Solved

PowerShell to Audit GPO's

Posted on 2016-10-25
2
135 Views
Last Modified: 2016-10-25
I have recently taken ownership of an AD domain.  The domain had previously been managed by numerous people, all with differing approaches, resulting in extremely varied GPO application across the domain.  Each server is in it's own OU.  Some have GPO's applied, some do not.  I am currently only worried about servers (mainly 2008 but I digress).  I also have System Center configured (which I plan to use in this process).

I created a Powershell script to create an HTML GPO report.   My issue - I am using the Get-GPResultantSetOf cmdlet to gather GPResults.  This will fail if the user account I am running the script under has not ran a "gpresult /r" from that server.  As I am a new admin, I have certainly not done this (and I would like fresh data).

So I added the line:

Invoke-Command -ScriptBlock {GPResult /r} -ComputerName $Computer

But this seems to fail due to... security policies (applied by the  very GPO's I am trying to audit!).  Here's the error:


PS WNP:\> WC-GPAudit -CollectionName WC-test
[SERVERNAME] Connecting to remote server SERVERNAME failed with the following error message : WinRM cannot complete the operation. Verify that the specified 
computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this 
computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the 
about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (SERVERNAME:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionStateBroken

Open in new window




And the PowerShell Script:
function WC-GPAudit{
Param (          
            [Parameter(Mandatory=$False)]
            [String]$CollectionName,

            [Parameter(Mandatory=$False)]
            [String[]]$ComputerName
)

Import-Module GroupPolicy

If ((![string]::IsNullOrEmpty($CollectionName)) -and ([string]::IsNullOrEmpty($ComputerName))) {

    Import-Module ((Split-Path $env:SMS_ADMIN_UI_PATH)+"\ConfigurationManager.psd1")
    Set-Location -Path WNP:
    $CollectionID = Get-CMDeviceCollection -Name $CollectionName | Select CollectionID
    $ComputerList = (Get-CMDevice -CollectionId $CollectionID.CollectionID).Name

}

If ((![string]::IsNullOrEmpty($ComputerName)) -and ([string]::IsNullOrEmpty($CollectionName)))  {

    $ComputerList = $ComputerName

}

ForEach ($Computer in $ComputerList){
    Invoke-Command -ScriptBlock {GPResult /r} -ComputerName $Computer 
    Get-GPResultantSetOfPolicy -Path c:\Temp\Report\$Computer.html -ReportType HTML -Computer $Computer
    }
}

Open in new window



Any ideas of how I could get the RSoP?
0
Comment
Question by:JamesonJendreas
2 Comments
 
LVL 39

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41859058
There are a couple different potential causes for the error.
1. Script execution on the servers is prohibiting the execution of the invoke-command cmdlet against that server. You can determine if this is the cause by running enter-pssession <servername>
If it lets you access the remote server's powershell session when you do that, then the execution policy is blocking you and you'll need to change the configuration to allow remote script execution.
2. WinRM isn't configured on the servers. If you attempt the enter-possession cmdlet and it fails to connect, this is the most likely cause. Running winrmquickconfig on each of the servers will resolve this. WinRM is *not* enabled by default, so it's very likely that no one enabled it in the first place. You can do this with a group policy as well, but it sounds like you're trying to avoid that :D
0
 
LVL 1

Author Comment

by:JamesonJendreas
ID: 41859399
Thank You Adam - That was my assumption.  I am opting out of running the WinRM config for now.  Once I have an idea of how my GPO's are spread, then I will addressing WinRM from a OU/GPO

I have a workaround  I will be importing all my servers into Remote Desktop Connection Manager (in large groups), and use the "Connection Settings" and use "Start Program" gpresult.exe /r.  This will allow me to bulk-login (using the Connect Group and Disconnect group) and auto-populate the GP info.  Then i will run the script without the invoke-command line.

Cheers
JJ
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Server 2012 r2 licensing CALs 3 57
Opening a new tab in IE using Powershell / HTML 2 21
powershell variable inside quotes 5 21
Invoke command powershell 4 27
If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question