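Medium and large enterprises set up many Group Policy objects (GPOs) for day-to-day operations and administration, and inevitably some of them become obsolete, so the Group Policy configuration needs to be cleaned up regularly. Exporting HTML reports is the usual way to help analyze it: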
#1
First, load the GroupPolicy module:

```powershell
Import-Module GroupPolicy
```

Export all GPOs into a single HTML report:

```powershell
Get-GPOReport -All -ReportType html -Path C:\GPOReports\GposReport.html
```
#2
Export each GPO to its own HTML report:

```powershell
# One report file per GPO, named after the GPO's display name
Get-GPO -All | ForEach-Object {
    Get-GPOReport -Name $_.DisplayName -ReportType html -Path ("c:\GPOReports\" + $_.DisplayName + ".html")
}
```
#3
Find every GPO that has all of its settings disabled:

```powershell
$reportFile = "c:\GPOReports\AllSettingsDisabledGpos.csv"
Set-Content -Path $reportFile -Value ("GPO Name,Settings")
# Keep only GPOs whose user and computer settings are both disabled
Get-GPO -All | Where-Object { $_.GpoStatus -eq "AllSettingsDisabled" } | ForEach-Object {
    Add-Content -Path $reportFile -Value ($_.DisplayName + "," + $_.GpoStatus)
}
```
#4
Find GPOs that are not applied to any user:

```powershell
$reportFile = "c:\GPOReports\GPOApplyToPermissions.csv"
Set-Content -Path $reportFile -Value ("GPO Name,User/Group,Denied")
Get-GPO -All | ForEach-Object {
    $gpoName = $_.DisplayName
    [int]$counter = 0
    # Read the permission entries set on the GPO
    $security = $_.GetSecurityInfo()
    # List every trustee that holds the Apply permission
    $security | Where-Object { $_.Permission -eq "GpoApply" } | ForEach-Object {
        Add-Content -Path $reportFile -Value ($gpoName + "," + $_.Trustee.Name + "," + $_.Denied)
        $counter += 1
    }
    # No trustee holds the Apply permission
    if ($counter -eq 0) {
        Add-Content -Path $reportFile -Value ($gpoName + ",NOT APPLIED")
    }
}
```
#4
Get the GPOs with their links and WMI filters:

```powershell
$reportFile = "c:\GPOReports\GPOLinksAndWMIFilters.csv"
Set-Content -Path $reportFile -Value ("GPO Name,# Links,Link Path,Enabled,No Override,WMI Filter")
$gpmc = New-Object -ComObject GPMgmt.GPM
$constants = $gpmc.GetConstants()
Get-GPO -All | ForEach-Object {
    [int]$counter = 0
    [xml]$report = $_.GenerateReport($constants.ReportXML)
    try { $wmiFilterName = $report.GPO.FilterName } catch { $wmiFilterName = $null }
    # Outside strict mode a missing FilterName element yields $null, not an exception
    if (-not $wmiFilterName) { $wmiFilterName = "none" }
    # @() gives a dependable count even when the GPO has exactly one link
    $linkCount = @($report.GPO.LinksTo | Where-Object { $_.SOMPath }).Count
    $report.GPO.LinksTo | ForEach-Object {
        if ($_.SOMPath -ne $null) {
            $counter += 1
            Add-Content -Path $reportFile -Value ($report.GPO.Name + "," + $linkCount + "," + $_.SOMPath + "," + $_.Enabled + "," + $_.NoOverride + "," + $wmiFilterName)
        }
    }
    if ($counter -eq 0) {
        # Unlinked GPO: fill the three link columns, then the WMI filter column
        Add-Content -Path $reportFile -Value ($report.GPO.Name + "," + $counter + "," + "NO LINKS" + "," + "NO LINKS" + "," + "NO LINKS" + "," + $wmiFilterName)
    }
}
```
#5
Find the organizational units that block GPO inheritance:

```powershell
Import-Module ActiveDirectory
$reportFile = "c:\GPOReports\OUsWithBlockInharit.csv"
Set-Content -Path $reportFile -Value ("Block Inharitance OU Path")
# Replace DC=Your,DC=Domain with the distinguished name of your own domain
Get-ADOrganizationalUnit -SearchBase "DC=Your,DC=Domain" -Filter * | Get-GPInheritance | Where-Object { $_.GPOInheritanceBlocked } | ForEach-Object {
    Add-Content -Path $reportFile -Value ($_.Path)
}
```
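The checks above (all settings disabled, no Apply permission, no links) combined into a single pass that writes one row per cleanup candidate. This is an added example, not code from the original post. The output path, the reason labels and the extra version-0 check are assumptions made here, and `Export-Csv` is used so that display names containing commas do not break the columns.

```powershell
Import-Module GroupPolicy

$outFile = 'C:\GPOReports\GpoCleanupCandidates.csv'   # assumed output path

$rows = foreach ($gpo in Get-GPO -All) {
    # The XML report carries the link list (GPO/LinksTo elements)
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links        = @($report.GPO.LinksTo | Where-Object { $_.SOMPath })
    $enabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' })

    # Trustees holding an allow (not deny) Apply permission
    $applyTo = @($gpo.GetSecurityInfo() |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied })

    # Collect every reason this GPO looks unused (labels are illustrative)
    $reasons = @()
    if ($gpo.GpoStatus -eq 'AllSettingsDisabled') { $reasons += 'AllSettingsDisabled' }
    if ($links.Count -eq 0)                       { $reasons += 'NoLinks' }
    elseif ($enabledLinks.Count -eq 0)            { $reasons += 'AllLinksDisabled' }
    if ($applyTo.Count -eq 0)                     { $reasons += 'NotApplied' }
    # Version 0 on both halves means no setting was ever saved in the GPO
    if ($gpo.User.DSVersion -eq 0 -and $gpo.Computer.DSVersion -eq 0) {
        $reasons += 'VersionZero'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name     = $gpo.DisplayName
            Id       = $gpo.Id
            Modified = $gpo.ModificationTime
            Links    = $links.Count
            Reasons  = $reasons -join ';'
        }
    }
}

# Write the file only when at least one candidate was found
if ($rows) {
    $rows | Sort-Object Name |
        Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
}
```

A row in this file is a candidate for review, not proof that the GPO is unused: check the `Modified` date and the owning team before deleting anything.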
This article is reposted from the 51CTO blog of 惊艳了青春; original link: http://blog.51cto.com/djclouds/2089006. To republish it, please contact the original author.