Solved

PowerShell to Audit GPO's

Posted on 2016-10-25
2
218 Views
Last Modified: 2016-10-25
I have recently taken ownership of an AD domain.  The domain had previously been managed by numerous people, all with differing approaches, resulting in extremely varied GPO application across the domain.  Each server is in it's own OU.  Some have GPO's applied, some do not.  I am currently only worried about servers (mainly 2008 but I digress).  I also have System Center configured (which I plan to use in this process).

I created a Powershell script to create an HTML GPO report.   My issue - I am using the Get-GPResultantSetOf cmdlet to gather GPResults.  This will fail if the user account I am running the script under has not ran a "gpresult /r" from that server.  As I am a new admin, I have certainly not done this (and I would like fresh data).

So I added the line:

Invoke-Command -ScriptBlock {GPResult /r} -ComputerName $Computer

But this seems to fail due to... security policies (applied by the  very GPO's I am trying to audit!).  Here's the error:


PS WNP:\> WC-GPAudit -CollectionName WC-test
[SERVERNAME] Connecting to remote server SERVERNAME failed with the following error message : WinRM cannot complete the operation. Verify that the specified 
computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this 
computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the 
about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (SERVERNAME:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionStateBroken

Open in new window




And the PowerShell Script:
function WC-GPAudit{
Param (          
            [Parameter(Mandatory=$False)]
            [String]$CollectionName,

            [Parameter(Mandatory=$False)]
            [String[]]$ComputerName
)

Import-Module GroupPolicy

If ((![string]::IsNullOrEmpty($CollectionName)) -and ([string]::IsNullOrEmpty($ComputerName))) {

    Import-Module ((Split-Path $env:SMS_ADMIN_UI_PATH)+"\ConfigurationManager.psd1")
    Set-Location -Path WNP:
    $CollectionID = Get-CMDeviceCollection -Name $CollectionName | Select CollectionID
    $ComputerList = (Get-CMDevice -CollectionId $CollectionID.CollectionID).Name

}

If ((![string]::IsNullOrEmpty($ComputerName)) -and ([string]::IsNullOrEmpty($CollectionName)))  {

    $ComputerList = $ComputerName

}

ForEach ($Computer in $ComputerList){
    Invoke-Command -ScriptBlock {GPResult /r} -ComputerName $Computer 
    Get-GPResultantSetOfPolicy -Path c:\Temp\Report\$Computer.html -ReportType HTML -Computer $Computer
    }
}

Open in new window



Any ideas of how I could get the RSoP?
0
Comment
Question by:JamesonJendreas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 41

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41859058
There are a couple different potential causes for the error.
1. Script execution on the servers is prohibiting the execution of the invoke-command cmdlet against that server. You can determine if this is the cause by running enter-pssession <servername>
If it lets you access the remote server's powershell session when you do that, then the execution policy is blocking you and you'll need to change the configuration to allow remote script execution.
2. WinRM isn't configured on the servers. If you attempt the enter-possession cmdlet and it fails to connect, this is the most likely cause. Running winrmquickconfig on each of the servers will resolve this. WinRM is *not* enabled by default, so it's very likely that no one enabled it in the first place. You can do this with a group policy as well, but it sounds like you're trying to avoid that :D
0
 
LVL 1

Author Comment

by:JamesonJendreas
ID: 41859399
Thank You Adam - That was my assumption.  I am opting out of running the WinRM config for now.  Once I have an idea of how my GPO's are spread, then I will addressing WinRM from a OU/GPO

I have a workaround  I will be importing all my servers into Remote Desktop Connection Manager (in large groups), and use the "Connection Settings" and use "Start Program" gpresult.exe /r.  This will allow me to bulk-login (using the Connect Group and Disconnect group) and auto-populate the GP info.  Then i will run the script without the invoke-command line.

Cheers
JJ
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question