Are my GPO's in Sync?

-
Do you ever wake up at night in a panic...wondering are all my GPO's syncd?  Me too!  So today I thought I would write a GPO script that would allow me to check the versions of all my GPO's!

As you know the GPO version number is stored in a TXT based file in the root of each {<random string>} GIUD number folder and in the TXT file is a version number value.

The script does the following:
  • Gets all the domain controllers in your domain (Checks if they are online or not)
  • Gets all of the {GUID's} in each servers sysvol (If the path exists)
  • Reads the version number for each one (If the file exists)
  • Reports if there are errors
  • Checks to see if all the versions match
  • Prints out a nice report of Server, GUID, Version
Required Modules:  ActiveDirectory
Required Permissions:  RunAs Administrator on a domain controller as a domain admin account.

Results:

Script:
      #Group Policy Version Checker

      $startpath = get-location | select path
      $startpath = $startpath.path

      import-module activedirectory
      $hostnames = (Get-ADForest).Domains | %{ Get-ADDomainController -Filter * -Server $_ } | select hostname
      $domain = (get-adforest).rootdomain
      $myArray = @()
      $serverList = @()
      $hostnames = $hostnames.hostname
      $count = 0

      foreach($srv in $hostnames){
      $ping = Test-NetConnection $srv | select PingSucceeded
      $ping = $ping.pingsucceeded
      if ($ping -like "true"){
      write-host $srv "reply from host successful"
      $serverlist += [string]$srv
      }
      }

      foreach ($server in $serverList){
      $path = "\\" + $server + "\sysvol\" + $domain + "\Policies\"
      #write-host $path
      set-location $path
      $folders = get-childitem -directory
      foreach($folder in $folders){
      #write-host $folder.name
      $subfolder = $folder.name
      $subpath = $path + $subfolder
      $pathcheck = test-path $subpath
      if ($pathcheck -eq $true){
      set-location $subpath
      $filecheck = test-path GPT.INI
      if ($filecheck -eq $true){
      $version = get-content GPT.INI | select-string "Version"
      $version = $version -split "="
      $version = $version[1]
      $PSO = New-Object PSObject -property @{Server=$server;Folder=$subfolder;Version=$version}
      $myArray += $PSO
      }
      }
      }
      }
      $myArray | Sort-Object -Property Folder
      #Grab Unique GPO Objects:
      $folderchk = $myArray |select folder
      $folderchk = $folderchk.folder
      $folderchk = $folderchk | select -uniq

      #Create array to track version numbers in loop
      $myversions = @()

      #Loop through myarray and assign each version number to myversions
      foreach ($gpo in $folderchk){
      foreach ($row in $myArray){

      if($row.folder -like $gpo){
      $myversions += $row.version
      }
      }
      $checkveruni = $myversions | select -uniq
      $checkveruni = $checkveruni.count
      if ($checkveruni -gt 1){
      write-host "Mismatch found in $row"
      $count++
      }else
      {
      #write-host "Versions Match for:" $gpo
      }
      $myversions = $null
      }

      set-location $startpath
      start-sleep -seconds 2
      if ($count -eq 0){write-host "Congratualtions all GPO versions are in sync in your domain!"}

I hope you enjoy the script and it can help you in some way!  I had fun writing it.

Comments

Post a Comment

Popular posts from this blog

Integrate Choco with SCCM

-
Image
Integrating Choco with SCCM Choco is well known and recently I've written on how to integrate choco with puppet as the control mechanism.  Today, I've explored how to do this with SCCM configuration manager.  This article assumes you have a working SCCM environment.  My lab environment was set up using Oracle's personal use virtual box and evaluation software provided by Microsoft's eval center and a Fedora host system.  (Let me know if you would like to know more about my setup) The reason I'm writing about this is to keep 3rd party software up to date leveraging choco packages as well as develop a standard deployment model for all software. High level steps: Create choco installer application in sccm. Create notepad++ installer and uninstaller applications in sccm. Upgrade notepad++ with supersedence Deploy non standard package (Comming soon) So to dig in, first we need to install choco on our SCCM clients.  In this test, I'm using SCCM appl...
Read more

Windows 11 22H2 production setup!

-
Image
Windows 11 22H2 production setup! I recently started to deploy windows 11 and to my chagrin found many applications that didn't align to the business needs such as recommended apps, tiktok, instagram etc, as well as other apps like Microsoft Teams, and Onedrive.  So this is a short blog and shout out to the resources I found to help tame this beast Microsoft released. Customize the start menu for the default profile to remove suggested apps for all users Uninstall bloatware for all users Customized Start Menu Log in as an admin account and customize the start menu they way you would like. Windows 11 stores the customized configuration under the users profile folder: c:\users\%user%\appdata\local\packages\Microsoft.Windows.StartMenuExperienceHost_%randomized%\localstate\start2.bin Copy this start2.bin file to somewhere on the network.  Like the sysvol domain controller. I wrote the script below to account for the randomization as the folder path is unique per windows install, b...
Read more

VPN Triggers

-
Ok, so I realize this post won't apply to most people, but I want to share this just in case it can save someone hours of digging for VPN PowerShell commands.   The other day I found myself with a strange request from a client, they wanted to push out a VPN connection profile from Intune, and enable it so that it always stays connected when the PC has an internet connection.  We the short version of the story is I have not done a full deployment of always on, the 2nd part of the story is they wanted to use the VPN connection as the primary network connection of the currently non-domain joined machines 200+.  To make a long story short I wasn't able to get the simple certificate services to enroll intune joined user certificates to connect to the internal PKI infrastructure as it failed to autoenroll with a very detailed error.  "NO DATA".  So welcome to plan B. B-Plan was a simple L2TP connection using the same RAS, NPS server.  One a profile wa...
Read more