I manage an Active Directory environment that’s over ten years old and has undergone a number of upgrades and transitions. Yesterday I found myself trying to clean up some groups that didn’t appear to be used for anything anymore, but I wanted to make sure I wasn’t missing anything. One task I needed to accomplish for this was to make sure there were no active GPOs applying to those AD groups.
The cool thing is, PowerShell makes that task pretty darn easy! I whipped up the function below (which relies on the Microsoft GroupPolicy cmdlets) and was able to find exactly the information I was looking for.
function Get-GroupPoliciesByGroup {
    param(
        [Parameter(Mandatory=$true)]
        [Alias("Name")]
        [string]$GroupName,
        [string]$Domain
    )
    # Load the GroupPolicy module if its cmdlets are not already available
    if ($null -eq (Get-Command Get-GPO -ErrorAction SilentlyContinue)) {
        Import-Module GroupPolicy
    }
    # Default to the domain of the current security context when none is given
    if ([string]::IsNullOrEmpty($Domain)) {
        $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    }
    $gpos = Get-GPO -All -Domain $Domain
    foreach ($gpo in $gpos) {
        # Only the "Apply Group Policy" ACE means the GPO is targeted at the trustee;
        # Read/Edit entries alone do not cause the policy to apply
        $secinfo = $gpo.GetSecurityInfo() | Where-Object { $_.Permission -eq "GpoApply" }
        foreach ($sec in $secinfo) {
            if ($sec.Trustee.Name -eq $GroupName) {
                # Emit the matching GPO object to the pipeline (rather than Out-Default)
                # so callers can capture, filter or export the results
                $gpo
            }
        }
    }
}
As you can see, it’s possible to pass this function a specific domain if desired. There are plenty of other ways to extend the function’s behavior as well, but the code above was enough to get me what I needed to know.
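One extension worth having before deleting a group is to check whether the GPOs that grant it GpoApply are actually linked and enabled anywhere, since an unlinked GPO applies to nobody. The script below is an added example (not the original function) that does that for a list of candidate groups; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, and the group names are constructed placeholders.

```powershell
# Added example: for each candidate group, list GPOs whose ACL grants it GpoApply
# and mark whether each such GPO is linked (and enabled) at the domain root or any OU.
# Assumes the GroupPolicy and ActiveDirectory modules; group names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$candidateGroups = @('Legacy-Desktop-Users', 'Old-Print-Operators')   # constructed placeholders
$domain = Get-ADDomain

# Build a lookup of GPO GUID -> link targets, covering the domain root and every OU
$linkTable = @{}
$targets = @($domain.DistinguishedName) +
           (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
foreach ($target in $targets) {
    foreach ($link in (Get-GPInheritance -Target $target).GpoLinks) {
        $key = $link.GpoId.ToString()
        if (-not $linkTable.ContainsKey($key)) { $linkTable[$key] = @() }
        $linkTable[$key] += [pscustomobject]@{ Target = $target; Enabled = $link.Enabled }
    }
}

$gpos = Get-GPO -All -Domain $domain.DNSRoot
$report = foreach ($group in $candidateGroups) {
    foreach ($gpo in $gpos) {
        # Same test as the original function: a GpoApply ACE held by this group
        $applies = $gpo.GetSecurityInfo() |
                   Where-Object { $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -eq $group }
        if (-not $applies) { continue }

        $links = $linkTable[$gpo.Id.ToString()]
        $linkedTo    = if ($links) { $links.Target -join '; ' } else { '<not linked>' }
        $linkEnabled = if ($links) { $links.Enabled -contains $true } else { $false }
        [pscustomobject]@{
            Group       = $group
            GPO         = $gpo.DisplayName
            GpoStatus   = $gpo.GpoStatus      # AllSettingsDisabled means nothing is applied
            LinkedTo    = $linkedTo
            LinkEnabled = $linkEnabled
        }
    }
}
$report | Sort-Object Group, GPO | Format-Table -AutoSize
```

A row with LinkEnabled false (or GpoStatus AllSettingsDisabled) is a GPO that names the group but is not currently in effect, so it should not by itself keep the group alive.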