Check GPOs ACL Ensure it Has Authenticated Users - Read

Hi, I am running the following to check and ensure all GPOs in our domain have authenticated users with read access and export it to a CSV. I am getting false results. Can someone please shed some light? Thank you!

Function Test-GPOAuthenticatedUsers{
#Load GPO module
Import-Module GroupPolicy

#Get all GPOs in current domain
$GPOs = Get-GPO -domain child.domain.com -all

#Check we have GPOs
if ($GPOs) {
#Loop through GPOs
foreach ($GPO in $GPOs) {
#Nullify $AuthUser
$AuthUser = $null

#See if we have an Auth Users perm
$AuthUser = Get-GPPermissions -Guid $GPO.Id -TargetName “Authenticated Users” -TargetType Group -ErrorAction SilentlyContinue

#Alert if we don’t have an ‘Authenticated Users’ permission
if (-not $AuthUser) {
$status = ‘Missing Authenticated Users Permission’
} #end of if (-not $AuthUser)
else {
#Alert on a custom permission
if ($AuthUser.Permission -eq “GpoCustom”) {
$Status = ‘Custom Authenticated Users Permission’
} #end of if (-not $AuthUser)
else{
$Status = $true
}
} #end of if (-not $AuthUser)
[pscustomobject]@{‘DisplayName’=$GPO.DisplayName;’ID’=$GPO.ID;’Status’=$status}
} #end of foreach ($GPO in $GPOs)
} #end of if ($GPOs)
}

Test-GPOAuthenticatedUsers | Export-Csv -path c:\temp\gpoauthusersissues.csv -NoTypeInformation
IT_Admin XXXXAsked:
Who is Participating?
 
footechConnect With a Mentor Commented:
Try adding the -domain parameter to the Get-GPPermissions command.
1
 
footechCommented:
Besides the use of "pretty" quotes (double and single), I don't see anything wrong.

Can you describe further your incorrect results?
0
 
IT_Admin XXXXAuthor Commented:
I just get inaccurate results when I call the other domains (not the domain that I'm logged into)
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
Senior IT System EngineerIT ProfessionalCommented:
Hi IT_Admin XXXX,

Does your script above does something to the registry or just report and get some information then dumps to .CSV ?
0
 
footechCommented:
It doesn't change anything, just grabs info.
1
 
Senior IT System EngineerIT ProfessionalCommented:
@Footech: Thanks for the clarification.

@Hi IT_Admin XXXX,

So did you apply the Authenticated Users - Read permission manually for all the GPO in the script result the after applying the patch below ?

Security Update for Windows Server 2012 R2 (KB3159398)
More information: http://support.microsoft.com/kb/3159398

Or after applying the patch ?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.