GPO (Group Policy Object) allows centralized configuration and management of user and computer settings in an Active Directory domain.
📦 Module Preparation
| 📌 Action | 🧠 PowerShell Command |
|---|---|
| 📦 Import GPO module | Import-Module GroupPolicy |
| ✅ Verify module | Get-Module GroupPolicy |
| 🔍 List GPO cmdlets | Get-Command -Module GroupPolicy |
| 📋 Cmdlet help | Get-Help Get-GPO -Examples |
📋 Viewing GPOs
| 📌 Action | 🧠 PowerShell Command |
|---|---|
| 📜 List all GPOs | Get-GPO -All |
| 🔍 Search for a GPO | Get-GPO -Name "Accounting-Policy" |
| 👁️ GPO details | Get-GPO -Name "Accounting-Policy" \| Select-Object * |
| 🔗 GPOs linked to an OU | Get-GPInheritance -Target "OU=Accounting,DC=company,DC=com" |
| 🖥️ GPOs applied to a PC | Get-GPResultantSetOfPolicy -Computer "PC-ACCOUNTING-01" -ReportType Html -Path C:\temp\rsop_pc.html |
| 👤 User’s GPO | Get-GPResultantSetOfPolicy -User "jsmith" -ReportType Html -Path C:\temp\rsop_user.html |
📊 Essential Export Scripts
📋 Export complete GPO list
```powershell
# Export all GPOs with essential info
Get-GPO -All | Select-Object DisplayName, Id, GpoStatus, CreationTime, ModificationTime |
    Export-Csv "C:\temp\gpo_list_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "GPO export completed: C:\temp\gpo_list_$(Get-Date -Format 'yyyyMMdd').csv"
```
🔗 Export GPO links by OU
```powershell
# Audit GPOs linked to important OUs
$OUs = @(
    "OU=Management,DC=company,DC=com",
    "OU=Accounting,DC=company,DC=com",
    "OU=Sales,DC=company,DC=com"
)
$report = foreach ($ou in $OUs) {
    $links = Get-GPInheritance -Target $ou
    foreach ($link in $links.GpoLinks) {
        [PSCustomObject]@{
            OU       = $ou
            GPOName  = $link.DisplayName
            Enabled  = $link.Enabled
            Enforced = $link.Enforced
            Order    = $link.Order
        }
    }
}
$report | Export-Csv "C:\temp\gpo_links_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "GPO links export completed"
```
📄 Export HTML report for a GPO
```powershell
# Generate a detailed HTML report for a GPO
$gpoName = "General-Security-Policy"
$reportPath = "C:\temp\report_$($gpoName)_$(Get-Date -Format 'yyyyMMdd').html"
Get-GPOReport -Name $gpoName -ReportType Html -Path $reportPath
Write-Host "GPO report generated: $reportPath"
```
🛠️ Useful Audit Scripts
🔍 Unused (orphan) GPOs
```powershell
# Find GPOs not linked to any OU
$allGPOs = Get-GPO -All
$unusedGPOs = @()
foreach ($gpo in $allGPOs) {
    $links = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
    if (-not $links.GPO.LinksTo) {
        $unusedGPOs += [PSCustomObject]@{
            Name             = $gpo.DisplayName
            Id               = $gpo.Id
            CreationTime     = $gpo.CreationTime
            ModificationTime = $gpo.ModificationTime
        }
    }
}
$unusedGPOs | Export-Csv "C:\temp\gpo_orphans_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "Found $($unusedGPOs.Count) orphan GPOs"
```
⚠️ Disabled or problematic GPOs
```powershell
# Audit GPOs with issues
Get-GPO -All | Where-Object {
    $_.GpoStatus -eq "AllSettingsDisabled" -or
    $_.GpoStatus -eq "UserSettingsDisabled" -or
    $_.GpoStatus -eq "ComputerSettingsDisabled"
} | Select-Object DisplayName, GpoStatus, ModificationTime |
    Export-Csv "C:\temp\gpo_disabled_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
```
📈 Summary Reports
📊 Domain GPO statistics
```powershell
# GPO overview
$allGPOs = Get-GPO -All
# A fully enabled GPO has GpoStatus "AllSettingsEnabled"; there is no "Enabled" value
$enabledGPOs = $allGPOs | Where-Object {$_.GpoStatus -eq "AllSettingsEnabled"}
# Everything else has user settings, computer settings, or both disabled
$disabledGPOs = $allGPOs | Where-Object {$_.GpoStatus -ne "AllSettingsEnabled"}
Write-Host "=== GPO Statistics ===" -ForegroundColor Green
Write-Host "Total GPOs: $($allGPOs.Count)"
Write-Host "Active GPOs: $($enabledGPOs.Count)" -ForegroundColor Green
Write-Host "Disabled GPOs: $($disabledGPOs.Count)" -ForegroundColor Yellow
Write-Host "Recently modified GPOs (7d): $(($allGPOs | Where-Object {$_.ModificationTime -gt (Get-Date).AddDays(-7)}).Count)"
```
🔄 Recently modified GPOs
```powershell
# GPOs modified in the last 30 days
$date = (Get-Date).AddDays(-30)
Get-GPO -All | Where-Object {$_.ModificationTime -gt $date} |
    Select-Object DisplayName, ModificationTime |
    Sort-Object ModificationTime -Descending |
    Export-Csv "C:\temp\gpo_recent_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
```
🎯 Troubleshooting Commands
| 📌 Action | 🧠 PowerShell Command |
|---|---|
| 🔄 Force GPO update | gpupdate /force |
| 📊 View applied GPOs | gpresult /r |
| 👤 User scope GPO | gpresult /scope user /r |
| 🖥️ Computer scope GPO | gpresult /scope computer /r |
| 📄 User GPO report | gpresult /user jsmith /h C:\temp\gpo_user.html |
| 🖥️ Computer GPO report | gpresult /s PC-ACCOUNTING-01 /h C:\temp\gpo_pc.html |
| 🔍 Test GPO resultant | Get-GPResultantSetOfPolicy -ReportType Html -Path C:\temp\rsop.html |
🚨 Common Troubleshooting
| 🆘 Problem | 🧠 Solution |
|---|---|
| Missing GPO module | Install-WindowsFeature GPMC |
| GPO not applying | Check OU links and application order |
| Insufficient permissions | Use domain admin account |
| Corrupted GPO | dcgpofix to restore the default GPOs (Default Domain Policy and Default Domain Controllers Policy only) |
| Slow replication | Check repadmin /showrepl |
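
An added example (not from the original page) that combines the orphan and recent-change audits above into one pass over the XML from `Get-GPOReport -ReportType Xml`: for each GPO it reports where it is linked, whether the link is enforced, and whether the directory and SYSVOL version numbers disagree. The helper name `Get-GpoLinkAudit` is hypothetical, and the sample XML is constructed on the assumption that it mirrors the report's `LinksTo`, `VersionDirectory` and `VersionSysvol` elements.

```powershell
# Added example, not from the original page. Get-GpoLinkAudit is a hypothetical helper.
function Get-GpoLinkAudit {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$ReportXml,
        [int]$RecentDays = 30
    )
    begin { $cutoff = (Get-Date).AddDays(-$RecentDays) }
    process {
        $gpo      = ([xml]$ReportXml).GPO
        $modified = [datetime]$gpo.ModifiedTime
        # The AD and SYSVOL version numbers differ when the two copies are out of sync
        $mismatch = foreach ($side in $gpo.Computer, $gpo.User) {
            if ($side.VersionDirectory -ne $side.VersionSysvol) { $true }
        }
        # Filtering ChildNodes yields an empty array when the GPO has no links
        $links = @($gpo.ChildNodes | Where-Object { $_.LocalName -eq 'LinksTo' })
        if ($links.Count -eq 0) { $links = @($null) }   # still emit one row for an orphan
        foreach ($link in $links) {
            [PSCustomObject]@{
                Name            = $gpo.Name
                Modified        = $modified
                Recent          = $modified -gt $cutoff
                VersionMismatch = [bool]$mismatch
                Linked          = [bool]$link
                LinkedTo        = $link.SOMPath
                LinkEnabled     = $link.Enabled -eq 'true'
                Enforced        = $link.NoOverride -eq 'true'
            }
        }
    }
}

# Constructed sample reports (assumed to mirror Get-GPOReport -ReportType Xml output)
$stamp = (Get-Date).AddDays(-2).ToString('s')
$linked = @"
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>General-Security-Policy</Name><ModifiedTime>$stamp</ModifiedTime>
  <Computer><VersionDirectory>12</VersionDirectory><VersionSysvol>11</VersionSysvol></Computer>
  <User><VersionDirectory>3</VersionDirectory><VersionSysvol>3</VersionSysvol></User>
  <LinksTo><SOMPath>company.com/Accounting</SOMPath><Enabled>true</Enabled><NoOverride>true</NoOverride></LinksTo>
</GPO>
"@
$orphan = $linked -replace '<LinksTo>.*</LinksTo>', '' -replace 'General-Security-Policy', 'Old-Test-Policy'

$linked, $orphan | Get-GpoLinkAudit -RecentDays 7 | Format-Table -AutoSize
# Live data: Get-GPO -All | ForEach-Object { Get-GPOReport -Guid $_.Id -ReportType Xml } | Get-GpoLinkAudit
```

Rows with `Recent` and `Enforced` both true are the ones to review first, since an enforced link overrides settings from GPOs linked lower in the hierarchy.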