist in the new hashtable. If I find a fix I'll drop a note.
Awesome module btw, thanks for the hard work!
Would you be able to provide some examples on/if we can target an Organization Unit with Invoke-GPOZAurr?
I could not find the right syntax and the Organization Unit DOC does not seem complete.
When you redirect the default container for new computers joined to the domain to an OU (which can have GPOs assigned to it) using the REDIRCMP command, you may have a perfectly useful OU with GPOs attached to it which is nonetheless empty. Many organizations might find it helpful to have a staging OU that all computers are joined to initially, so that group policy is applied, and then they are moved to another OU, either automatically or manually.
We do this, and in the "Group Policy Organizational Units" tab/report this OU shows up because it is empty but has GPOs applied to it.
I would recommend checking the value of Get-ADDomain | Select ComputersContainer and ignoring this OU (if it is an OU) if there are GPOs assigned but no computers. Right now, the suggestion is that I should unlink GPOs and delete the OU because there are no computers within, but in my case that is definitely not what I want to do.
Edit: Additionally, I am now noticing that in the "Group Policy Summary" tab, it is telling me that there are GPOs that are unlinked, which are in fact linked to the empty staging/default OU. I'd recommend flagging those GPO links as active links, since they link to the default computer container/OU.
After updating to the latest version (from .158 I think?), the script is stuck (currently 4 hours) on "Generating HTML report".
In the PowerShell event log there is this:
```text
Pipeline execution details for command line: $Value = ConvertTo-StringByType -Value $Object[$a].$Property -DateTimeFormat $DateTimeFormat -NumberAsString:$NumberAsString -BoolAsString:$BoolAsString -Depth $InitialDepth -MaxDepth $MaxDepth -TextBuilder $TextBuilder -NewLineFormat $NewLineFormat -NewLineFormatProperty $NewLineFormatProperty -Force:$Force -ArrayJoin:$ArrayJoin -ArrayJoinString $ArrayJoinString -AdvancedReplace $AdvancedReplace
Context Information:
DetailSequence=3
DetailTotal=3
SequenceNumber=1123175
UserId=DOMAIN\SERVER_ADMIN
HostName=ConsoleHost
HostVersion=5.1.17763.4974
HostId=335d65a3-d3f1-4f48-bdd1-c8d71b5b42bb
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=5.1.17763.4974
RunspaceId=47d76c5f-ed7c-497c-99ff-81db7d2db4f1
PipelineId=46
ScriptName=C:\Program Files\WindowsPowerShell\Modules\PSWriteHTML\1.9.0\PSWriteHTML.psm1
CommandLine= $Value = ConvertTo-StringByType -Value $Object[$a].$Property -DateTimeFormat $DateTimeFormat -NumberAsString:$NumberAsString -BoolAsString:$BoolAsString -Depth $InitialDepth -MaxDepth $MaxDepth -TextBuilder $TextBuilder -NewLineFormat $NewLineFormat -NewLineFormatProperty $NewLineFormatProperty -Force:$Force -ArrayJoin:$ArrayJoin -ArrayJoinString $ArrayJoinString -AdvancedReplace $AdvancedReplace
Details:
ParameterBinding(ConvertTo-StringByType): name="NewLineFormat"; value="System.Collections.Hashtable"
ParameterBinding(ConvertTo-StringByType): name="NewLineFormatProperty"; value="System.Collections.Hashtable"
ParameterBinding(ConvertTo-StringByType): name="Force"; value="True"
ParameterBinding(ConvertTo-StringByType): name="ArrayJoin"; value="True"
ParameterBinding(ConvertTo-StringByType): name="ArrayJoinString"; value=", "
ParameterBinding(ConvertTo-StringByType): name="AdvancedReplace"; value="System.Collections.Hashtable"
```
Over and over, only the sequence number is getting incremented. Is there a way to tell what is wrong?
Thank you
Would be nice to be able to pass in my PSCredential object that has the permissions needed rather than having to be logged in interactively as that user.
In version 0.0.156, you have a bit of code in GPOZaurr.psm1 at line 15301 which is meant to add the date ($DateName) to the filename for split reports. The problem seems to be that single reports are still being processed as "split" reports, and when you feed "invoke-GPOZaurr" a filename the resulting save path gets formatted in an unexpected way.
In the example output below, the filename "GPODuplicates_2022-12-07.html" is transformed into "GPODuplicates_2022-12-07_GPODuplicates_2022-12-07_140933.html":
```text
...
[i][Start] Duplicate (CNF) Group Policies
[i][End  ] Duplicate (CNF) Group Policies [Time to execute: 0 days, 0 hours, 0 minutes, 0 seconds, 594 milliseconds]
[i][HTML ] Generating HTML report (C:\inetpub\wwwroot\Domain Health\GPO Audits\2022-12-07\GPODuplicates_2022-12-07_GPODuplicates_2022-12-07_140933.html) for GPODuplicates with split reports
```
```text
WARNING: Get-XMLGPO - Reading GPO content [XXX-GPO-S-C Hardening (v10.0.1)/DomainFQDN] returned an error. This may be because of non-english language. Assesing EMPTY using old method which can report false positives. Be careful please.
```
In issue #10 you have seen this error in a Dutch language GPO. I am seeing it in an English language GPO.
The policy has user settings disabled and contains both Policies and Preferences. There are multiple policies but a single preference. In GPMC, it shows an error for the preference:
An unknown error occurred while data was gathered for this extension. Details: Could not find file '\\DomainControllerFQDN\sysvol\DomainFQDN\Policies\{GUIDstring}\Machine\Preferences\Registry\Registry.xml'.
I'm happy to help if you want to incorporate this in your marvellous module. Otherwise, I'm happy for you to close as a known issue.
In 0.0.154, during tests that analyze permissions, and while running on a Domain Controllers, I see the warning message "Get-LocalComputerSid - Error: You cannot call a method on a null-valued expression." It appears repeatedly, perhaps for every GPO being analyzed.
Is this something to address, or truly just informational? I only see one minor permissions issue among my GPOs.
Wanted to request the ability for the 'Group Policy Content' report to show all subfolders specifically for Google Chrome ADMX templates.
Currently, GPOZaurr only shows the top-level settings: (i.e. Policies -> Administrative Templates -> Google -> Google Chrome)
It doesn't show any of the settings nested in any of the following subfolders however:
Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
Right-click the Registry node, point to New, and select Registry Wizard.
Select the reference workstation on which the desired registry settings exist, then click Next.
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\
and select the check box for "SrvsvcSessionInfo", the value from which you want to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.
Click Finish.
The settings that you selected appear as preference items in the Registry Wizard Values collection.
This is on the TODO list - the ability to take whatever GPOAnalysis shows, connect it with GPOLinks, and based on those 2 create analysis on:
This will take a while - and I haven't started yet - I have some ideas - but feel free to chime in.
How would I go about adding more entries to this? I'd like to include Office 20xxx as well besides just Outlook. This would be great as folks transition from Office 201x to Office 365.
The "Group Policy Owners" tab shows AGPM GMSA accounts as "Non-Administrative Owners" in report instead of "Non-Administrative, but approved Owners (for example AGPM)". Could be due to needing Get-ADServiceAccount instead of Get-ADUser when using service accounts. GMSA account is a member of "Group Policy Creator Owners" group.
Shows this error:
"WARNING: Get-WinADForestDetails - Error discovering DC for Forest - Could not find a forest identified by: %mydomain%"
and then outputs a file in which everything shows as good, with zeros.
I got told I have some empty GPOs and went in to check them, but they aren't empty at all. They have user/comp settings, so I'm really confused about how to deal with those at the moment.
If any more info is needed or some screens etc, feel free to ask me.
Dear Przemysław
Improve GPO folder redirection report (Policy.User.ExtensionData - Folder Redirection). Add FolderType nice names in addition to Id:
```powershell
function ConvertTo-XMLFolderRedirection {
    [cmdletBinding()]
    param(
        [PSCustomObject] $GPO,
        [switch] $SingleObject
    )
    # Known-folder GUIDs used by the Folder Redirection extension, mapped to readable names
    $FolderID = @{
        "{1777F761-68AD-4D8A-87BD-30B759FA33DD}" = "Favorites"
        "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}" = "Documents"
        "{33E28130-4E1E-4676-835A-98395C3BC3BB}" = "Pictures"
        "{4BD8D571-6D19-48D3-BE97-422220080E43}" = "Music"
        "{18989B1D-99B5-455B-841C-AB7C74E4DDFC}" = "Videos"
        "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}" = "AppDataRoaming"
        "{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}" = "Desktop"
        "{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}" = "StartMenu"
        "{374DE290-123F-4565-9164-39C4925E467B}" = "Downloads"
        "{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}" = "Saved Games"
        "{56784854-C6CB-462B-8169-88E350ACB882}" = "Contacts"
        "{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}" = "Searches"
        "{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}" = "Links"
    }
    if ($SingleObject) {
        # One object per GPO, with all redirected folders nested under Settings
        $CreateGPO = [ordered]@{
            DisplayName = $GPO.DisplayName
            DomainName  = $GPO.DomainName
            GUID        = $GPO.GUID
            GpoType     = $GPO.GpoType
            #GpoCategory = $GPOEntry.GpoCategory
            #GpoSettings = $GPOEntry.GpoSettings
            Count       = 0
            Settings    = $null
        }
        [Array] $CreateGPO['Settings'] = foreach ($Folder in $GPO.DataSet) {
            foreach ($Location in $Folder.Location) {
                [PSCustomObject] @{
                    FolderType                = $FolderID[$Folder.Id]   # readable name for the known-folder GUID
                    Id                        = $Folder.Id
                    DestinationPath           = $Location.DestinationPath
                    SecuritySID               = $Location.SecurityGroup.SID.'#text'
                    SecurityName              = $Location.SecurityGroup.Name.'#text'
                    GrantExclusiveRights      = if ($Folder.GrantExclusiveRights -eq 'true') { $true } else { $false }
                    MoveContents              = if ($Folder.MoveContents -eq 'true') { $true } else { $false }
                    FollowParent              = if ($Folder.FollowParent -eq 'true') { $true } else { $false }
                    ApplyToDownLevel          = if ($Folder.ApplyToDownLevel -eq 'true') { $true } else { $false }
                    DoNotCare                 = if ($Folder.DoNotCare -eq 'true') { $true } else { $false }
                    RedirectToLocal           = if ($Folder.RedirectToLocal -eq 'true') { $true } else { $false }
                    PolicyRemovalBehavior     = $Folder.PolicyRemovalBehavior # : LeaveContents
                    ConfigurationControl      = if ($Folder.ConfigurationControl -eq 'GP') { 'Group Policy' } else { $Folder.ConfigurationControl } # : GP
                    PrimaryComputerEvaluation = $Folder.PrimaryComputerEvaluation # : PrimaryComputerPolicyDisabled
                }
            }
        }
        $CreateGPO['Count']      = $CreateGPO['Settings'].Count
        $CreateGPO['Linked']     = $GPO.Linked
        $CreateGPO['LinksCount'] = $GPO.LinksCount
        $CreateGPO['Links']      = $GPO.Links
        [PSCustomObject] $CreateGPO
    } else {
        # One flat object per redirected folder and target location
        foreach ($Folder in $GPO.DataSet) {
            foreach ($Location in $Folder.Location) {
                $CreateGPO = [ordered]@{
                    DisplayName               = $GPO.DisplayName
                    DomainName                = $GPO.DomainName
                    GUID                      = $GPO.GUID
                    GpoType                   = $GPO.GpoType
                    # Look up by the folder's own Id, not the GPO's; the GPO Id is the policy GUID
                    FolderType                = $FolderID[$Folder.Id]
                    Id                        = $Folder.Id
                    DestinationPath           = $Location.DestinationPath
                    SecuritySID               = $Location.SecurityGroup.SID.'#text'
                    SecurityName              = $Location.SecurityGroup.Name.'#text'
                    GrantExclusiveRights      = if ($Folder.GrantExclusiveRights -eq 'true') { $true } else { $false }
                    MoveContents              = if ($Folder.MoveContents -eq 'true') { $true } else { $false }
                    FollowParent              = if ($Folder.FollowParent -eq 'true') { $true } else { $false }
                    ApplyToDownLevel          = if ($Folder.ApplyToDownLevel -eq 'true') { $true } else { $false }
                    DoNotCare                 = if ($Folder.DoNotCare -eq 'true') { $true } else { $false }
                    RedirectToLocal           = if ($Folder.RedirectToLocal -eq 'true') { $true } else { $false }
                    PolicyRemovalBehavior     = $Folder.PolicyRemovalBehavior # : LeaveContents
                    ConfigurationControl      = if ($Folder.ConfigurationControl -eq 'GP') { 'Group Policy' } else { $Folder.ConfigurationControl } # : GP
                    PrimaryComputerEvaluation = $Folder.PrimaryComputerEvaluation # : PrimaryComputerPolicyDisabled
                    Linked                    = $GPO.Linked
                    LinksCount                = $GPO.LinksCount
                    Links                     = $GPO.Links
                }
                [PSCustomObject] $CreateGPO
            }
        }
    }
}
```
I ran this:
$GPOInconsistentPerms = Get-GPOZaurrPermissionConsistency -IncludeDomains (Get-ADDomain).DNSRoot
and then this:
$GPOInconsistentPerms.Where({ $_.id -eq '15b4308d-9faf-425a-ba63-a786b916f242'})
and got no output, which was odd as I'd copied the GUID from the Invoke-GPOZaurr
report I'd also just run. After too much fiddling and not enough thinking, I tab-completed it and got this:
$GPOInconsistentPerms[101].'Id '
Looking in the file for Get-GPOZaurrPermissionConsistency
on line 99, you have this:
$Object['Id '] = $_.Id # : 8a7bc515-d7fd-4d1f-90b8-e47c15f89295
Is it supposed to be like that?
Find GPOs in links that no longer exist but haven't been unlinked.
Get-PrivGPOZaurrLink - Couldn't find link domainlEDE5A6AC-21E0-430B-968A-7F92BFC1E8A4 in a GPO Cache. Lack of permissions for given GPO? Are you running as admin? Skipping.
GPOZaurr seems to error when using Group Managed Service Accounts in GPOs
Is it possible to implement a new section where all group policies are listed including all set keys and values?
That would be very helpful to search all group policies for a special keyword.
Right now I'm using a powershell command to do this but I prefer using your outstanding HTML report :)
```powershell
$String = "gotomeeting"
$Domain = "TEST.LOCAL"
$NearestDC = (Get-ADDomainController -Discover -NextClosestSite).Name
# Get a list of GPOs from the domain
$GPOs = Get-GPO -All -Domain $Domain -Server $NearestDC | Sort-Object DisplayName
# Go through each object and check its XML report against $String
Foreach ($GPO in $GPOs) {
    Write-Host "Working on $($GPO.DisplayName)"
    # Get the current GPO report (XML)
    $CurrentGPOReport = Get-GPOReport -Guid $GPO.Id -ReportType Xml -Domain $Domain -Server $NearestDC
    If ($CurrentGPOReport -match $String) {
        Write-Host "A Group Policy matching ""$($String)"" has been found:" -ForegroundColor Green
        Write-Host "- GPO Name: $($GPO.DisplayName)" -ForegroundColor Green
        Write-Host "- GPO Id: $($GPO.Id)" -ForegroundColor Green
        Write-Host "- GPO Status: $($GPO.GpoStatus)" -ForegroundColor Green
    }
}
```
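One way to get the "all keys and values" list this post asks for, which also answers the earlier request on this page for a Windows Time/NTP section: an added example, not GPOZaurr code, that parses the XML returned by Get-GPOReport -ReportType Xml into one object per Administrative Template setting (with its element values) and then searches that list by keyword. The sample report embedded below is constructed to mirror the Get-GPOReport schema, and the function names are my own.

```powershell
function ConvertFrom-GpoReportXml {
    [CmdletBinding()]
    param(
        # The string returned by Get-GPOReport -ReportType Xml
        [Parameter(Mandatory, ValueFromPipeline)] [string] $ReportXml
    )
    process {
        [xml] $Doc = $ReportXml
        # Get-GPOReport puts the GPO skeleton in the Settings namespace and
        # Administrative Template policies in the Settings/Registry namespace
        $Ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
        $Ns.AddNamespace('gp',  'http://www.microsoft.com/GroupPolicy/Settings')
        $Ns.AddNamespace('reg', 'http://www.microsoft.com/GroupPolicy/Settings/Registry')
        $GpoName = $Doc.SelectSingleNode('/gp:GPO/gp:Name', $Ns).InnerText
        $GpoId   = $Doc.GPO.Identifier.Identifier

        foreach ($Scope in 'Computer', 'User') {
            foreach ($Policy in $Doc.SelectNodes("/gp:GPO/gp:$Scope//reg:Policy", $Ns)) {
                # Each configurable element carries its own Name plus either a Value or a State
                $Elements = [ordered]@{}
                foreach ($El in $Policy.SelectNodes('reg:EditText|reg:Numeric|reg:DropDownList|reg:CheckBox', $Ns)) {
                    $ElName  = $El.SelectSingleNode('reg:Name', $Ns).InnerText
                    $ElValue = $El.SelectSingleNode('reg:Value', $Ns)
                    $Elements[$ElName] = if ($ElValue) { $ElValue.InnerText } else { $El.SelectSingleNode('reg:State', $Ns).InnerText }
                }
                [PSCustomObject]@{
                    GpoName  = $GpoName
                    GpoId    = $GpoId
                    Scope    = $Scope
                    Category = $Policy.SelectSingleNode('reg:Category', $Ns).InnerText
                    Setting  = $Policy.SelectSingleNode('reg:Name', $Ns).InnerText
                    State    = $Policy.SelectSingleNode('reg:State', $Ns).InnerText
                    Elements = ($Elements.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
                }
            }
        }
    }
}

function Find-GpoSetting {
    param(
        [Parameter(Mandatory)] [object[]] $Settings,   # output of ConvertFrom-GpoReportXml
        [Parameter(Mandatory)] [string]   $Keyword
    )
    # Match the setting name, its category path, or any element name/value
    $Settings | Where-Object {
        $_.Setting -like "*$Keyword*" -or $_.Category -like "*$Keyword*" -or $_.Elements -like "*$Keyword*"
    }
}

# Constructed sample report (shape of Get-GPOReport -ReportType Xml, values invented)
$SampleReport = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Identifier>
    <Identifier xmlns="http://www.microsoft.com/GroupPolicy/Types">{00000000-0000-0000-0000-000000000001}</Identifier>
    <Domain xmlns="http://www.microsoft.com/GroupPolicy/Types">example.local</Domain>
  </Identifier>
  <Name>Constructed - Time and Lockdown</Name>
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q1:RegistrySettings">
        <q1:Policy>
          <q1:Name>Configure Windows NTP Client</q1:Name>
          <q1:State>Enabled</q1:State>
          <q1:Category>System/Windows Time Service/Time Providers</q1:Category>
          <q1:EditText><q1:Name>NtpServer</q1:Name><q1:State>Enabled</q1:State><q1:Value>ntp.example.local,0x9</q1:Value></q1:EditText>
          <q1:DropDownList><q1:Name>Type</q1:Name><q1:State>Enabled</q1:State><q1:Value><q1:Name>NTP</q1:Name></q1:Value></q1:DropDownList>
          <q1:Numeric><q1:Name>SpecialPollInterval</q1:Name><q1:State>Enabled</q1:State><q1:Value>3600</q1:Value></q1:Numeric>
        </q1:Policy>
      </Extension>
      <Name>Registry</Name>
    </ExtensionData>
  </Computer>
  <User>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q2:RegistrySettings">
        <q2:Policy>
          <q2:Name>Prevent access to registry editing tools</q2:Name>
          <q2:State>Enabled</q2:State>
          <q2:Category>System</q2:Category>
          <q2:DropDownList><q2:Name>Disable regedit from running silently?</q2:Name><q2:State>Enabled</q2:State><q2:Value><q2:Name>Yes</q2:Name></q2:Value></q2:DropDownList>
        </q2:Policy>
      </Extension>
      <Name>Registry</Name>
    </ExtensionData>
  </User>
</GPO>
'@

$Settings = ConvertFrom-GpoReportXml -ReportXml $SampleReport
$Settings | Format-Table Scope, Setting, State, Elements -AutoSize
# Which GPOs point the Windows Time client at a server, and where?
Find-GpoSetting -Settings $Settings -Keyword 'NtpServer' | Select-Object GpoName, Scope, Elements
# Against a live domain (not run here), the same pipeline over every GPO:
# Get-GPO -All | ForEach-Object { Get-GPOReport -Guid $_.Id -ReportType Xml } | ConvertFrom-GpoReportXml
```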
Hi All
First time I am posting an issue in GitHub for any project; hopefully I am doing this correctly.
I have run the following
```text
PS C:\Windows\system32> Invoke-GPOZaurr -verbose
[i][GPOZaurr] Version [Informative] Current/Latest: 1.0.0 at 09/17/2023 09:11:39
[i][GPOZaurr] Domain Information [Informative] Forest: Not defined. Using current one
[i][GPOZaurr] Domain Information [Informative] Included Domains: Not defined. Using all domains of forest
[i][GPOZaurr] Domain Information [Informative] Excluded Domains: No exclusions provided
```
and then the report opens
file:///C:/Users/./AppData/Local/Temp/hi0cz3ju.html#WizardStep-jy3gd9i2
Going to
Or this RAW code <html><body><!--StartFragment-->DisplayName | DomainName | GUID | GpoType | DoNotRequestAlternateCredentials | RequestCredentialsForNetworkInstallations | TurnOffPreviewPane | SetADefaultAssociationsConfigurationFile | SetADefaultAssociationsConfigurat-- | -- | -- | -- | -- | -- | -- | -- | --<!--EndFragment--></body></html>
Is this a bug?
Regards
Iain
I am not sure if this is even possible... But, it would be nice if it was possible to run this against a remote server. I have a server that I cannot update PowerShell on that I would like to check using its replacement that is a 2019 Std server.
Would be great to have EvergreenADMX as part of GPOZaurr; not thinking of a separate cmdlet, rather having the option to make it more popular, and updating ADMX while doing GPO housekeeping isn't a bad idea (recommended at least once a year).
X509Certificate2 cert = new X509Certificate2(data.Certificate);
Not an issue and I really love the work you've done, it's an amazing reporting utility and really impressive work.
I'm not sure how feasible this idea really is. Basically, I'd like to run the report daily and have it compared against the previous days report. If there are no changes then simply keep the previous days report. If there have been changes then save the new one with the current date and highlight changes. This keeps both copies for historical comparison.
First off I just wanted to compare the HTML files but I realised each one has certain unique aspects anyway. The time it was generated for example. My next thought is to find a way to filter through the HTML just to the table with the data I want in it but I can't seem to get to the table.
Cheers for any thoughts or ideas you can throw my way.