Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Check GPOs ACL Ensure it Has Authenticated Users - Read

Posted on 2016-08-10
6
Medium Priority
?
63 Views
Last Modified: 2016-08-23
Hi, I am running the following to check and ensure all GPOs in our domain have authenticated users with read access and export it to a CSV. I am getting false results. Can someone please shed some light? Thank you!

Function Test-GPOAuthenticatedUsers{
#Load GPO module
Import-Module GroupPolicy

#Get all GPOs in current domain
$GPOs = Get-GPO -domain child.domain.com -all

#Check we have GPOs
if ($GPOs) {
#Loop through GPOs
foreach ($GPO in $GPOs) {
#Nullify $AuthUser
$AuthUser = $null

#See if we have an Auth Users perm
$AuthUser = Get-GPPermissions -Guid $GPO.Id -TargetName “Authenticated Users” -TargetType Group -ErrorAction SilentlyContinue

#Alert if we don’t have an ‘Authenticated Users’ permission
if (-not $AuthUser) {
$status = ‘Missing Authenticated Users Permission’
} #end of if (-not $AuthUser)
else {
#Alert on a custom permission
if ($AuthUser.Permission -eq “GpoCustom”) {
$Status = ‘Custom Authenticated Users Permission’
} #end of if (-not $AuthUser)
else{
$Status = $true
}
} #end of if (-not $AuthUser)
[pscustomobject]@{‘DisplayName’=$GPO.DisplayName;’ID’=$GPO.ID;’Status’=$status}
} #end of foreach ($GPO in $GPOs)
} #end of if ($GPOs)
}

Test-GPOAuthenticatedUsers | Export-Csv -path c:\temp\gpoauthusersissues.csv -NoTypeInformation
0
Comment
Question by:IT_Admin XXXX
  • 3
  • 2
6 Comments
 
LVL 41

Expert Comment

by:footech
ID: 41750933
Besides the use of "pretty" quotes (double and single), I don't see anything wrong.

Can you describe further your incorrect results?
0
 

Author Comment

by:IT_Admin XXXX
ID: 41751004
I just get inaccurate results when I call the other domains (not the domain that I'm logged into)
0
 
LVL 41

Accepted Solution

by:
footech earned 2000 total points
ID: 41751025
Try adding the -domain parameter to the Get-GPPermissions command.
1
Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

 
LVL 8

Expert Comment

by:Senior IT System Engineer
ID: 41754527
Hi IT_Admin XXXX,

Does your script above does something to the registry or just report and get some information then dumps to .CSV ?
0
 
LVL 41

Expert Comment

by:footech
ID: 41755072
It doesn't change anything, just grabs info.
1
 
LVL 8

Expert Comment

by:Senior IT System Engineer
ID: 41766490
@Footech: Thanks for the clarification.

@Hi IT_Admin XXXX,

So did you apply the Authenticated Users - Read permission manually for all the GPO in the script result the after applying the patch below ?

Security Update for Windows Server 2012 R2 (KB3159398)
More information: http://support.microsoft.com/kb/3159398

Or after applying the patch ?
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
Loops Section Overview
Screencast - Getting to Know the Pipeline

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question