Forked from OmerMicrosoft/Get-GPMissingPermissionsGPOs.ps1
Last active
January 2, 2019 01:22
Find Group Policies with Missing Permissions
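function Get-GPMissingPermissionsGPOs
{
  <#
    .SYNOPSIS
    Find Group Policy Objects with missing permissions

    .DESCRIPTION
    Find Group Policy Objects that do not grant any permissions to the
    'Authenticated Users' or 'Domain Computers' groups.

    Only GPOs whose user configuration is enabled are inspected. For each
    inspected GPO the trustee list is read once via Get-GPPermission -All and
    checked for both group names; a GPO with neither trustee is reported.

    Affected GPOs are reported through Write-Warning (one warning per GPO).
    When no affected GPO is found a single confirmation string is written to
    the output stream. A GPO whose permissions cannot be read is reported
    through Write-Warning and skipped, because its state is unknown.

    .EXAMPLE
    PS C:\> Get-GPMissingPermissionsGPOs

    .NOTES
    Reworked and tweaked function by Omer (Microsoft Premier Field Engineer)
    Requires the GroupPolicy module (Get-GPO, Get-GPPermission).

    .LINK
    https://blogs.technet.microsoft.com/meamcs/2018/12/31/most-common-mistakes-in-active-directory-and-domain-services-part-1/

    .LINK
    https://gist.github.com/OmerMicrosoft/4eda2010c5810dc0e54225cc400211fd
  #>
  [CmdletBinding(ConfirmImpact = 'None')]
  [OutputType([string])]
  param ()

  begin
  {
    # Define some defaults
    $SC = 'SilentlyContinue'
    $STP = 'Stop'

    # Create a new Object for a possible list of crappy Group Policies
    $MissingPermissionsGPOArray = (New-Object -TypeName System.Collections.ArrayList)

    try
    {
      # Splat the parameters to get all Group Policies
      $paramGetGPO = @{
        All           = $true
        ErrorAction   = $STP
        WarningAction = $SC
      }
      $GPOs = (Get-GPO @paramGetGPO)
    }
    catch
    {
      # -ErrorAction Stop makes this a terminating error, so no further
      # statement is needed to leave the function.
      Write-Error -Message 'Unable to get Group Policies' -ErrorAction $STP
    }
  }

  process
  {
    foreach ($GPO in $GPOs)
    {
      # Only GPOs with user settings enabled are inspected, as in the original.
      # The linked blog post gives the background; presumably this is the
      # MS16-072 behaviour where user policy is read under the computer
      # account - confirm against the post before widening the check.
      if (-not $GPO.User.Enabled)
      {
        continue
      }

      # Reset per GPO. Without this, a failed Get-GPPermission call would leave
      # the trustee list of the PREVIOUS GPO in these variables and the check
      # below would judge this GPO by someone else's permissions.
      $GPOTrustees = $null
      $GPOPermissionForAuthUsers = $null
      $GPOPermissionForDomainComputers = $null

      # Splat for reuse
      $paramGetGPPermission = @{
        Guid          = $GPO.Id
        All           = $true
        ErrorAction   = $STP
        WarningAction = $SC
      }

      try
      {
        # Read the trustee list once and filter it twice below
        # (the original queried the same GPO twice, once per group).
        $GPOTrustees = (Get-GPPermission @paramGetGPPermission | Select-Object -ExpandProperty Trustee)
      }
      catch
      {
        # The permission state of this GPO is unknown: say so (naming the GPO)
        # and skip it rather than reporting it as missing permissions.
        Write-Warning -Message ("Unable to check Group Policy '{0}' for Users and Computers Permission" -f $GPO.DisplayName)
        continue
      }

      # NOTE(review): only the presence of the trustee is tested, not the
      # granted permission level or a Deny entry. Whether the Permission /
      # Denied properties of the Get-GPPermission output should be inspected
      # too is left as in the original - confirm with the blog post.
      $GPOPermissionForAuthUsers = ($GPOTrustees | Where-Object -FilterScript {
          $_.Name -eq 'Authenticated Users'
        })
      $GPOPermissionForDomainComputers = ($GPOTrustees | Where-Object -FilterScript {
          $_.Name -eq 'Domain Computers'
        })

      if ((-not $GPOPermissionForAuthUsers) -and (-not $GPOPermissionForDomainComputers))
      {
        $null = $MissingPermissionsGPOArray.Add($GPO)
      }
    }
  }

  end
  {
    # Reporting moved to the end block: the function takes no pipeline input,
    # so process runs exactly once and the result is identical, but the
    # summary now clearly happens after all GPOs have been inspected.
    if ($MissingPermissionsGPOArray.Count -ne 0)
    {
      foreach ($GPOWithMissingPermissions in $MissingPermissionsGPOArray)
      {
        Write-Warning -Message ("The Group Policy {0} do not grant any permissions to the 'Authenticated Users' or 'Domain Computers' groups" -f $GPOWithMissingPermissions.DisplayName)
      }
    }
    else
    {
      Write-Output -InputObject 'All Group Policy Objects grant required permissions. No issues were found.'
    }
  }
}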
Reworked and tweaked version of the function by @OmerMicrosoft (Microsoft Premier Field Engineer)
I like the basic idea, and the tweaks are just to keep the code consistent with my other stuff.