JamesonJendreas
PowerShell to Audit GPO's

I have recently taken ownership of an AD domain. The domain had previously been managed by numerous people, all with differing approaches, resulting in extremely varied GPO application across the domain. Each server is in its own OU. Some have GPOs applied, some do not. I am currently only worried about servers (mainly 2008 but I digress). I also have System Center configured (which I plan to use in this process).

I created a PowerShell script to create an HTML GPO report. My issue - I am using the Get-GPResultantSetOf cmdlet to gather GPResults. This will fail if the user account I am running the script under has not run a "gpresult /r" from that server. As I am a new admin, I have certainly not done this (and I would like fresh data).

So I added the line:

Invoke-Command -ScriptBlock {GPResult /r} -ComputerName $Computer

But this seems to fail due to... security policies (applied by the very GPOs I am trying to audit!). Here's the error:


PS WNP:\> WC-GPAudit -CollectionName WC-test
[SERVERNAME] Connecting to remote server SERVERNAME failed with the following error message : WinRM cannot complete the operation. Verify that the specified 
computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this 
computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the 
about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (SERVERNAME:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionStateBroken

And the PowerShell Script:
function WC-GPAudit {
    Param (
        [Parameter(Mandatory=$False)]
        [String]$CollectionName,

        [Parameter(Mandatory=$False)]
        [String[]]$ComputerName
    )

    Import-Module GroupPolicy

    # Resolve the target list from a ConfigMgr device collection when only a collection name is given.
    If ((![string]::IsNullOrEmpty($CollectionName)) -and ([string]::IsNullOrEmpty($ComputerName))) {
        Import-Module ((Split-Path $env:SMS_ADMIN_UI_PATH) + "\ConfigurationManager.psd1")
        Set-Location -Path WNP:   # site-code drive created by the ConfigMgr module
        $CollectionID = Get-CMDeviceCollection -Name $CollectionName | Select CollectionID
        $ComputerList = (Get-CMDevice -CollectionId $CollectionID.CollectionID).Name
    }

    # Otherwise use the explicit computer list passed in.
    If ((![string]::IsNullOrEmpty($ComputerName)) -and ([string]::IsNullOrEmpty($CollectionName))) {
        $ComputerList = $ComputerName
    }

    ForEach ($Computer in $ComputerList) {
        # Refresh the RSoP logging data on the target; this is the call that fails over WinRM.
        Invoke-Command -ScriptBlock {GPResult /r} -ComputerName $Computer
        # Path is quoted so $Computer expands reliably into the report file name.
        Get-GPResultantSetOfPolicy -Path "c:\Temp\Report\$Computer.html" -ReportType HTML -Computer $Computer
    }
}

Any ideas of how I could get the RSoP?
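One way to keep the audit moving when the WinRM exception is blocked on some servers, as an added example that is not part of the original post or the asker's script: probe the WinRM listener first, record the outcome per server, and still attempt the RSoP report so the audit doubles as an inventory of which servers cannot be reached. The function name `Get-WCGPAuditStatus`, the `$ReportRoot` default and the status object layout are assumptions of this example.

```powershell
function Get-WCGPAuditStatus {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$ReportRoot = 'C:\Temp\Report'   # assumed output folder for the HTML reports
    )
    Import-Module GroupPolicy
    New-Item -ItemType Directory -Path $ReportRoot -Force | Out-Null

    foreach ($Computer in $ComputerName) {
        # One status record per server; exported as a table at the end.
        $status = [pscustomobject]@{
            Computer   = $Computer
            WinRM      = $false
            GPResult   = $false
            RSoPReport = $null
            Error      = $null
        }

        # Only open a remoting session when the listener answers, so a blocked
        # WinRM firewall exception becomes a recorded finding instead of a long timeout.
        try {
            Test-WSMan -ComputerName $Computer -ErrorAction Stop | Out-Null
            $status.WinRM = $true
            Invoke-Command -ComputerName $Computer -ScriptBlock { gpresult.exe /r } -ErrorAction Stop | Out-Null
            $status.GPResult = $true
        } catch {
            $status.Error = $_.Exception.Message
        }

        # Attempt the RSoP report regardless of the WinRM result, so an unreachable
        # listener does not stop the audit for that server.
        try {
            $report = Join-Path $ReportRoot "$Computer.html"
            Get-GPResultantSetOfPolicy -Computer $Computer -ReportType Html -Path $report -ErrorAction Stop | Out-Null
            $status.RSoPReport = $report
        } catch {
            $status.Error = (@($status.Error, $_.Exception.Message) | Where-Object { $_ }) -join '; '
        }

        $status
    }
}
```

Piping the output to `Export-Csv -NoTypeInformation` gives a per-server list of where WinRM is blocked, which is the same set of OUs that will need a WinRM GPO later.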
ASKER CERTIFIED SOLUTION
Adam Brown
JamesonJendreas

ASKER

Thank You Adam - That was my assumption. I am opting out of running the WinRM config for now. Once I have an idea of how my GPOs are spread, then I will address WinRM from an OU/GPO

I have a workaround: I will be importing all my servers into Remote Desktop Connection Manager (in large groups), and use the "Connection Settings" and "Start Program" to run gpresult.exe /r. This will allow me to bulk-login (using the Connect Group and Disconnect Group) and auto-populate the GP info. Then I will run the script without the Invoke-Command line.

Cheers
JJ