EvotecIT / GPOZaurr
- среда, 27 января 2021 г. в 00:27:38
https://github.com/EvotecIT/GPOZaurr
PowerShell
Group Policy Eater is a PowerShell module that aims to gather information about Group Policies but also allows fixing issues that you may find in them.
GPOZaurr
Table of Contents
Installing
GPOZaurr requires RSAT installed to provide results. If you don't have them you can install them as below. Keep in mind it also installs GUI tools so it shouldn't be installed on user workstations.
# Windows 10 Latest
Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
Add-WindowsCapability -Online -Name 'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0'Finally just install module:
Install-Module -Name GPOZaurr -AllowClobber -ForceForce and AllowClobber aren't necessary, but they do skip errors in case some appear.
Updating
Update-Module -Name GPOZaurrThat's it. Whenever there's a new version, you run the command, and you can enjoy it. Remember that you may need to close, reopen PowerShell session if you have already used module before updating it.
The essential thing is if something works for you on production, keep using it till you test the new version on a test computer. I do changes that may not be big, but big enough that auto-update may break your code. For example, small rename to a parameter and your code stops working! Be responsible!
Resources
To understand the usage I've created blog post you may find useful
Changelog
- 0.0.113 - 2021.01.25
- Improved
Invoke-GPOZaurr- Report GPOAnalysis - added WindowsTimeService
- Improved
Invoke-GPOZaurrContent- Added
WindowsTimeServicetype
- Added
- Improved
- 0.0.112 - 2021.01.25
- Improved
Invoke-GPOZaurr
- Improved
- 0.0.111 - 2021.01.24
- Improved
Invoke-GPOZaurr
- Improved
- 0.0.110 - 2021.01.22
- Improved
Invoke-GPOZaurr
- Improved
- 0.0.109 - 2021.01.11
- Improved
Invoke-GPOZaurr
- Improved
- 0.0.108 - 2021.01.11
- Improved
Invoke-GPOZaurr- Improved
GPOConsistency
- Improved
- Improved
- 0.0.107 - 2021.01.11
- Improved
Invoke-GPOZaurr
- Improved
- 0.0.106 - 2021.01.11
- Improved
Invoke-GPOZaurrContent
- Improved
- 0.0.105 - 2021.01.05
- Improved
Get-GPOZaurr- Improved report
GPOBrokenLink
- Improved report
- Improved
- 0.0.104 - 2021.01.04
- Improved
Get-GPOZaurrBrokenLink - Improved
Repair-GPOZaurrBrokenLink - Improved
Get-GPOZaurr- Improved report
GPOBrokenLink
- Improved report
- Improved
- 0.0.103 - 2021.01.04
- Improved
Get-GPOZaurr- Added new report
GPOBrokenLink
- Added new report
- Added
Get-GPOZaurrBrokenLink - Added
Repair-GPOZaurrBrokenLink
- Improved
- 0.0.102 - 2021.01.02
- Improved
Get-GPOZaurrLink- Supports all links across forest
- Renamed Linked validate set from
OthertoOrganizationalUnit
- Improved
Get-GPOZaurrLinkSummary - Improved/BugFix
Get-GPOZaurrto properly detect linked GPOs in sites/cross-domain - Improved
Invoke-GPOZaurrPermission- Renamed Linked validate set from
OthertoOrganizationalUnit
- Renamed Linked validate set from
- Improved
Invoke-GPOZaurr- Added
GPOLinksbasic list
- Added
- Improved
- 0.0.101 - 23.12.2020
- Improved
Get-GPOZaurrBroken- It now detects
ObjectClass Issue - Heavily improved performance
- Removed some useless properties for this particular cmdlet
- All states:
Not available on SYSVOL,Not available in AD,Exists,Permissions Issue,ObjectClass Issue - Improved help
- It now detects
- Improved
Remove-GPOZaurrBroken- It now deals with
ObjectClass Issue - Heavily improved performance
- Removed some useless properties for this particular cmdlet
- Now requires manual type insert AD, SYSVOL or ObjectClass (or all of them). Before it was auto using AD/SYSVOL.
- Improved help
- It now deals with
- Improved
Invoke-GPOZaurr- Type
GPOList - Renamed
GPOOrphanstoGPOBroken - Improved
GPOBrokenwithObjectClass issue
- Type
- Improved
- 0.0.100 - 21.12.2020
- Improved
Invoke-GPOZaurr- Type
GPOPermissionsRead - Type
GPOPermissions
- Type
- Improved
- 0.0.99 - 13.12.2020
- Improved
Invoke-GPOZaurr- Type
GPOList- require GPO to be 7 days old for deletion to be proposed - Type
GPOPermissions- one stop for permissions - Allows Steps to be chosen via their menu and out-of-order
- Type
- Improved
Remove-GPOZaurr- addedRequireDaysparameter to prevent deletion of just modified GPOs - Added
Get-GPOZaurrPermissionAnalysis - Added
Repair-GPOZaurrPermission
- Improved
- 0.0.98 - 10.12.2020
- Improved
Invoke-GPOZaurr- Type
GPOList- fixed unexpected ending of cmdlet when error occurs (for example deleted GPO while script is running) which could impact results - Other types - small color adjustment
- Type
- Fixed/Improved
Get-GPOZaurr- fixed unexpected ending of cmdlet when error occurs (for example deleted GPO while script is running), improved code base - Improved
Invoke-GPOZaurrSupport
- Improved
- 0.0.97 - 07.12.2020
- Improved
Invoke-GPOZaurr- Type
GPOList- added more data, did small reorganization
- Type
- Improved
- 0.0.96 - 07.12.2020
- Improved
Invoke-GPOZaurr- Type
GPOList- added more data, added Optimization Step
- Type
- Added
Set-GPOZaurrStatus - Added
Optimize-GPOZaurr - Fixed
Invoke-GPOZaurrPermissionwhich would not remove permission due to internal changes earlier on - Small change to
Backup-GPOZaurr- Added support for
Disabled. It's now possbile to backupAll(default),Empty,Unlinked,Disabledor a mix of them - Removed useless
GPOPathparameter
- Added support for
- Improved
- 0.0.95 - 04.12.2020
- Fix for too big int - #4 - tnx neztach
- Improved
Invoke-GPOZaurr- Type
GPOList- added ability for Exclusions - All other types, small improvements
- Added HideSteps, ShowError, ShowWarning -> Disabled Warnings/Errors by default as they tend to show too much information
- Type
- Improved
Remove-GPOZaurr- added Exclusions
- 0.0.93 - 03.12.2020
- Improved
Invoke-GPOZaurr- Type
GPOListreverted charts colors for entries to match colors - Added
Skip-GroupPolicyto use withinInvoke-GPOZaurr
- Type
- Improved
Invoke-GPOZaurrwith basic support for Exclusions - Improved
Get-GPOZaurrwith basic support for Exclusions - Improved
Remove-GPOZaurrPermissionerror handling
- Improved
- 0.0.92 - 01.12.2020
- Improved
Invoke-GPOZaurrSupport - Improved
Invoke-GPOZaurr- Type
GPOListimproved with more data, more problems and clearer information
- Type
- Improved
Remove-GPOZaurr- Added ability do remove disabed GPO
- Improved
Get-GPOZaurrdetecting more issues, delivering more data
- Improved
- 0.0.91 - 24.11.2020
- Improves
Invoke-GPOZaurr(WIP)- Improve Type
GPOPermissionsUnknown
- Improve Type
- Improves
- 0.0.90 - 23.11.2020
- Improves
Invoke-GPOZaurr(WIP)- Improves Type
GPODuplicates- Fix for chart color to be RED
- Add Type
GPOPermissionsUnknown - Improves logic for Data with 0/1 element
- Improves Type
- Improves
Remove-GPOZaurrDuplicateObject- removedConfirmrequirement - Improves
Get-GPOZaurrNetLogonwith more verbose - Improves
Repair-GPOZaurrNetLogonOwnerwith more verbose and fix forLimitProcessing
- Improves
- 0.0.89 - 22.11.2020
- Small update
Add-GPOZaurrPermission - Improves
Invoke-GPOZaurr(WIP)- Added Type
GPOPermissionsAdministrative
- Added Type
- Small update
- 0.0.88 - 18.11.2020
- Fix for
Add-GPOZaurrPermission
- Fix for
- 0.0.87 - 18.11.2020
- Improve error handling
Remove-GPOZaurrBroken
- Improve error handling
- 0.0.86 - 18.11.2020
- Improve error handling
Remove-GPOZaurrBroken
- Improve error handling
- 0.0.85 - 17.11.2020
- Improves
Invoke-GPOZaurr(WIP)- Split
NetLogonPermissionsintoNetLogonPermissionsandNetLogonOwners - Improved type
NetLogonPermissions - Improved type
NetLogonOwners
- Split
- Improves
Get-GPOZaurrFiles - Improves
Get-GPOZaurrNetLogon - Fix for
Get-GPOZaurrNetLogon
- Improves
- 0.0.84 - 16.11.2020
- Improves
Invoke-GPOZaurr(WIP)- Type
NetLogonPermissions
- Type
- Fix for
Get-GPOZaurrNetLogon
- Improves
- 0.0.83 - 14.11.2020
- Improves
Invoke-GPOZaurr(WIP)- Fix for wrong ActionRequired count
- Improves
- 0.0.82 - 14.11.2020
- Added
Get-GPOZaurrPermissionIssueto detect permission issue with no rights - Improves
Invoke-GPOZaurr(WIP)- Type
GPOPermissionsReadimproved detection of problems with low permissions
- Type
- Added
- 0.0.81 - 12.11.2020
- Fix for
Set-GPOZaurrOwnerin case of missing permissions to not throw errors - Improves
Invoke-GPOZaurr(WIP)- Type
GPOPermissionsReadadded
- Type
- Fix for
- 0.0.80 - 12.11.2020
- Improves
Invoke-GPOZaurr(WIP)- Type
GPOOrphansclearer options, updated texts, split per domain - Type
GPOOwnersclearer options, updated texts, split per domain
- Type
- Improves
Add-GPOZaurrPermission- Fixes LimitProcessing to work correctly
- Added
Allto process all GPOs
- Fixes
Remove-GPOZaurrPermission - Improves
Set-GPOZaurrOwner- Added
Forceto forceGPO Ownerto any principal (normally only Domain Admins)
- Added
- Improves
- 0.0.79 - 10.11.2020
- Improved
Invoke-GPOZaurr- typeGPOOrphans
- Improved
- 0.0.78 - 10.11.2020
- Improved
Remove-GPOZaurrBrokenmore verbose - Improved
Get-GPOZaurrBrokenmore verbose - Improved
Invoke-GPOZaurr- typeGPOOrphans - Improved
Invoke-GPOZaurr- typeGPOList- needs more work - Improved
Get-GPOZaurrwith better detection of Empty Policies (needs testing)
- Improved
- 0.0.77 - 9.11.2020
- Improved
Invoke-GPOZaurr(WIP)
- Improved
- 0.0.76 - 8.11.2020
- Improved
Get-GPOZaurrNetLogonto better handle errors
- Improved
- 0.0.75 - 8.11.2020
- Improved
Get-GPOZaurrPermissionConsistencyto stop checking consistency if path doesn't exists
- Improved
- 0.0.74 - 8.11.2020
- Improved
Invoke-GPOZaurr(WIP)
- Improved
- 0.0.73 - 7.11.2020
- Improved
Invoke-GPOZaurr(WIP) - Improved
Get-GPOZaurr
- Improved
- 0.0.72 - 6.11.2020
- Improved
Invoke-GPOZaurr(WIP)
- Improved
- 0.0.71 - 3.11.2020
- Improved
Invoke-GPOZaurr(WIP)
- Improved
- 0.0.70 - 29.10.2020
- Added
Get-GPOZaurrDuplicateObject - Added
Remove-GPOZaurrDuplicateObject
- Added
- 0.0.69 - 29.10.2020
- Improved
Invoke-GPOZaurr(WIP) - Improved
Get-GPOZaurrNetLogon - Improved
Get-GPOZaurrOwner - Improved
Set-GPOZaurrOwner - Added
Repair-GPOZaurrNetLogonOwner - Improved
Invoke-GPOZaurr(WIP)
- Improved
- 0.0.68 - 28.10.2020
- Renamed
Show-GPOZaurrtoInvoke-GPOZaurr - Renamed
Invoke-GPOZaurrtoInvoke-GPOZaurrContent - Improvements to
Get-GPOZaurrPermissionConsistency- don't check for inherited permissions if top level ones are inconsistent - Improved
Invoke-GPOZaurr(WIP)
- Renamed
- 0.0.67 - 22.10.2020
- Improved
Show-GPOZaurr(WIP)
- Improved
- 0.0.66 - 22.10.2020
- Improved
Show-GPOZaurr(WIP)
- Improved
- 0.0.65 - 22.10.2020
- Improved
Show-GPOZaurr(WIP)
- Improved
- 0.0.64 - 21.10.2020
- Renamed
Remove-GPOZaurrOrphanedtoRemove-GPOZaurrBrokenkeeping it as an alias - Renamed
Get-GPOZaurrSysvoltoGet-GPOZaurrBrokenkeeping it as an alias - Improved
Show-GPOZaurr(WIP)
- Renamed
- 0.0.63 - 19.10.2020
- Renamed
Invoke-GPOZaurrContentback toInvoke-GPOZaurr - Added
Show-GPOZaurr(WIP) - Added
OutputType,OutputType,Open,Onlineparameters toInvoke-GPOZaurr - Added
Get-GPOZaurrNetLogon - Improved
Get-GPOZaurrOwner - Fixes
Get-GPOZaurrSysvol
- Renamed
- 0.0.62 - 14.10.2020
- Renamed
Invoke-GPOZaurrtoInvoke-GPOZaurrContent- I want to useInvoke-GPOZaurrfor something else - Improvements to
Get-GPOZaurrPermissionConsistencyfor GPOs without SYSVOL to be reported properly - Added
Get-GPOZaurrPermissionRoot - Renamed
Remove-GPOZaurrOrphanedSysvolFolderstoRemove-GPOZaurrOrphaned - Improved
Remove-GPOZaurrOrphanedto deal with orphaned folders but also orphaned AD GPO (No sysvol data) - Improved
Get-GPOZaurrSysVolto detect orphaned SYSVOL or AD GPO objects - Improved
Get-GPOZaurrSysVolto detect permissions issue when reading AD GPO objects - Added
Get-GPOZaurrPermissionRootto show which users/groups have control over all GPOs (allowed to create/modify) - Improved
Get-GPOZaurrPermissionSummaryto includeGet-GPOZaurrPermissionRootcustom permissions - Updated
Remove-GPOZaurrPermission - Updated
Get-GpoZaurrPermission - Updated
Get-GPOZaurrFilesto better handle access issue - Reversed parameters
Get-GPOZaurrFilesfromLimitedtoExtendedMetaDataand fixed missing columns
- Renamed
- 0.0.61 - 31.08.2020
- Improvement to
Get-GPOZaurrPermissionSummary - Fixes to
ConvertFrom-CSExtension - Fixes to
Find-CSExtension
- Improvement to
- 0.0.59 - 26.08.2020
- Improvement to
Get-GPOZaurrPermissionSummary
- Improvement to
- 0.0.58 - 26.08.2020
- Improvement to
Get-GPOZaurrPermissionSummary
- Improvement to
- 0.0.57 - 26.08.2020
- Improvement to
Get-GPOZaurrPermissionSummary
- Improvement to
- 0.0.56 - 26.08.2020
- Added
Get-GPOZaurrPermissionSummary
- Added
- 0.0.55 - 17.08.2020
- Improved
Get-GPOZaurrInheritance
- Improved
- 0.0.54 - 16.08.2020
- Added
Invoke-GPOZaurrSupport(WIP) - Added
ConvertFrom-CSExtension - Added
Find-CSExtension - Added
Get-GPOZaurrInheritance
- Added
- 0.0.53 - 16.08.2020
- Bad release
- 0.0.52 - 16.08.2020
- Bad release
- 0.0.51 - 2.08.2020
- Updates to
Invoke-GPOZaurr- still work in progress - Added
Get-GPOZaurrSysvolDFSR - Added
Clear-GPOZaurrSysvolDFSR(requires testing)
- Updates to
- 0.0.50 - 29.07.2020
- Updates to couple of commands
- 0.0.49 - 23.07.2020
- Hidden files were skipped - and people do crazy things with them
- 0.0.48 - 21.07.2020
- Added
Get-GPOZaurrFilesPolicyDefinition - Updates to
Invoke-GPOZaurr- still work in progress - Updates to
Get-GPOZaurrFiles- still work in progress - Updates to
Remove-GPOZaurrOrphanedSysvolFolderswith backup and support for domains - Module will now be signed
- Added
- 0.0.47 - 29.06.2020
- Update to
Get-GPOZaurrADfor better error reporting - Updates to
Invoke-GPOZaurr- still work in progress
- Update to
- 0.0.46 - 28.06.2020
- Additional protection for
Get-GPOZaurrADfor CNF duplicates - Update to
Save-GPOZaurrFiles - Added
Invoke-GPOZaurr(alias:Find-GPO) (heavy work in progress)
- Additional protection for
- 0.0.45 - 26.06.2020
- During publishing ADEssentials required functions are now merged to prevent cyclic dependency bug Using ModuleSpec syntax in RequiredModules causes incorrect "cyclic dependency" failures
- 0.0.44 - 24.06.2020
- Improvement to
Get-GPOZaurrLinkSummary
- Improvement to
- 0.0.43 - 21.06.2020
- Added
Get-GPOZaurrFilesto list files on NETLOGON/SYSVOL shares with a lot of details
- Added
- 0.0.42 - 19.06.2020
- Fix for
Get-GPOZaurrLinkandSearchBaseparameter - Fix for
Get-GPOZaurrLink- canonical link Trim() throwing errors if empty
- Fix for
- 0.0.41 - 18.06.2020
- Added paramerter
SkipDuplicatestoInvoke-GPOZaurrPermissionwhich prevents applying permissions over and over again if 1 GPO is linked to a multiple OU's within another OU
- Added paramerter
- 0.0.40 - 18.06.2020
- Fix for error
Get-GPOZaurrLink- same issue as described on my earlier blog - Get-ADObject : The server has returned the following error: invalid enumeration context..WARNING: Get-GPOZaurrLink - Processing error The server has returned the following error: invalid enumeration context.WARNING: Get-GPOZaurrLink - Processing error A referral was returned from the server
- Added
SkipDuplicatesforGet-GPOZaurrLink
- Fix for error
- 0.0.39 - 17.06.2020
- Updates to
Invoke-GPOZaurrPermissionwith new parameterLimitAdministrativeGroupsToDomain- This will get administrative based on IncludeDomains if given. It means that if GPO has Domain admins added from multiple domains it will only find one, and remove all other Domain Admins (if working with Domain Admins that is)
- Updates to
- 0.0.38 - 17.06.2020
- Update to Get-PrivGPOZaurrLink which would cause problems to
Invoke-GPOZaurrPermissionif it would be run without Administrative permission and GPO wouldn't be accessible for that user
- Update to Get-PrivGPOZaurrLink which would cause problems to
- 0.0.37 - 16.06.2020
- Updates to
Invoke-GPOZaurrPermissionwith new parametersetLevel - Updates to
Get-GPOZaurrLinkSummary
- Updates to
- 0.0.36 - 15.06.2020
- Initial release