Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

PowerShell to Audit GPO's

Posted on 2016-10-25
2
Medium Priority
?
280 Views
Last Modified: 2016-10-25
I have recently taken ownership of an AD domain.  The domain had previously been managed by numerous people, all with differing approaches, resulting in extremely varied GPO application across the domain.  Each server is in it's own OU.  Some have GPO's applied, some do not.  I am currently only worried about servers (mainly 2008 but I digress).  I also have System Center configured (which I plan to use in this process).

I created a Powershell script to create an HTML GPO report.   My issue - I am using the Get-GPResultantSetOf cmdlet to gather GPResults.  This will fail if the user account I am running the script under has not ran a "gpresult /r" from that server.  As I am a new admin, I have certainly not done this (and I would like fresh data).

So I added the line:

Invoke-Command -ScriptBlock {GPResult /r} -ComputerName $Computer

But this seems to fail due to... security policies (applied by the  very GPO's I am trying to audit!).  Here's the error:


PS WNP:\> WC-GPAudit -CollectionName WC-test
[SERVERNAME] Connecting to remote server SERVERNAME failed with the following error message : WinRM cannot complete the operation. Verify that the specified 
computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this 
computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the 
about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (SERVERNAME:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionStateBroken

Open in new window




And the PowerShell Script:
function WC-GPAudit{
Param (          
            [Parameter(Mandatory=$False)]
            [String]$CollectionName,

            [Parameter(Mandatory=$False)]
            [String[]]$ComputerName
)

Import-Module GroupPolicy

If ((![string]::IsNullOrEmpty($CollectionName)) -and ([string]::IsNullOrEmpty($ComputerName))) {

    Import-Module ((Split-Path $env:SMS_ADMIN_UI_PATH)+"\ConfigurationManager.psd1")
    Set-Location -Path WNP:
    $CollectionID = Get-CMDeviceCollection -Name $CollectionName | Select CollectionID
    $ComputerList = (Get-CMDevice -CollectionId $CollectionID.CollectionID).Name

}

If ((![string]::IsNullOrEmpty($ComputerName)) -and ([string]::IsNullOrEmpty($CollectionName)))  {

    $ComputerList = $ComputerName

}

ForEach ($Computer in $ComputerList){
    Invoke-Command -ScriptBlock {GPResult /r} -ComputerName $Computer 
    Get-GPResultantSetOfPolicy -Path c:\Temp\Report\$Computer.html -ReportType HTML -Computer $Computer
    }
}

Open in new window



Any ideas of how I could get the RSoP?
0
Comment
Question by:JamesonJendreas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 42

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 41859058
There are a couple different potential causes for the error.
1. Script execution on the servers is prohibiting the execution of the invoke-command cmdlet against that server. You can determine if this is the cause by running enter-pssession <servername>
If it lets you access the remote server's powershell session when you do that, then the execution policy is blocking you and you'll need to change the configuration to allow remote script execution.
2. WinRM isn't configured on the servers. If you attempt the enter-possession cmdlet and it fails to connect, this is the most likely cause. Running winrmquickconfig on each of the servers will resolve this. WinRM is *not* enabled by default, so it's very likely that no one enabled it in the first place. You can do this with a group policy as well, but it sounds like you're trying to avoid that :D
0
 
LVL 1

Author Comment

by:JamesonJendreas
ID: 41859399
Thank You Adam - That was my assumption.  I am opting out of running the WinRM config for now.  Once I have an idea of how my GPO's are spread, then I will addressing WinRM from a OU/GPO

I have a workaround  I will be importing all my servers into Remote Desktop Connection Manager (in large groups), and use the "Connection Settings" and use "Start Program" gpresult.exe /r.  This will allow me to bulk-login (using the Connect Group and Disconnect group) and auto-populate the GP info.  Then i will run the script without the invoke-command line.

Cheers
JJ
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question