Hello All,
Welcome back. I was recently asked to work on the Group Policy and I am glad to come up with this post where we will see how to Find disabled GPOs using Powershell. But before we jump right in, lets see a few basic things for the guys who are new to this.
What is Group Policy Object (GPO)?
From Windows Server 2000, Microsoft introduced this feature which would help the System Administrators to define settings which can then to applied to a set of computers or users in the domain. This collection of settings that can define how a system works and how it will behave for a defined group of users which then can be used and applied is called Group policy Object.
Group Policy objects (GPOs) can be linked to the following Active Directory directory service containers: sites, domains, or organizational units (OUs). Group Policy is one of the main reasons that organizations actually deploy Active Directory.
You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). When the GPMC is installed on servers or client computers, the Windows PowerShell module is also installed.
So let us see how we can now find disabled GPOs using Powershell.
Find disabled GPOs using Powershell
Before you start using and discovering the various cmdlets associated with Group Policy, you need to make sure that you import the both the Group Policy and Active Directory modules before running these cmdlets.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Ok, once you have that in place, you can now view what are the cmdlets at you disposal related to Group Policy by using below the below line.
Get-Command -Module GroupPolicy
For the purposes of today's post, we will be using only Get-GPO, you read more about the same here. Also use Get-Help to see some examples to have some basic understanding.
The final line that we will be using to find the list is as below:
Get-GPO -All | where {$_.GPOStatus -eq "AllSettingsDisabled"} | Sort-Object DisplayName
So let us examine what we are doing here. At first, we are listing all the GPOs that are already created in the forest. Once we have that information, we are filtering the once where the property value for GPOStatus is set to AllSettingsDisabled.
And finally we are sorting the data using the Display Name.
The reason I came up with this first was because we might have hundreds of GPOs to deal with and its easy to start deleting the ones which are already disabled and then move on to the more complicated ones.
I hope this was informative and you have read something of value, thank you for visiting!