Solved

Check GPOs ACL Ensure it Has Authenticated Users - Read

Posted on 2016-08-10
6
43 Views
Last Modified: 2016-08-23
Hi, I am running the following to check and ensure all GPOs in our domain have authenticated users with read access and export it to a CSV. I am getting false results. Can someone please shed some light? Thank you!

Function Test-GPOAuthenticatedUsers{
#Load GPO module
Import-Module GroupPolicy

#Get all GPOs in current domain
$GPOs = Get-GPO -domain child.domain.com -all

#Check we have GPOs
if ($GPOs) {
#Loop through GPOs
foreach ($GPO in $GPOs) {
#Nullify $AuthUser
$AuthUser = $null

#See if we have an Auth Users perm
$AuthUser = Get-GPPermissions -Guid $GPO.Id -TargetName “Authenticated Users” -TargetType Group -ErrorAction SilentlyContinue

#Alert if we don’t have an ‘Authenticated Users’ permission
if (-not $AuthUser) {
$status = ‘Missing Authenticated Users Permission’
} #end of if (-not $AuthUser)
else {
#Alert on a custom permission
if ($AuthUser.Permission -eq “GpoCustom”) {
$Status = ‘Custom Authenticated Users Permission’
} #end of if (-not $AuthUser)
else{
$Status = $true
}
} #end of if (-not $AuthUser)
[pscustomobject]@{‘DisplayName’=$GPO.DisplayName;’ID’=$GPO.ID;’Status’=$status}
} #end of foreach ($GPO in $GPOs)
} #end of if ($GPOs)
}

Test-GPOAuthenticatedUsers | Export-Csv -path c:\temp\gpoauthusersissues.csv -NoTypeInformation
0
Comment
Question by:IT_Admin XXXX
  • 3
  • 2
6 Comments
 
LVL 39

Expert Comment

by:footech
ID: 41750933
Besides the use of "pretty" quotes (double and single), I don't see anything wrong.

Can you describe further your incorrect results?
0
 

Author Comment

by:IT_Admin XXXX
ID: 41751004
I just get inaccurate results when I call the other domains (not the domain that I'm logged into)
0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 41751025
Try adding the -domain parameter to the Get-GPPermissions command.
1
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 7

Expert Comment

by:Senior IT System Engineer
ID: 41754527
Hi IT_Admin XXXX,

Does your script above does something to the registry or just report and get some information then dumps to .CSV ?
0
 
LVL 39

Expert Comment

by:footech
ID: 41755072
It doesn't change anything, just grabs info.
1
 
LVL 7

Expert Comment

by:Senior IT System Engineer
ID: 41766490
@Footech: Thanks for the clarification.

@Hi IT_Admin XXXX,

So did you apply the Authenticated Users - Read permission manually for all the GPO in the script result the after applying the patch below ?

Security Update for Windows Server 2012 R2 (KB3159398)
More information: http://support.microsoft.com/kb/3159398

Or after applying the patch ?
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a PowerShell web interface I use to manage some task as a network administrator. Clicking an action button on the left frame will display a form in the middle frame to input some data in textboxes, process this data in PowerShell and display…
A procedure for exporting installed hotfix details of remote computers using powershell
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question