    Powershell - Find GPO's for specific Group

      JasGot
      last edited by

      Is this going to be an ongoing tool, or a one and done cmdlet?

        pmoncho @JasGot
        last edited by

        @JasGot said in Powershell - Find GPO's for specific Group:

        Is this going to be an ongoing tool, or a one and done cmdlet?

        I thought it was going to be a one and done but believe I can use it more in the future so it will become an ongoing tool.

        I've been "playing around" with RBAC for AD and make sure to use Groups for my GPO filtering. Top that off with using single function GPO's for specific groups, it can be a little rough trying to find what groups apply to some GPO's.

        In the end, I'm thinking it would be nice to have a user, find the groups (possibly nested groups too) they belong to, which can automatically find all GPO's that affect this user on all systems.

        I think this may be good for organizations of all sizes too. I get that large org's probably already have tools for this stuff.

          JasGot @pmoncho
          last edited by JasGot

          @pmoncho said in Powershell - Find GPO's for specific Group:

          I thought it was going to be a one and done but believe I can use it more in the future so it will become an ongoing tool.

          Ok. Cool. I did a quick search and found many examples that search the entire GPO for search strings. This would be fine for a quick and dirty one off script. But maybe not for something that goes in your tool bag.

          Maybe these will help you get closer to your goal.
          https://www.itdroplets.com/searching-gpo-specific-setting-powershell/
          https://gallery.technet.microsoft.com/scriptcenter/Search-all-GPOs-in-a-b155491c

          and one of my favorite Go-To sites for GPO ideas:
          https://deployhappiness.com/searching-gpos-for-that-specific-setting/

          I hope you find something helpful here.

            pmoncho @JasGot
            last edited by

            Thanks.

            I will check those out. I was really hoping there would be a parameter for the Get-GPO cmdlet or the ability to filter, but after many searches, it looks as though there will be a bunch of looping. 🙂

              Obsolesce
              last edited by Obsolesce

              Here's a quick function I created going by your goal:

              @pmoncho said in Powershell - Find GPO's for specific Group:

              Goal - Find all GPO's that have "SomeGroupName" in Delegation Tab.

              I can change it to a script you can run that takes parameters instead if that was how you planned on using it. But as it is below, it's meant to be used within a script or in ISE for example in the screenshots below.

              I am using the -eq, so the parameter you use for -GroupName needs to be exact. Otherwise, you can change it to -match for example.

              Note: I only tried this in PS v5.1.

              e6bc354a-42b4-4a83-85e9-abe40dcb91f6-image.png

              85116aae-601e-4f85-b5ed-35e47df4d2b6-image.png

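              function Get-GPOGroupMatches {
                  [CmdletBinding()]
                  param(
                      # Exact name of the group to look for among each GPO's trustees
                      [Parameter(Mandatory)]
                      [string]$GroupName
                  )

                  # Get-GPO and Get-GPPermission come from the GroupPolicy module
                  $gpos = Get-GPO -All

                  $list = foreach ($gpo in $gpos) {

                      # Trustee names from the GPO's Delegation tab. With an array on the
                      # left, -eq returns the matching names, so any match is truthy.
                      if ((Get-GPPermission -Name $gpo.DisplayName -All).Trustee.Name -eq $GroupName) {

                          [PSCustomObject]@{
                              GPOName = $gpo.DisplayName
                          }

                      }

                  }

                  Write-Output -InputObject $list

              }

              # Example use(s):

                  # Example 1: list the matching GPOs
                      Get-GPOGroupMatches -GroupName "TestGroup1"

                  # Example 2: keep the result and read only the names
                      $GPOs = Get-GPOGroupMatches -GroupName "TestGroup1"
                      $GPOs.GPOName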
              
              
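The per-user lookup mentioned earlier in the thread (user, then nested groups, then the GPOs those groups are delegated on) can be built on the same Get-GPPermission loop. This is an added example, not code from any poster: the function name `Get-GPODelegationForUser` and the account `jdoe` are made up, and it assumes the ActiveDirectory and GroupPolicy modules are installed.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy

# Added example; function name and sample account are hypothetical.
function Get-GPODelegationForUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity   # sAMAccountName, DN, SID or GUID of the user
    )

    $user = Get-ADUser -Identity $Identity

    # Escape characters that are special inside an LDAP filter value.
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' `
            -replace '\)', '\29' -replace '\*', '\2a'

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC
    # walk nested membership, so indirect groups are returned as well.
    # The primary group (usually Domain Users) is not stored in 'member'
    # and is therefore not part of this result.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")

    # Match on SID rather than name: names can repeat across domains.
    $bySid = @{}
    $bySid[$user.SID.Value] = $user.SamAccountName
    foreach ($g in $groups) { $bySid[$g.SID.Value] = $g.Name }

    foreach ($gpo in (Get-GPO -All)) {
        # -Guid avoids ambiguity when two GPOs share a display name.
        foreach ($ace in (Get-GPPermission -Guid $gpo.Id -All)) {
            $sid = $ace.Trustee.Sid.Value
            if ($bySid.ContainsKey($sid)) {
                [PSCustomObject]@{
                    GPOName    = $gpo.DisplayName
                    Trustee    = $bySid[$sid]
                    Permission = $ace.Permission   # GpoApply, GpoRead, GpoEdit, ...
                    Denied     = $ace.Denied
                }
            }
        }
    }
}

# GpoApply rows are security filtering; GpoEdit* rows are trustees that can
# change the policy and are the ones to review first during cleanup.
Get-GPODelegationForUser -Identity 'jdoe' |
    Sort-Object GPOName, Trustee |
    Format-Table -AutoSize
```

The output covers delegation entries only; whether a GPO actually applies also depends on where it is linked and on any WMI filter, which this function does not evaluate.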
                dbeato
                last edited by dbeato

                Aside from the script you are looking for, is there a reason why the delegation is that way or are you trying to limit access to those GPOs? Or cleaning them up?

                  pmoncho @Obsolesce
                  last edited by

                  Thank you very much @Obsolesce.

                  I will test it out in the ISE. Eventually a script is my goal, but not required. I greatly appreciate your help.

                  I currently stink at scripting so I will be learning from this also.

                    pmoncho @dbeato
                    last edited by

                    @dbeato said in Powershell - Find GPO's for specific Group:

                    Aside from the script you are looking for, is there a reason why the delegation is that way or are you trying to limit access to those GPOs? Or cleaning them up?

                    It's all of the above.

                    I created multiple GPO's (limiting the scope of each GPO) that affect only certain groups on the same RDS server. This is due to the upcoming changes in our LOB application and moving to our new 2019 RDS servers. I wanted to make it as easy for my internal users and external remote clients to have what they need while limiting access as much as possible (yes, I do believe I over-complicated things).

                    The main reason for the script was cleanup. It was rough finding the groups I delegated to each specific GPO instead of fumbling through each one.

                      pmoncho @Obsolesce
                      last edited by

                      The script works really well and much faster than the generic thing I had.
                      I added the following to the bottom to get input from the user:

                      #Get Input from User
                      $MyGroupName = Read-Host -Prompt "Please enter Group Name"
                      
                          # Example 3:
                              $GPOs = Get-GPOGroupMatches -GroupName $MyGroupName
                              $GPOs.GPOName
                      
                        dbeato @pmoncho
                        last edited by

                        I see, make it then a habit also to document changes 🙂 That will help (I know I am stating the obvious) but it comes to bite you in the rear end a lot of times if not in place.

                          pmoncho @dbeato
                          last edited by

                          You are NOT kidding. I had a decent doc going but a little laziness and getting sidetracked by management, and here we are! Ugh! Lol
