Solved

PowerShell to Audit GPO's

Posted on 2016-10-25
2
51 Views
Last Modified: 2016-10-25
I have recently taken ownership of an AD domain.  The domain had previously been managed by numerous people, all with differing approaches, resulting in extremely varied GPO application across the domain.  Each server is in it's own OU.  Some have GPO's applied, some do not.  I am currently only worried about servers (mainly 2008 but I digress).  I also have System Center configured (which I plan to use in this process).

I created a Powershell script to create an HTML GPO report.   My issue - I am using the Get-GPResultantSetOf cmdlet to gather GPResults.  This will fail if the user account I am running the script under has not ran a "gpresult /r" from that server.  As I am a new admin, I have certainly not done this (and I would like fresh data).

So I added the line:

Invoke-Command -ScriptBlock {GPResult /r} -ComputerName $Computer

But this seems to fail due to... security policies (applied by the  very GPO's I am trying to audit!).  Here's the error:


PS WNP:\> WC-GPAudit -CollectionName WC-test
[SERVERNAME] Connecting to remote server SERVERNAME failed with the following error message : WinRM cannot complete the operation. Verify that the specified 
computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this 
computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the 
about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (SERVERNAME:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionStateBroken

Open in new window




And the PowerShell Script:
function WC-GPAudit{
Param (          
            [Parameter(Mandatory=$False)]
            [String]$CollectionName,

            [Parameter(Mandatory=$False)]
            [String[]]$ComputerName
)

Import-Module GroupPolicy

If ((![string]::IsNullOrEmpty($CollectionName)) -and ([string]::IsNullOrEmpty($ComputerName))) {

    Import-Module ((Split-Path $env:SMS_ADMIN_UI_PATH)+"\ConfigurationManager.psd1")
    Set-Location -Path WNP:
    $CollectionID = Get-CMDeviceCollection -Name $CollectionName | Select CollectionID
    $ComputerList = (Get-CMDevice -CollectionId $CollectionID.CollectionID).Name

}

If ((![string]::IsNullOrEmpty($ComputerName)) -and ([string]::IsNullOrEmpty($CollectionName)))  {

    $ComputerList = $ComputerName

}

ForEach ($Computer in $ComputerList){
    Invoke-Command -ScriptBlock {GPResult /r} -ComputerName $Computer 
    Get-GPResultantSetOfPolicy -Path c:\Temp\Report\$Computer.html -ReportType HTML -Computer $Computer
    }
}

Open in new window



Any ideas of how I could get the RSoP?
0
Comment
Question by:JamesonJendreas
2 Comments
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
Comment Utility
There are a couple different potential causes for the error.
1. Script execution on the servers is prohibiting the execution of the invoke-command cmdlet against that server. You can determine if this is the cause by running enter-pssession <servername>
If it lets you access the remote server's powershell session when you do that, then the execution policy is blocking you and you'll need to change the configuration to allow remote script execution.
2. WinRM isn't configured on the servers. If you attempt the enter-possession cmdlet and it fails to connect, this is the most likely cause. Running winrmquickconfig on each of the servers will resolve this. WinRM is *not* enabled by default, so it's very likely that no one enabled it in the first place. You can do this with a group policy as well, but it sounds like you're trying to avoid that :D
0
 
LVL 1

Author Comment

by:JamesonJendreas
Comment Utility
Thank You Adam - That was my assumption.  I am opting out of running the WinRM config for now.  Once I have an idea of how my GPO's are spread, then I will addressing WinRM from a OU/GPO

I have a workaround  I will be importing all my servers into Remote Desktop Connection Manager (in large groups), and use the "Connection Settings" and use "Start Program" gpresult.exe /r.  This will allow me to bulk-login (using the Connect Group and Disconnect group) and auto-populate the GP info.  Then i will run the script without the invoke-command line.

Cheers
JJ
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now