Report generated on 12/03/2020 17:24:00
GPOZaurr - Current/Latest: 0.0.94 at 12/03/2020 09:44:39
Orphaned Group Policies
Group Policy Owners
GPO Permissions Consistency
Duplicate (CNF) Group Policies
Group Policy Summary
Group Policy Administrative Permissions
Group Policy Authenticated Users Permissions
Group Policy Unknown Permissions
NetLogon Owners
Group Policies are stored in two places: Active Directory (metadata) and SYSVOL (content). Since those are managed differently and replicated differently (AD replication versus DFSR for SYSVOL), a number of issues can cause them to get out of sync.

For example:
  • USN rollback in AD could cause already deleted Group Policies to reappear in Active Directory, while the SYSVOL data is no longer available
  • Group Policy deletion failing to delete GPO content
  • Permission issue preventing deletion of GPO content
  • Failing DFSR replication between DCs
Following problems were detected:
  • Group Policies on SYSVOL, but no details in AD: 2
  • Group Policies in AD, but no content on SYSVOL: 1
  • Group Policies which couldn't be assessed due to permission issues: 1
Following domains require actions (permissions required):
  • ad.evotec.pl requires 0 changes.
  • ad.evotec.xyz requires 3 changes.
Please review the output in the table and follow the steps below the table to get Active Directory Group Policies into a healthy state.
Table columns: DisplayName, Status, DomainName, SysvolServer, SysvolStatus, GpoStatus, Owner, FileOwner, Id, Path, DistinguishedName, Description, CreationTime, ModificationTime, UserVersion, ComputerVersion, WmiFilter, Error
To be able to execute actions in automated way please install required modules. Those modules will be installed straight from Microsoft PowerShell Gallery.
Install-Module GPOZaurr -Force
Import-Module GPOZaurr -Force
Using -Force makes sure the newest version is downloaded from the PowerShell Gallery regardless of what is currently installed. Once installed you're ready for the next step.
Depending when this report was run you may want to prepare new report before proceeding with removal. To generate new report please use:
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrBrokenGpoBefore.html -Verbose -Type GPOOrphans
When executed it will take a while to generate all data and provide you with a new report, depending on the size of the environment. Once confirmed that the data is still showing issues and requires fixing, please proceed with the next step.
Alternatively if you prefer working with console you can run:
$GPOOutput = Get-GPOZaurrBroken -Verbose
$GPOOutput | Format-Table
It provides the same data as you see in the table above, just without the prettified output.
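If you want to reproduce the AD versus SYSVOL comparison without the module, the following added example (not GPOZaurr code, and not part of the original report) enumerates groupPolicyContainer objects in AD and GUID-named folders under SYSVOL for one domain and reports the set differences. It assumes the ActiveDirectory RSAT module, read access to SYSVOL, and uses the domain name 'ad.evotec.xyz' from the report only as a placeholder.

```powershell
# Added example, not part of the GPOZaurr report or module: an independent
# cross-check of GPO GUIDs in AD against GPO folders in SYSVOL for one domain.
# Assumes the ActiveDirectory RSAT module and read access to SYSVOL.
Import-Module ActiveDirectory

function Compare-GpoAdSysvol {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DomainName   # placeholder, e.g. 'ad.evotec.xyz'
    )
    $domain     = Get-ADDomain -Identity $DomainName
    $policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"

    # GPO metadata lives in AD as groupPolicyContainer objects whose RDN is the GPO GUID.
    $adGpos = Get-ADObject -Server $DomainName -SearchBase $policiesDn -SearchScope OneLevel `
        -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName, gPCFileSysPath |
        ForEach-Object {
            [pscustomobject]@{
                Guid        = $_.Name.ToUpperInvariant()
                DisplayName = $_.displayName
                Path        = $_.gPCFileSysPath
            }
        }

    # GPO content lives in SYSVOL as folders named by the same GUID
    # (PolicyDefinitions and other non-GUID folders are filtered out).
    $sysvolRoot  = "\\$DomainName\SYSVOL\$DomainName\Policies"
    $sysvolGuids = Get-ChildItem -LiteralPath $sysvolRoot -Directory -ErrorAction Stop |
        Where-Object { $_.Name -match '^\{[0-9A-F-]{36}\}$' } |
        ForEach-Object { $_.Name.ToUpperInvariant() }

    $adSet = @{}
    foreach ($g in $adGpos)      { $adSet[$g.Guid] = $g }
    $svSet = @{}
    foreach ($g in $sysvolGuids) { $svSet[$g] = $true }

    # AD object without a matching SYSVOL folder: "in AD, but no content on SYSVOL"
    foreach ($g in $adGpos) {
        if (-not $svSet.ContainsKey($g.Guid)) {
            [pscustomobject]@{ Guid = $g.Guid; DisplayName = $g.DisplayName; Status = 'AD only (no SYSVOL content)' }
        }
    }
    # SYSVOL folder without a matching AD object: "on SYSVOL, but no details in AD"
    foreach ($g in $sysvolGuids) {
        if (-not $adSet.ContainsKey($g)) {
            [pscustomobject]@{ Guid = $g; DisplayName = $null; Status = 'SYSVOL only (no AD metadata)' }
        }
    }
}

Compare-GpoAdSysvol -DomainName 'ad.evotec.xyz' | Format-Table -AutoSize
```

The domain-based SYSVOL path (`\\domain\SYSVOL`) is served by whichever DC the client picks, so when DFSR replication itself is suspect, point both the `-Server` parameter of Get-ADObject and the UNC path at the same specific domain controller and repeat the comparison per DC.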
The process of fixing broken GPOs will delete AD or SYSVOL content depending on the type of problem. While it's always useful to have a backup, this backup won't actually cover those broken Group Policies, for a simple reason: they cannot be backed up. You can't back up a GPO if there is no SYSVOL content, and you can't back up a GPO if there's only SYSVOL content. However, since the script does make changes to GPOs, it's advised to have a backup anyway!
$GPOSummary = Backup-GPOZaurr -BackupPath "$Env:UserProfile\Desktop\GPO" -Verbose -Type All
$GPOSummary | Format-Table # only if you want to display output of backup
The command above makes a backup on the Desktop: it creates a GPO folder and puts all GPOs in it.
The following command runs the cleanup procedure that removes all broken GPOs on the SYSVOL side. When running it for the first time, run it with the WhatIf parameter as shown below to prevent accidental removal. When run, it removes any GPO remains from SYSVOL that should not be there, as the AD metadata is already gone. Please notice SYSVOL is used as the type, because the removal will happen on SYSVOL.
Remove-GPOZaurrBroken -Type SYSVOL -WhatIf -Verbose
Alternatively for multi-domain scenario, if you have limited Domain Admin credentials to a single domain please use following command:
Remove-GPOZaurrBroken -Type SYSVOL -WhatIf -IncludeDomains 'YourDomainYouHavePermissionsFor' -Verbose
After execution please make sure there are no errors, review the provided output, and confirm that what is about to be deleted matches the expected data. Keep in mind that what the backup command does is simply copy SYSVOL content to the given place. Since there is no GPO metadata in AD, there's no real restore process for this step. It's there to make sure that if someone kept some data in there and wants to get access to it, they can.

Once happy with results please follow with command (this will start deletion process):

Remove-GPOZaurrBroken -Type SYSVOL -LimitProcessing 2 -BackupPath $Env:UserProfile\Desktop\GPOSYSVOLBackup -Verbose
Alternatively for multi-domain scenario, if you have limited Domain Admin credentials to a single domain please use following command:
Remove-GPOZaurrBroken -Type SYSVOL -LimitProcessing 2 -BackupPath $Env:UserProfile\Desktop\GPOSYSVOLBackup -IncludeDomains 'YourDomainYouHavePermissionsFor' -Verbose
This command deletes only the first X broken GPOs. Use the LimitProcessing parameter to prevent mass deletion and increase the counter when no errors occur. Repeat the step above as often as needed, increasing the LimitProcessing count until there's nothing left. In case of any issues please review and act accordingly. If there's nothing else to be deleted on the SYSVOL side, we can skip to the next step.
The following command runs the cleanup procedure that removes all broken GPOs on the Active Directory side. When running it for the first time, run it with the WhatIf parameter as shown below to prevent accidental removal. When run, it removes any GPO remains from AD that should not be there, as the SYSVOL content is already gone. Please notice AD is used as the type, because the removal will happen on the AD side.
Remove-GPOZaurrBroken -Type AD -WhatIf -Verbose
Alternatively for multi-domain scenario, if you have limited Domain Admin credentials to a single domain please use following command:
Remove-GPOZaurrBroken -Type AD -WhatIf -IncludeDomains 'YourDomainYouHavePermissionsFor' -Verbose
After execution please make sure there are no errors, review the provided output, and confirm that what is about to be deleted matches the expected data. Keep in mind that there is no backup for this. Since there is no SYSVOL data and only the AD object is there, there's no real restore process for this step. Once you delete it, it's gone.

Once happy with results please follow with command (this will start deletion process):

Remove-GPOZaurrBroken -Type AD -LimitProcessing 2 -Verbose
Alternatively for multi-domain scenario, if you have limited Domain Admin credentials to a single domain please use following command:
Remove-GPOZaurrBroken -Type AD -LimitProcessing 2 -IncludeDomains 'YourDomainYouHavePermissionsFor' -Verbose
This command deletes only the first X broken GPOs. Use the LimitProcessing parameter to prevent mass deletion and increase the counter when no errors occur. Repeat the step above as often as needed, increasing the LimitProcessing count until there's nothing left. In case of any issues please review and act accordingly. If there's nothing else to be deleted on the AD side, we can skip to the next step.
Once the cleanup task has been executed properly, we need to verify that the report now shows no problems.
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrBrokenGpoAfter.html -Verbose -Type GPOOrphans
If everything is healthy in the report you're done! Enjoy rest of the day!
By default GPO creation is usually done by Domain Admins or Enterprise Admins. When a GPO is created by a member of the Domain Admins or Enterprise Admins group, the GPO owner is set to Domain Admins. When a GPO is created by a member of Group Policy Creator Owners or another group that has delegated rights to create a GPO, the owner of that GPO is not the Domain Admins group but the individual user. GPO owners should be Domain Admins or Enterprise Admins to prevent abuse. If that isn't the case, the owner is able to fully control the GPO (the owner can always rewrite its permissions) and potentially change its settings in an uncontrolled way. At the moment the GPO is created this is not a problem, but in the long term such a person may no longer be an admin, yet keep their rights over the GPO.
As you're aware, Group Policies are stored in two places: Active Directory (metadata) and SYSVOL (settings). This means there are two places where a GPO owner exists. It also means that, for multiple reasons, AD and SYSVOL can be out of sync when it comes to their permissions, which can lead to an uncontrolled ability to modify them. Ownership in Active Directory and ownership of the SYSVOL folder for a given GPO are required to be the same.
Here's a short summary of Group Policy Owners:
  • Administrative Owners: 45
  • Non-Administrative Owners: 1
  • Owners consistent in AD and SYSVOL: 45
  • Owners not-consistent in AD and SYSVOL: 1
Following will need to happen:
  • Group Policies requiring owner change: 0
  • Group Policies which can't be fixed (no SYSVOL?): 1
  • Group Policies unaffected: 45
Following domains require actions (permissions required):
  • ad.evotec.pl requires 0 changes.
  • ad.evotec.xyz requires 0 changes.
Following domains require fixing using, different methods:
  • ad.evotec.pl requires 0 changes.
  • ad.evotec.xyz requires 1 changes.
Table columns: DisplayName, DomainName, GUID, Owner, OwnerSid, OwnerType, SysvolOwner, SysvolSid, SysvolType, SysvolPath, IsOwnerConsistent, IsOwnerAdministrative, SysvolExists, DistinguishedName
To be able to execute actions in automated way please install required modules. Those modules will be installed straight from Microsoft PowerShell Gallery.
Install-Module GPOZaurr -Force
Import-Module GPOZaurr -Force
Using -Force makes sure the newest version is downloaded from the PowerShell Gallery regardless of what is currently installed. Once installed you're ready for the next step.
Depending when this report was run you may want to prepare new report before proceeding with fixing Group Policy Owners. To generate new report please use:
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrGPOOwnersBefore.html -Verbose -Type GPOOwners
When executed it will take a while to generate all data and provide you with a new report, depending on the size of the environment. Once confirmed that the data is still showing issues and requires fixing, please proceed with the next step.
Alternatively if you prefer working with console you can run:
$OwnersGPO = Get-GPOZaurrOwner -IncludeSysvol -Verbose
$OwnersGPO | Format-Table
It provides the same data as you see in the table above, just without the prettified output.
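To see how the two owners are read and compared, here is an added example (not GPOZaurr code, and not part of the original report) that reads the owner of every GPO from the AD object's security descriptor and from the SYSVOL folder's ACL, then flags owners that differ between the two or are not an administrative group. It assumes the ActiveDirectory RSAT module, read access to SYSVOL, and uses 'ad.evotec.xyz' only as a placeholder domain; the administrative set it accepts (Domain Admins, Enterprise Admins, built-in Administrators) is this example's choice.

```powershell
# Added example, not GPOZaurr code: compare the GPO owner in AD with the owner
# of the matching SYSVOL folder and flag non-administrative owners.
# Assumes the ActiveDirectory RSAT module and read access to SYSVOL.
Import-Module ActiveDirectory

function Get-GpoOwnerCheck {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $DomainName)   # placeholder, e.g. 'ad.evotec.xyz'

    $domain  = Get-ADDomain -Identity $DomainName
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Owners accepted as administrative in this example: Domain Admins (RID 512) of this
    # domain, Enterprise Admins (RID 519) of the forest root, and BUILTIN\Administrators.
    $forestRootSid = (Get-ADDomain -Identity $domain.Forest).DomainSID.Value
    $adminSids = @(
        "$($domain.DomainSID.Value)-512",
        "$forestRootSid-519",
        'S-1-5-32-544'
    )

    $policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"
    Get-ADObject -Server $DomainName -SearchBase $policiesDn -SearchScope OneLevel `
        -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -Properties displayName, gPCFileSysPath, nTSecurityDescriptor |
    ForEach-Object {
        # Owner of the AD object, taken from its security descriptor as a SID.
        $adOwnerSid = $_.nTSecurityDescriptor.GetOwner($sidType).Value

        # Owner of the SYSVOL folder (gPCFileSysPath), if the folder exists at all.
        $sysvolExists   = Test-Path -LiteralPath $_.gPCFileSysPath
        $sysvolOwnerSid = $null
        if ($sysvolExists) {
            $sysvolOwnerSid = (Get-Acl -LiteralPath $_.gPCFileSysPath).GetOwner($sidType).Value
        }

        [pscustomobject]@{
            DisplayName           = $_.displayName
            Guid                  = $_.Name
            OwnerSid              = $adOwnerSid
            SysvolOwnerSid        = $sysvolOwnerSid
            SysvolExists          = $sysvolExists
            IsOwnerConsistent     = ($sysvolExists -and ($adOwnerSid -eq $sysvolOwnerSid))
            IsOwnerAdministrative = ($adminSids -contains $adOwnerSid)
        }
    }
}

# Show only GPOs that need attention; a missing SYSVOL folder shows up as
# IsOwnerConsistent = False with SysvolExists = False (fix the orphan first).
Get-GpoOwnerCheck -DomainName 'ad.evotec.xyz' |
    Where-Object { -not $_.IsOwnerConsistent -or -not $_.IsOwnerAdministrative } |
    Format-Table -AutoSize
```

Comparing SIDs rather than display names avoids false mismatches when the same group resolves to different name formats (DOMAIN\Group versus group@domain) on the two sides.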
The process of fixing the GPO owner does NOT touch GPO content. It simply changes the owner in AD and on SYSVOL at the same time. However, it's always good to have a backup before executing changes that may impact Active Directory.
$GPOSummary = Backup-GPOZaurr -BackupPath "$Env:UserProfile\Desktop\GPO" -Verbose -Type All
$GPOSummary | Format-Table # only if you want to display output of backup
The command above makes a backup on the Desktop: it creates a GPO folder and puts all GPOs in it.
The following command will find any GPO which doesn't have a proper GPO owner (be it due to inconsistency between AD and SYSVOL or because the owner is not Domain Admins) and will enforce a new GPO owner.
When running it for the first time, run it with the WhatIf parameter as shown below to prevent accidental changes.
Set-GPOZaurrOwner -Type All -Verbose -WhatIf
Alternatively for multi-domain scenario, if you have limited Domain Admin credentials to a single domain please use following command:
Set-GPOZaurrOwner -Type All -Verbose -WhatIf -IncludeDomains 'YourDomainYouHavePermissionsFor'
After execution please make sure there are no errors, review the provided output, and confirm that what is about to be changed matches the expected data.

Once happy with results please follow with command (this will start fixing process):

Set-GPOZaurrOwner -Type All -Verbose -LimitProcessing 2
Alternatively for multi-domain scenario, if you have limited Domain Admin credentials to a single domain please use following command:
Set-GPOZaurrOwner -Type All -Verbose -LimitProcessing 2 -IncludeDomains 'YourDomainYouHavePermissionsFor'
This command sets the new owner only on the first X non-compliant GPO owners in AD/SYSVOL. Use the LimitProcessing parameter to prevent mass changes and increase the counter when no errors occur. Repeat the step above as often as needed, increasing the LimitProcessing count until there's nothing left. In case of any issues please review and act accordingly.
Once the fix has been executed properly, we need to verify that the report now shows no problems.
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrGPOOwnersAfter.html -Verbose -Type GPOOwners
If everything is healthy in the report you're done! Enjoy rest of the day!
Table columns: Type, Comment, Reason, TargetName
When a GPO is created, it creates an entry in Active Directory (metadata) and in SYSVOL (content). Two different places means two different sets of permissions. The Group Policy module makes sure the data in both places is correct. However, for different reasons that's not necessarily the case, and permissions often go out of sync between AD and SYSVOL. This test verifies the consistency of policies between AD and SYSVOL in two ways: it checks the top-level permissions of a GPO, and then checks whether all files within that GPO inherit permissions or have different permissions in place.
Following list presents permissions consistency between Active Directory and SYSVOL for Group Policies
  • Top level permissions consistency: 45
  • Inherited permissions consistency: 44
  • Inconsistent top level permissions: 1
  • Inconsistent inherited permissions: 2
Having inconsistent permissions in AD compared to those on SYSVOL can lead to an uncontrolled ability to modify them (a principal that lost edit rights on one side may still hold them on the other). Please notice that if "Not available" is visible in the table you should first fix the related, more pressing issue (such as a missing SYSVOL folder) before fixing the permissions inconsistency.
Table columns: DisplayName, DomainName, ACLConsistent, ACLConsistentInside, Owner, Path, SysVolPath, Id, GpoStatus, Description, CreationTime, ModificationTime, UserVersion, ComputerVersion, WmiFilter, Error, ACLConsistentInsideDetails
Table columns: Type, Comment, Reason, TargetName
The following steps will guide you through fixing permissions consistency.
To be able to execute actions in automated way please install required modules. Those modules will be installed straight from Microsoft PowerShell Gallery.
Install-Module GPOZaurr -Force
Import-Module GPOZaurr -Force
Using -Force makes sure the newest version is downloaded from the PowerShell Gallery regardless of what is currently installed. Once installed you're ready for the next step.
Depending when this report was run you may want to prepare new report before proceeding fixing permissions inconsistencies. To generate new report please use:
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrPermissionsInconsistentBefore.html -Verbose -Type GPOConsistency
When executed it will take a while to generate all data and provide you with a new report, depending on the size of the environment. Once confirmed that the data is still showing issues and requires fixing, please proceed with the next step.
Alternatively if you prefer working with console you can run:
$GPOOutput = Get-GPOZaurrPermissionConsistency
$GPOOutput | Format-Table # do your actions as desired
It provides the same data as you see in the table above, just without the prettified output.
The following command fixes inconsistent top-level permissions.
When running it for the first time, run it with the WhatIf parameter as shown below to prevent accidental changes.
Make sure to replace TargetDomain with the domain your Domain Admin account has permissions for.
Repair-GPOZaurrPermissionConsistency -IncludeDomains "TargetDomain" -Verbose -WhatIf
After execution please make sure there are no errors, review the provided output, and confirm that what is about to be changed matches the expected data. Once happy with the results please follow with the command:
Repair-GPOZaurrPermissionConsistency -LimitProcessing 2 -IncludeDomains "TargetDomain"
This command repairs only the first X inconsistent permissions. Use the LimitProcessing parameter to prevent mass fixing and increase the counter when no errors occur. Repeat the step above as often as needed, increasing the LimitProcessing count until there's nothing left. In case of any issues please review and act accordingly.
If there's nothing else to be fixed, we can skip to the next step.
Unfortunately this step is manual until automation is developed.
If inconsistent permissions are found inside a GPO (on the files and folders below the GPO folder), one has to fix them manually by going into SYSVOL and making sure inheritance is enabled and that permissions are consistent across all files.
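For the manual step above, the following added example (not GPOZaurr code, and not part of the original report) walks the files and folders below one GPO folder in SYSVOL, reports every item whose inheritance is disabled or that carries explicit (non-inherited) ACEs, and with -Fix re-enables inheritance and drops the explicit ACEs so the GPO folder's permissions flow down again. The GPO path and GUID are placeholders; the function honors -WhatIf, and writing ACLs in SYSVOL requires rights that typically only Domain Admins hold.

```powershell
# Added example, not GPOZaurr code: find files and folders inside a GPO's SYSVOL
# folder that do not inherit permissions from the GPO folder, and optionally
# restore inheritance. The GPO path below is a placeholder; run with -WhatIf first.
function Repair-GpoFolderInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GpoPath,   # e.g. \\<domain>\SYSVOL\<domain>\Policies\{<GUID>}
        [switch] $Fix
    )
    # Only children are visited; the GPO folder itself legitimately has explicit ACEs.
    Get-ChildItem -LiteralPath $GpoPath -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName

        # Explicit ACEs on a child let its permissions drift from the GPO folder,
        # even when inheritance itself is still switched on.
        $explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
        $protected = $acl.AreAccessRulesProtected

        if ($protected -or $explicit.Count -gt 0) {
            [pscustomobject]@{
                Path          = $_.FullName
                InheritanceOn = -not $protected
                ExplicitAces  = ($explicit | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            }
            if ($Fix -and $PSCmdlet.ShouldProcess($_.FullName, 'Enable inheritance and remove explicit ACEs')) {
                # First argument $false = not protected, i.e. inherit from the parent again.
                $acl.SetAccessRuleProtection($false, $false)
                # Drop the explicit ACEs so only the inherited ones from the GPO folder remain.
                foreach ($ace in $explicit) { [void] $acl.RemoveAccessRule($ace) }
                Set-Acl -LiteralPath $_.FullName -AclObject $acl
            }
        }
    }
}

# Placeholder path: substitute the SysVolPath value from the table above.
$gpo = '\\ad.evotec.xyz\SYSVOL\ad.evotec.xyz\Policies\{00000000-0000-0000-0000-000000000000}'
Repair-GpoFolderInheritance -GpoPath $gpo                # report only
Repair-GpoFolderInheritance -GpoPath $gpo -Fix -WhatIf   # preview the fix
```

Review the report output before running with -Fix: an explicit ACE inside a GPO folder is usually leftover from a manual edit, but if someone deliberately granted a principal access to one file, that grant disappears with the fix.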
Once the fix has been executed properly, we need to verify that the report now shows no problems.
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrPermissionsInconsistentAfter.html -Verbose -Type GPOConsistency
If everything is healthy in the report you're done! Enjoy rest of the day!
CNF objects, conflict objects or duplicate objects are created in Active Directory when an AD object with the same name is created under the same container on two separate Domain Controllers at about the same time, before replication occurs. This results in a conflict, which is exhibited by a CNF (duplicate) object. While it doesn't necessarily have a huge impact on Active Directory, it's important to keep Active Directory in a proper, healthy state.
As it stands currently there are 0 CNF (Duplicate) Group Policy objects to be deleted.
Table columns: Name
To be able to execute actions in automated way please install required modules. Those modules will be installed straight from Microsoft PowerShell Gallery.
Install-Module GPOZaurr -Force
Import-Module GPOZaurr -Force
Using -Force makes sure the newest version is downloaded from the PowerShell Gallery regardless of what is currently installed. Once installed you're ready for the next step.
Depending when this report was run you may want to prepare new report before proceeding fixing duplicate GPO objects. To generate new report please use:
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrDuplicateObjectsBefore.html -Verbose -Type GPODuplicates
When executed it will take a while to generate all data and provide you with a new report, depending on the size of the environment. Once confirmed that the data is still showing issues and requires fixing, please proceed with the next step.
Alternatively if you prefer working with console you can run:
$GPOOutput = Get-GPOZaurrDuplicateObject
$GPOOutput | Format-Table # do your actions as desired
It provides the same data as you see in the table above, just without the prettified output.
The following command internally lists all duplicate objects and shows what would be removed.
When running it for the first time, run it with the WhatIf parameter as shown below to prevent accidental removal.
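The following added example (not GPOZaurr code, and not part of the original report) shows what the duplicate check looks for: when AD resolves a naming conflict it renames the losing object to its original name followed by a line feed and "CNF:" plus the object's GUID, so a substring filter on the RDN finds every conflict object among the Group Policy containers. It assumes the ActiveDirectory RSAT module; the domain name is a placeholder.

```powershell
# Added example, not GPOZaurr code: list conflict (CNF) Group Policy containers.
# AD renames the losing object of a replication conflict to "<name>\0ACNF:<objectGUID>",
# so the RDN contains the literal text "CNF:". Domain name is a placeholder.
Import-Module ActiveDirectory

function Get-GpoConflictObject {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $DomainName)   # placeholder, e.g. 'ad.evotec.xyz'

    $domain     = Get-ADDomain -Identity $DomainName
    $policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"

    Get-ADObject -Server $DomainName -SearchBase $policiesDn -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=groupPolicyContainer)(name=*CNF:*))' `
        -Properties displayName, whenCreated, whenChanged |
    ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name                     # contains the CNF: marker and GUID
            DisplayName = $_.displayName
            WhenCreated = $_.whenCreated
            WhenChanged = $_.whenChanged
            DN          = $_.DistinguishedName
        }
    }
}

Get-GpoConflictObject -DomainName 'ad.evotec.xyz' | Format-Table -AutoSize
```

The winning object keeps the original name, so a CNF container has a sibling with the same displayName; compare whenChanged on both before deleting, as the conflict copy is the one that lost but not necessarily the one nobody edited afterwards.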
Remove-GPOZaurrDuplicateObject -WhatIf -Verbose
After execution please make sure there are no errors, review the provided output, and confirm that what is about to be changed matches the expected data. Once happy with the results please follow with the command:
Remove-GPOZaurrDuplicateObject -Verbose -LimitProcessing 2
This command removes only the first X duplicate objects. Use the LimitProcessing parameter to prevent mass deletion and increase the counter when no errors occur. Repeat the step above as often as needed, increasing the LimitProcessing count until there's nothing left. In case of any issues please review and act accordingly.
Once the cleanup task has been executed properly, we need to verify that the report now shows no problems.
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrDuplicateObjectsAfter.html -Verbose -Type GPODuplicates
If everything is healthy in the report you're done! Enjoy rest of the day!
Over time, administrators add more and more Group Policies as business requirements change. Due to neglect, or the thought that a policy may serve a purpose later on, a lot of Group Policies often have no value at all. Either the Group Policy is not linked to anything and just stays unlinked forever, or the GPO is linked but the link (or links) are disabled. Additionally, sometimes a new GPO is created without any settings, or the settings are removed over time, but the GPO stays in place.
  • Group Policies total: 46
  • Group Policies valid: 17
  • Group Policies to delete: 29
    • Group Policies that are unlinked (are not doing anything currently): 27
    • Group Policies that are empty (have no settings): 10
    • Group Policies that are linked, but empty: 1
    • Group Policies that are linked, but link disabled: 1
    • Group Policies that are disabled (both user/computer sections): 2
Keep in mind that each GPO can match multiple conditions, such as being empty, unlinked and disabled at the same time. We're only deleting each GPO once.
All empty, unlinked or disabled Group Policies can be automatically deleted. Please review the output in the table and follow the steps below the table to clean up Group Policies. GPOs that have content but are disabled require manual intervention. If performance is an issue, you should consider disabling the user or computer section of a GPO when it is not used.

Additionally, we're reviewing Group Policies that have their section disabled, but contain data.
  • Group Policies with problems: 3
    • Group Policies that have content (computer), but are disabled: 2
    • Group Policies that have content (user), but are disabled: 1
Such policies require manual review from whoever owns them. It could be a mistake that the section was disabled while containing data, or the content is no longer needed, in which case it should be deleted. This can't be auto-handled and is INFORMATIONAL only.

Moreover, for best performance it's recommended that if there are no settings of a certain kind (Computer or User settings), the whole section is disabled so clients skip processing it.
  • Group Policies with optimization:
    • Group Policies that are optimized (computer) 28
    • Group Policies that are optimized (user): 10
  • Group Policies without optimization:
    • Group Policies that are not optimized (computer): 18
    • Group Policies that are not optimized (user): 36
This means 44 sections could be optimized for performance reasons.
Explanation of table columns:
  • Empty - means GPO has currently no content. It could be there was content, but it was removed, or that it never had content.
  • Linked - means GPO is linked or unlinked. We need at least one link that is enabled to mark it as linked. If GPO is linked but all links are disabled, it counts as not linked.
  • Enabled - means GPO has at least one section enabled. If enabled is set to false that means both sections are disabled, and therefore GPO is not active.
  • Optimized - means GPO section that is not in use is disabled. If section (user or computer) is enabled and there is no content, it's not optimized.
  • Problem - means GPO has one or more section (user or computer) that is disabled, yet there is content in it.
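The five flags above can be derived from the XML report of each GPO. The following added example (not GPOZaurr code, and not part of the original report) does exactly that with the GroupPolicy RSAT module: a section counts as having content when the report carries ExtensionData for it, Linked means at least one enabled link, and Optimized and Problem follow the definitions above. The domain name is a placeholder; the module's Exclude column and the "SettingsAvailableReal" distinction are not reproduced here.

```powershell
# Added example, not GPOZaurr code: classify every GPO in a domain as
# Empty / Linked / Enabled / Optimized / Problem, following the column
# definitions above. Assumes the GroupPolicy (RSAT) module; domain is a placeholder.
Import-Module GroupPolicy

function Get-GpoClassification {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $DomainName)   # placeholder, e.g. 'ad.evotec.xyz'

    foreach ($gpo in Get-GPO -All -Domain $DomainName) {
        [xml] $report = Get-GPOReport -Guid $gpo.Id -Domain $DomainName -ReportType Xml
        $g = $report.GPO

        # A section has content when the XML report carries ExtensionData for it.
        $computerHasContent = $null -ne $g.Computer.ExtensionData
        $userHasContent     = $null -ne $g.User.ExtensionData
        $computerEnabled    = $g.Computer.Enabled -eq 'true'
        $userEnabled        = $g.User.Enabled -eq 'true'

        # LinksTo is absent for unlinked GPOs; filter nulls so the count is right.
        $links        = @($g.LinksTo | Where-Object { $_ })
        $linksEnabled = @($links | Where-Object { $_.Enabled -eq 'true' }).Count

        [pscustomobject]@{
            DisplayName       = $gpo.DisplayName
            Guid              = $gpo.Id
            Empty             = -not ($computerHasContent -or $userHasContent)
            Linked            = $linksEnabled -gt 0          # at least one enabled link
            Enabled           = $computerEnabled -or $userEnabled
            # Optimized: every section without content is disabled.
            Optimized         = ($computerHasContent -or -not $computerEnabled) -and
                                ($userHasContent -or -not $userEnabled)
            # Problem: a section is disabled yet still carries settings.
            Problem           = ($computerHasContent -and -not $computerEnabled) -or
                                ($userHasContent -and -not $userEnabled)
            LinksCount        = $links.Count
            LinksEnabledCount = $linksEnabled
        }
    }
}

$all = Get-GpoClassification -DomainName 'ad.evotec.xyz'
# Deletion candidates, matching the Empty / Unlinked / Disabled types used below.
$all | Where-Object { $_.Empty -or -not $_.Linked -or -not $_.Enabled } | Format-Table -AutoSize
# Informational: content sitting in a disabled section; needs an owner to look at it.
$all | Where-Object { $_.Problem } | Format-Table -AutoSize
```

Get-GPOReport generates one report per GPO, so on a domain with hundreds of policies this takes a while; the counts it produces should match the summary figures at the top of this section.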
Table columns: DisplayName, DomainName, GUID, Empty, Linked, Enabled, Optimized, Problem, Exclude, ComputerPolicies, UserPolicies, LinksCount, LinksEnabledCount, LinksDisabledCount, EnabledDetails, ComputerProblem, ComputerOptimized, UserProblem, UserOptimized, ComputerSettingsAvailable, UserSettingsAvailable, ComputerSettingsAvailableReal, UserSettingsAvailableReal, ComputerSettingsTypes, UserSettingsTypes, ComputerEnabled, UserEnabled, ComputerSettingsStatus, ComputerSetttingsVersionIdentical, ComputerSettings, UserSettingsStatus, UserSettingsVersionIdentical, UserSettings, NoSettings, CreationTime, ModificationTime, ReadTime, WMIFilter, WMIFilterDescription, GPODistinguishedName, SDDL, Owner, OwnerSID, OwnerType, ACL, Auditing, Links, LinksObjects, GPOObject
The following steps will guide you through removing empty or unlinked Group Policies.
To be able to execute actions in automated way please install required modules. Those modules will be installed straight from Microsoft PowerShell Gallery.
Install-Module GPOZaurr -Force
Import-Module GPOZaurr -Force
Using -Force makes sure the newest version is downloaded from the PowerShell Gallery regardless of what is currently installed. Once installed you're ready for the next step.
Depending when this report was run you may want to prepare new report before proceeding with removal. To generate new report please use:
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrEmptyUnlinked.html -Verbose -Type GPOList
When executed it will take a while to generate all data and provide you with a new report, depending on the size of the environment. Once confirmed that the data is still showing issues and requires fixing, please proceed with the next step.
Alternatively if you prefer working with console you can run:
$GPOOutput = Get-GPOZaurr
$GPOOutput | Format-Table
It provides the same data as you see in the table above, just without the prettified output.
The process of deleting Group Policies is final. Once a GPO is removed, it's gone (the GPO container is not protected by the AD Recycle Bin in a way that restores its SYSVOL content). To make sure you can recover deleted GPOs, please back them up first.
$GPOSummary = Backup-GPOZaurr -BackupPath "$Env:UserProfile\Desktop\GPO" -Verbose -Type All
$GPOSummary | Format-Table # only if you want to display output of backup
The command above makes a backup on the Desktop: it creates a GPO folder and puts all GPOs in it. Keep in mind that the Remove-GPOZaurr command also has a backup feature built in. It's possible to skip this backup and use the backup made as part of the Remove-GPOZaurr command.
The following command removes every EMPTY or NOT LINKED Group Policy. When running it for the first time, run it with the WhatIf parameter as shown below to prevent accidental removal. Make sure to use BackupPath, which ensures that for each GPO about to be deleted a backup is made to a folder on the Desktop. You can skip the backup-related parameters if you backed up all GPOs prior to running the remove command.
Remove-GPOZaurr -Type Empty, Unlinked -BackupPath "$Env:UserProfile\Desktop\GPO" -Verbose -WhatIf
Alternatively for multi-domain scenario, if you have limited Domain Admin credentials to a single domain please use following command:
Remove-GPOZaurr -Type Empty, Unlinked -BackupPath "$Env:UserProfile\Desktop\GPO" -Verbose -WhatIf -IncludeDomains 'YourDomainYouHavePermissionsFor'
After execution please make sure there are no errors, review the provided output, and confirm that what is about to be deleted matches the expected data.

Once happy with the results please follow with the command (this will start the deletion process):

Remove-GPOZaurr -Type Empty, Unlinked -BackupPath "$Env:UserProfile\Desktop\GPO" -LimitProcessing 2 -Verbose
Alternatively for multi-domain scenario, if you have limited Domain Admin credentials to a single domain please use following command:
Remove-GPOZaurr -Type Empty, Unlinked -BackupPath "$Env:UserProfile\Desktop\GPO" -LimitProcessing 2 -Verbose -IncludeDomains 'YourDomainYouHavePermissionsFor'
This command deletes only the first X empty or unlinked GPOs. Use the LimitProcessing parameter to prevent mass deletion and increase the counter when no errors occur. Repeat the step above as often as needed, increasing the LimitProcessing count until there's nothing left. In case of any issues please review and act accordingly. Please make sure to check that the backup was made as well before going all in.
If there's nothing else to be deleted, we can skip to the next step.
The following command removes every DISABLED Group Policy. When running it for the first time, run it with the WhatIf parameter as shown below to prevent accidental removal. Make sure to use BackupPath, which ensures that for each GPO about to be deleted a backup is made to a folder on the Desktop. You can skip the backup-related parameters if you backed up all GPOs prior to running the remove command.
Remove-GPOZaurr -Type Disabled -BackupPath "$Env:UserProfile\Desktop\GPO" -Verbose -WhatIf
Alternatively for multi-domain scenario, if you have limited Domain Admin credentials to a single domain please use following command:
Remove-GPOZaurr -Type Disabled -BackupPath "$Env:UserProfile\Desktop\GPO" -Verbose -WhatIf -IncludeDomains 'YourDomainYouHavePermissionsFor'
After execution please make sure there are no errors, review the provided output, and confirm that what is about to be deleted matches the expected data.

Once happy with the results please follow with the command (this will start the deletion process):

Remove-GPOZaurr -Type Disabled -BackupPath "$Env:UserProfile\Desktop\GPO" -LimitProcessing 2 -Verbose
Alternatively for multi-domain scenario, if you have limited Domain Admin credentials to a single domain please use following command:
Remove-GPOZaurr -Type Disabled -BackupPath "$Env:UserProfile\Desktop\GPO" -LimitProcessing 2 -Verbose -IncludeDomains 'YourDomainYouHavePermissionsFor'
This command deletes only the first X disabled GPOs. Use the LimitProcessing parameter to prevent mass deletion and increase the counter when no errors occur. Repeat the step above as often as needed, increasing the LimitProcessing count until there's nothing left. In case of any issues please review and act accordingly. Please make sure to check that the backup was made as well before going all in.
If there's nothing else to be deleted, we can skip to the next step.
Once the cleanup task has been executed properly, we need to verify that the report now shows no problems.
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrEmptyUnlinkedAfter.html -Verbose -Type GPOList
If there are no more empty or unlinked GPOs in the report you're done! Enjoy rest of the day!
When a GPO is created, by default it grants Domain Admins and Enterprise Admins the Edit/Delete/Modify Security permission. For some reason, some administrators remove or modify those permissions when they shouldn't touch them at all. Since holding Edit/Delete/Modify Security does not include GpoApply, it has no effect on which users or computers the GPO applies to, so there's no reason to remove Domain Admins or Enterprise Admins from the permissions or limit their rights.

Assessment results:
  • Group Policies requiring adding Domain Admins or Enterprise Admins: 2
  • Group Policies which don't require changes: 44
Following domains require actions (permissions required):
  • ad.evotec.pl requires 1 changes.
  • ad.evotec.xyz requires 1 changes.
That means we need to fix permissions on: 2 out of 46 Group Policies.

Table columns: DisplayName, GUID, DomainName, Enabled, Description, CreationDate, ModificationTime, PermissionType, Permission, Inherited, PrincipalNetBiosName, PrincipalDistinguishedName, PrincipalDomainName, PrincipalName, PrincipalSid, PrincipalSidType, PrincipalObjectClass, GPOObject, GPOSecurity, GPOSecurityPermissionItem
To be able to execute actions in an automated way, please install the required modules. They will be installed straight from the Microsoft PowerShell Gallery.
Install-Module GPOZaurr -Force
Import-Module GPOZaurr -Force
Using Force makes sure the newest version is downloaded from the PowerShell Gallery regardless of what is currently installed. Once installed, you're ready for the next step.
Depending on when this report was run, you may want to prepare a new report before proceeding with fixing Group Policy administrative permissions. To generate a new report, use:
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrGPOPermissionsAdministrativeBefore.html -Verbose -Type GPOPermissionsAdministrative
When executed, it will take a while to generate all the data and provide you with a new report, depending on the size of the environment. GPOs with problems are those without any value in the Permission/PermissionType columns. Once you have confirmed that the data still shows issues and requires fixing, proceed with the next step.
Alternatively, if you prefer working in the console, you can run:
$AdministrativeUsers = Get-GPOZaurrPermission -Type Administrative -IncludePermissionType GpoEditDeleteModifySecurity -ReturnSecurityWhenNoData
$AdministrativeUsers | Format-Table
It provides the same data as the table above, just without prettifying it for you.
The process of fixing GPO permissions does NOT touch GPO content. It simply adds permissions in AD and on SYSVOL at the same time for a given GPO. However, it's always good to have a backup before executing changes that may impact Active Directory.
$GPOSummary = Backup-GPOZaurr -BackupPath "$Env:UserProfile\Desktop\GPO" -Verbose -Type All
$GPOSummary | Format-Table # only if you want to display output of backup
When executed, the command above makes a backup to the Desktop, creates a GPO folder, and puts all those GPOs inside it.
The following command finds any GPO that doesn't have Domain Admins and Enterprise Admins added with GpoEditDeleteModifySecurity and adds them with GpoEditDeleteModifySecurity. This change doesn't touch the GpoApply permission, so it won't change to whom the GPO applies. It ensures that Domain Admins and Enterprise Admins can manage the GPO. When running it for the first time, make sure to run it with the WhatIf parameter as shown below to prevent accidentally adding permissions.
Add-GPOZaurrPermission -Type Administrative -PermissionType GpoEditDeleteModifySecurity -All -WhatIf -Verbose
Alternatively, in a multi-domain scenario where you only have Domain Admin credentials for a single domain, use the following command:
Add-GPOZaurrPermission -Type Administrative -PermissionType GpoEditDeleteModifySecurity -All -WhatIf -Verbose -IncludeDomains 'YourDomainYouHavePermissionsFor'
After execution, make sure there are no errors, review the provided output, and confirm that what is about to be changed matches the expected data.

Once happy with the results, follow with the command below (this will start the fixing process):

Add-GPOZaurrPermission -Type Administrative -PermissionType GpoEditDeleteModifySecurity -All -Verbose -LimitProcessing 2
Alternatively, in a multi-domain scenario where you only have Domain Admin credentials for a single domain, use the following command:
Add-GPOZaurrPermission -Type Administrative -PermissionType GpoEditDeleteModifySecurity -All -Verbose -LimitProcessing 2 -IncludeDomains 'YourDomainYouHavePermissionsFor'
When executed, this command adds Enterprise Admins and/or Domain Admins (GpoEditDeleteModifySecurity permission) only on the first X non-compliant Group Policies. Use the LimitProcessing parameter to prevent a mass change, and increase the counter once no errors occur. Repeat the step above as often as needed, increasing the LimitProcessing count until nothing is left. In case of any issues, review and act accordingly.
Once the fixing task has executed properly, verify that the report now shows no problems.
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrGPOPermissionsAdministrativeAfter.html -Verbose -Type GPOPermissionsAdministrative
If everything in the report is healthy, you're done! Enjoy the rest of the day!
Table columns: Type, Comment, Reason, TargetName
When a GPO is created, one of the permissions required for Group Policies to function properly is NT AUTHORITY\Authenticated Users. Some administrators don't follow best practices and, when trying to remove the GpoApply permission, also remove the GpoRead permission from a GPO, which can have consequences.

On June 14th, 2016 Microsoft released a hotfix that requires Authenticated Users to be present on all Group Policies for them to function properly:
MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer's security context.

There are two parts to this assessment. The first reads all Group Policy permissions that the account PRZEMYSLAW.KLYS is able to read and provides a detailed assessment of them. The second checks for GPOs whose permissions this account is not able to read at all, so it has no visibility into the permissions set on them. We were only able to detect the problem, but a higher-privileged account (Domain Admin) should be able to provide the full assessment.
First assessment results:
  • Group Policies requiring Authenticated Users with GpoRead permission: 2
  • Group Policies which don't require changes: 44
The following domains require actions (permissions required):
  • ad.evotec.pl requires 0 changes.
  • ad.evotec.xyz requires 2 changes.
Secondary assessment results:
  • Group Policies whose permissions couldn't be read at all: 1
  • Group Policies with permissions allowing read: 46
With a split per domain (permissions required):
  • ad.evotec.pl requires 0 changes out of 5.
  • ad.evotec.xyz requires 1 change out of 42.
That means we need to fix permissions on 3 out of 47 Group Policies.

Table columns: DisplayName, GUID, DomainName, Enabled, Description, CreationDate, ModificationTime, PermissionType, Permission, Inherited, PrincipalNetBiosName, PrincipalDistinguishedName, PrincipalDomainName, PrincipalName, PrincipalSid, PrincipalSidType, PrincipalObjectClass
Table columns: DisplayName, DomainName, PermissionIssue, ObjectClass, Name, DistinguishedName, GUID, WhenCreated, WhenChanged
To be able to execute actions in an automated way, please install the required modules. They will be installed straight from the Microsoft PowerShell Gallery.
Install-Module GPOZaurr -Force
Import-Module GPOZaurr -Force
Using Force makes sure the newest version is downloaded from the PowerShell Gallery regardless of what is currently installed. Once installed, you're ready for the next step.
Depending on when this report was run, you may want to prepare a new report before proceeding with fixing Group Policy Authenticated Users permissions. To generate a new report, use:
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrGPOPermissionsReadBefore.html -Verbose -Type GPOPermissionsRead
When executed, it will take a while to generate all the data and provide you with a new report, depending on the size of the environment. GPOs with problems are those without any value in the Permission/PermissionType columns. Once you have confirmed that the data still shows issues and requires fixing, proceed with the next step.
Alternatively, if you prefer working in the console, you can run:
$AuthenticatedUsers = Get-GPOZaurrPermission -Type AuthenticatedUsers -ReturnSecurityWhenNoData
$AuthenticatedUsers | Format-Table
It provides the same data as the table above, just without prettifying it for you.
The process of fixing GPO permissions does NOT touch GPO content. It simply adds permissions in AD and on SYSVOL at the same time for a given GPO. However, it's always good to have a backup before executing changes that may impact Active Directory.
$GPOSummary = Backup-GPOZaurr -BackupPath "$Env:UserProfile\Desktop\GPO" -Verbose -Type All
$GPOSummary | Format-Table # only if you want to display output of backup
When executed, the command above makes a backup to the Desktop, creates a GPO folder, and puts all those GPOs inside it.
The following command finds any GPO that doesn't have Authenticated Users with GpoRead or GpoApply and adds them with GpoRead. This change doesn't touch the GpoApply permission, so it won't change to whom the GPO applies. It ensures that COMPUTERS can read the GPO properly in order to apply it. When running it for the first time, make sure to run it with the WhatIf parameter as shown below to prevent accidentally adding permissions.
Add-GPOZaurrPermission -Type AuthenticatedUsers -PermissionType GpoRead -All -WhatIf -Verbose
Alternatively, in a multi-domain scenario where you only have Domain Admin credentials for a single domain, use the following command:
Add-GPOZaurrPermission -Type AuthenticatedUsers -PermissionType GpoRead -All -WhatIf -Verbose -IncludeDomains 'YourDomainYouHavePermissionsFor'
After execution, make sure there are no errors, review the provided output, and confirm that what is about to be changed matches the expected data.

Once happy with the results, follow with the command below (this will start the fixing process):

Add-GPOZaurrPermission -Type AuthenticatedUsers -PermissionType GpoRead -All -Verbose -LimitProcessing 2
Alternatively, in a multi-domain scenario where you only have Domain Admin credentials for a single domain, use the following command:
Add-GPOZaurrPermission -Type AuthenticatedUsers -PermissionType GpoRead -All -Verbose -LimitProcessing 2 -IncludeDomains 'YourDomainYouHavePermissionsFor'
When executed, this command adds Authenticated Users (GpoRead permission) only on the first X non-compliant Group Policies. Use the LimitProcessing parameter to prevent a mass change, and increase the counter once no errors occur. Repeat the step above as often as needed, increasing the LimitProcessing count until nothing is left. In case of any issues, review and act accordingly.
Once the fixing task has executed properly, verify that the report now shows no problems.
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrGPOPermissionsReadAfter.html -Verbose -Type GPOPermissionsRead
If everything in the report is healthy, you're done! Enjoy the rest of the day!
Table columns: Type, Comment, Reason, TargetName
Group Policies contain multiple permissions for different levels of access, be it administrative permissions, read permissions or apply permissions. Over time some users or groups get deleted for various reasons, and such permissions in Group Policies leave a trace in the form of an Unknown SID. Unknown SIDs can also be remains of Active Directory trusts that have been deleted or are otherwise unavailable. The following assessment detects all unknown permissions and provides them for review and deletion.

Assessment results:
  • Group Policies requiring removal of unknown SIDs: 1
The following domains require actions (permissions required):
  • ad.evotec.xyz requires 1 change.
That means we need to remove 1 unknown permission from Group Policies.

Table columns: DisplayName, GUID, DomainName, Enabled, Description, CreationDate, ModificationTime, PermissionType, Permission, Inherited, PrincipalNetBiosName, PrincipalDistinguishedName, PrincipalDomainName, PrincipalName, PrincipalSid, PrincipalSidType, PrincipalObjectClass
To be able to execute actions in an automated way, please install the required modules. They will be installed straight from the Microsoft PowerShell Gallery.
Install-Module GPOZaurr -Force
Import-Module GPOZaurr -Force
Using Force makes sure the newest version is downloaded from the PowerShell Gallery regardless of what is currently installed. Once installed, you're ready for the next step.
Depending on when this report was run, you may want to prepare a new report before proceeding with removing unknown permissions. To generate a new report, use:
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrGPOPermissionsUnknownBefore.html -Verbose -Type GPOPermissionsUnknown
When executed, it will take a while to generate all the data and provide you with a new report, depending on the size of the environment. The table only shows GPOs and their unknown permissions; it doesn't show permissions that are not the subject of this investigation. Once you have confirmed that the data still shows issues and requires fixing, proceed with the next step.
Alternatively, if you prefer working in the console, you can run:
$UnknownPermissions = Get-GPOZaurrPermission -Type Unknown
$UnknownPermissions | Format-Table
It provides the same data as the table above, just without prettifying it for you.
The process of fixing GPO permissions does NOT touch GPO content. It simply removes permissions in AD and on SYSVOL at the same time for a given GPO. However, it's always good to have a backup before executing changes that may impact Active Directory.
$GPOSummary = Backup-GPOZaurr -BackupPath "$Env:UserProfile\Desktop\GPO" -Verbose -Type All
$GPOSummary | Format-Table # only if you want to display output of backup
When executed, the command above makes a backup to the Desktop, creates a GPO folder, and puts all those GPOs inside it.
The following command finds any GPO that has an unknown SID and removes it. This change doesn't touch any other permissions. It ensures that GPOs have no unknown permissions present. When running it for the first time, make sure to run it with the WhatIf parameter as shown below to prevent accidentally removing permissions.
Remove-GPOZaurrPermission -Verbose -Type Unknown -WhatIf
Alternatively, in a multi-domain scenario where you only have Domain Admin credentials for a single domain, use the following command:
Remove-GPOZaurrPermission -Verbose -Type Unknown -WhatIf -IncludeDomains 'YourDomainYouHavePermissionsFor'
After execution, make sure there are no errors, review the provided output, and confirm that what is about to be changed matches the expected data.

Once happy with the results, follow with the command below (this will start the fixing process):

Remove-GPOZaurrPermission -Verbose -Type Unknown -LimitProcessing 2
Alternatively, in a multi-domain scenario where you only have Domain Admin credentials for a single domain, use the following command:
Remove-GPOZaurrPermission -Verbose -Type Unknown -LimitProcessing 2 -IncludeDomains 'YourDomainYouHavePermissionsFor'
When executed, this command removes only the first X unknown permissions from Group Policies. Use the LimitProcessing parameter to prevent a mass change, and increase the counter once no errors occur. Repeat the step above as often as needed, increasing the LimitProcessing count until nothing is left. In case of any issues, review and act accordingly.
Once the cleanup task has executed properly, verify that the report now shows no problems.
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrGPOPermissionsUnknownAfter.html -Verbose -Type GPOPermissionsUnknown
If everything in the report is healthy, you're done! Enjoy the rest of the day!
Table columns: Type, Comment, Reason, TargetName
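The three permission assessments above (administrative groups missing GpoEditDeleteModifySecurity, Authenticated Users missing GpoRead/GpoApply, and unknown SIDs) can be reproduced with the built-in GroupPolicy module, which is useful for cross-checking the report or for auditing before installing GPOZaurr. The following is an added example written for this page, not GPOZaurr code; it assumes the RSAT GroupPolicy module is installed, that the caller can read GPO ACLs, and that the function name Test-GpoPermissionHealth is a name chosen here.

```powershell
# Added example (not part of GPOZaurr): audit GPO permissions for the three
# conditions the report checks, using only the built-in GroupPolicy module.
# Assumes RSAT GroupPolicy is installed; Test-GpoPermissionHealth is a name chosen here.
Import-Module GroupPolicy -ErrorAction Stop

function Test-GpoPermissionHealth {
    [CmdletBinding()]
    param(
        # Domain to audit; defaults to the domain of the current user
        [string] $Domain = $env:USERDNSDOMAIN
    )
    # Groups expected to keep full management rights on every GPO
    $adminGroups = @('Domain Admins', 'Enterprise Admins')
    # Well-known SID of NT AUTHORITY\Authenticated Users
    $authenticatedUsersSid = 'S-1-5-11'

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        try {
            $acl = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain -ErrorAction Stop
        } catch {
            # Same situation as the report's "couldn't be read at all" bucket:
            # the running account has no read access to this GPO's security descriptor.
            [pscustomobject]@{ DisplayName = $gpo.DisplayName; Domain = $Domain
                               Issue = 'PermissionsUnreadable'; Detail = $_.Exception.Message }
            continue
        }

        # 1. Administrative permissions: each admin group needs GpoEditDeleteModifySecurity
        foreach ($group in $adminGroups) {
            $hasFull = $acl | Where-Object {
                $_.Trustee.Name -eq $group -and [string]$_.Permission -eq 'GpoEditDeleteModifySecurity'
            }
            if (-not $hasFull) {
                [pscustomobject]@{ DisplayName = $gpo.DisplayName; Domain = $Domain
                                   Issue = 'MissingAdminPermission'; Detail = $group }
            }
        }

        # 2. Authenticated Users must keep at least GpoRead (GpoApply includes read),
        #    otherwise computers cannot retrieve the GPO after MS16-072.
        $authRead = $acl | Where-Object {
            $_.Trustee.Sid.Value -eq $authenticatedUsersSid -and
            [string]$_.Permission -in @('GpoRead', 'GpoApply')
        }
        if (-not $authRead) {
            [pscustomobject]@{ DisplayName = $gpo.DisplayName; Domain = $Domain
                               Issue = 'MissingAuthenticatedUsersRead'; Detail = $authenticatedUsersSid }
        }

        # 3. Unknown SIDs: trustees that no longer resolve to an account or trust
        foreach ($ace in ($acl | Where-Object { [string]$_.Trustee.SidType -eq 'Unknown' })) {
            [pscustomobject]@{ DisplayName = $gpo.DisplayName; Domain = $Domain
                               Issue = 'UnknownSid'; Detail = $ace.Trustee.Sid.Value }
        }
    }
}

# Usage: list every finding, grouped the same way the report sections are
Test-GpoPermissionHealth | Sort-Object Issue, DisplayName | Format-Table -AutoSize
```

The function only reads; it emits one object per finding so the output can be filtered with Where-Object (for example on Issue -eq 'UnknownSid') before any Add-GPOZaurrPermission or Remove-GPOZaurrPermission run, and a GPO whose ACL cannot be read is reported rather than silently skipped, which is the same distinction the secondary assessment above draws.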
NetLogon is a crucial part of Active Directory. Files stored there are available on each and every computer and server in the company, so keeping those files clean and secure is a very important task. NetLogon file owners should be set to BUILTIN\Administrators (SID: S-1-5-32-544). Owners have full control over the file object. The current owner of a file may be an administrator, but that doesn't guarantee he/she will be one in the future. That's why, as a best practice, it's recommended to change any non-administrative owners to BUILTIN\Administrators, and even administrative accounts should be replaced with it.
  • NetLogon Files in Total: 39
  • NetLogon BUILTIN\Administrators as Owner: 39
  • NetLogon Owners requiring change: 0
    • Not Administrative: 0
    • Administrative, but not BUILTIN\Administrators: 0
Follow the steps below the table to get NetLogon owners into a compliant state.
Table columns: FullName, Status, DomainName, Extension, CreationTime, LastAccessTime, LastWriteTime, Attributes, Owner, OwnerSid, OwnerType, FullNameOnSysVol
To be able to execute actions in an automated way, please install the required modules. They will be installed straight from the Microsoft PowerShell Gallery.
Install-Module GPOZaurr -Force
Import-Module GPOZaurr -Force
Using Force makes sure the newest version is downloaded from the PowerShell Gallery regardless of what is currently installed. Once installed, you're ready for the next step.
Depending on when this report was run, you may want to prepare a new report before proceeding with the owner replacement. To generate a new report, use:
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrNetLogonBefore.html -Verbose -Type NetLogonOwners
When executed, it will take a while to generate all the data and provide you with a new report, depending on the size of the environment. Once you have confirmed that the data still shows issues and requires fixing, proceed with the next step.
Alternatively, if you prefer working in the console, you can run:
$NetLogonOutput = Get-GPOZaurrNetLogon -OwnerOnly -Verbose
$NetLogonOutput | Format-Table
It provides the same data as the table above, just without prettifying it for you.
When executed, the following command internally lists all file owners and, where an owner doesn't match, changes it to BUILTIN\Administrators. It doesn't change compliant owners.
When running it for the first time, make sure to run it with the WhatIf parameter as shown below to prevent accidental changes.
Repair-GPOZaurrNetLogonOwner -Verbose -WhatIf
Alternatively, in a multi-domain scenario where you only have Domain Admin credentials for a single domain, use the following command:
Repair-GPOZaurrNetLogonOwner -Verbose -WhatIf -IncludeDomains 'YourDomainYouHavePermissionsFor'
After execution, make sure there are no errors, review the provided output, and confirm that what is about to be changed matches the expected data.

Once happy with the results, follow with the command below (this will start the owner replacement process):

Repair-GPOZaurrNetLogonOwner -Verbose -LimitProcessing 2
Alternatively, in a multi-domain scenario where you only have Domain Admin credentials for a single domain, use the following command:
Repair-GPOZaurrNetLogonOwner -Verbose -LimitProcessing 2 -IncludeDomains 'YourDomainYouHavePermissionsFor'
When executed, this command sets the new owner only on the first X non-compliant NetLogon files. Use the LimitProcessing parameter to prevent a mass change, and increase the counter once no errors occur. Repeat the step above as often as needed, increasing the LimitProcessing count until nothing is left. In case of any issues, review and act accordingly.
Once the replacement task has executed properly, verify that the report now shows no problems.
Invoke-GPOZaurr -FilePath $Env:UserProfile\Desktop\GPOZaurrNetLogonAfter.html -Verbose -Type NetLogonOwners
If everything in the report is healthy, you're done! Enjoy the rest of the day!
Table columns: Type, Comment, Reason, TargetName
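The NetLogon owner check and the batched, WhatIf-guarded repair described in this section can also be done with plain PowerShell ACL cmdlets, which shows what "owner requiring change" means at the file-system level. This is an added example written for this page, not GPOZaurr code; it assumes the caller can read SYSVOL and, for the repair, holds the right to assign ownership to BUILTIN\Administrators, and the function names and the domain 'ad.example.com' are chosen here as placeholders.

```powershell
# Added example (not part of GPOZaurr): audit NetLogon file owners and reset
# non-compliant ones to BUILTIN\Administrators (S-1-5-32-544) in small batches.
# Function names and the 'ad.example.com' domain are placeholders chosen here.
$BuiltinAdministrators = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

function Get-NetLogonOwnerStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Domain
    )
    # The NETLOGON share is the scripts subfolder of SYSVOL, replicated to every DC
    $netlogon = "\\$Domain\NETLOGON"
    foreach ($file in Get-ChildItem -LiteralPath $netlogon -Recurse -File) {
        $acl = Get-Acl -LiteralPath $file.FullName
        # Resolve the owner as a SID so the comparison does not depend on name translation
        $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{
            FullName  = $file.FullName
            Owner     = $acl.Owner
            OwnerSid  = $ownerSid.Value
            Compliant = ($ownerSid -eq $BuiltinAdministrators)
        }
    }
}

function Repair-NetLogonOwner {
    # SupportsShouldProcess gives the function -WhatIf and -Confirm, as in the report's steps
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # Same idea as GPOZaurr's LimitProcessing: cap how many files change per run
        [int] $LimitProcessing = [int]::MaxValue
    )
    $changed = 0
    $nonCompliant = Get-NetLogonOwnerStatus -Domain $Domain | Where-Object { -not $_.Compliant }
    foreach ($entry in $nonCompliant) {
        if ($changed -ge $LimitProcessing) { break }
        $action = "Set owner to BUILTIN\Administrators (currently $($entry.Owner))"
        if ($PSCmdlet.ShouldProcess($entry.FullName, $action)) {
            $acl = Get-Acl -LiteralPath $entry.FullName
            $acl.SetOwner($BuiltinAdministrators)
            Set-Acl -LiteralPath $entry.FullName -AclObject $acl
            $changed++
        }
    }
    return $changed
}

# Usage: review first, then repair a couple of files at a time with -WhatIf removed
Get-NetLogonOwnerStatus -Domain 'ad.example.com' | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
Repair-NetLogonOwner -Domain 'ad.example.com' -LimitProcessing 2 -WhatIf
```

Set-Acl only succeeds in assigning BUILTIN\Administrators as owner when the running account is a member of that group or holds the restore privilege on the domain controller, so an access-denied error here is the permission issue the report refers to rather than a bug; under -WhatIf the counter never increments, so every non-compliant file is listed, which is the expected behaviour for the review pass.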