- Consolidating Group Policy, part 3: Loopback policy processing and folder redirection - Wed, Aug 25 2021
- Consolidating Group Policy, part 2: GPOZaurr - Thu, Aug 19 2021
- Consolidating Group Policy, part 1: Get-GpoReport and Advanced Group Policy Management (AGMC) - Wed, Aug 18 2021
Installing GPOZaurr ^
You need RSAT installed to support GPOZaurr; after that, you can simply add the module from PowerShell.
Install-Module -Name GPOZaurr -Force
If you're unable to contact the PowerShell gallery, then you can download the modules on a separate workstation and copy them to the target before installing the module.
The module has many reports that you can use, which are laid out in the second link above. However, in most cases, you can simply generate a full report by running Invoke-GPOZaurr.
Generating reports ^
Once the command has finished executing, an interactive HTML report will be generated. This has many output sections that can be browsed, each of which provides different data sets. Each tabbed section is shown below.
There is also a "Summary" section that provides a handy overview of the report and its recommendations.
Another excellent feature of GPOZaurr is the ability to export any of the report sections to CSV (for manipulation in Excel), PDF, or HTML format. This allows you to pull out certain subsets of data and then produce more granular information. For instance, I have used it to look at data from the Group Policy Content section and then filter it by Drive Mappings to obtain a list of UNC paths that are being mapped via GP before exporting to CSV. This allowed me to identify any invalid or inaccessible drive mappings being delivered to the users.
Looking through the data available in this HTML file gives you fantastic insight into the setup and configuration of your Group Policies. There are some annoyances (such as spelling and grammatical mistakes) that can be chalked up to the author not having English as a first language, but you can easily tidy these up by editing the HTML directly. Of particular interest to me is the Group Policy Content section, which provides a wealth of data that can be perused or exported.
One cautionary mention is that GPOZaurr also provides links to remediation for things such as invalid GPOs or broken links. I would not recommend using this functionality—use the data that has been identified to feed into formal change controls for the removal of GPOs rather than using the tool to do them directly. As such, you should be careful who you provide the raw HTML data to—it is much safer to export the highlights to Excel or PDF for distribution purposes. If you want to avoid the remediation links and distribute HTML, however, you can simply run the tool with the -HideSteps parameter specified.
Some of the report sections that GPOZaurr outputs are immediately usable, whereas others require more detailed review. It is up to you how you use the data; you can filter and crunch it in any way you please. What I have suggested below is simply a list of guidelines. There are many more things you can achieve!
Finding broken GPOs ^
Broken or dead links are instantly identified.
The tool also pulls out GPOs that are disabled, duplicated, unlinked, empty, that have sections with disabled content, that users have no permissions to apply, and that have incorrect permissions. This gives a whole load of data that can be quickly verified and fed into a process to remove or disable policies that are not applied for a multitude of reasons. This should be properly validated and change reviewed, as shown in the process below. And it is always prudent to rerun the GPOZaurr utility before making any changes to make sure no one has altered the policies in the meantime.
In large enterprise environments, this stage of consolidation usually produces at least a few hundred policy objects that can potentially be removed. Once the "quick wins" are done, you can now move on to the slightly more time-consuming phases.
Finding disabled GPOs ^
First, there will be GPOs identified that have sections (either Computer or User Config) that are disabled but contain content. GPOZaurr will flag these, but they will need a manual review process to verify whether disabled content is required or not.
Finding GPOs with invalid security filters ^
Next is the specter of invalid security filters. Older GP implementations typically have more of these. Several years ago, Microsoft changed the way that the user Group Policy is applied via a security update. Some of the user processing is now done in the device context. This means that if you are filtering a GPO by user or group (and Authenticated Users is not present), then the Domain Computers group (or a list of computer accounts) must be present in order for the filter to successfully apply. GPOs that do not have Authenticated Users or a list of computer accounts specified on the Security Filter cannot be processed.
GPOZaurr outputs a report of "Group Policy Authenticated Users Permissions," which narrows the list down to policies that don't have Authenticated Users present, but each one of these must be checked manually for a group of computers being specified.
If there are no computer groups or accounts present on the Security Filter, however, this indicates that the GPO has an invalid security filter and should be either remediated or removed.
You can also apply custom Search Builder conditions to the GPOZaurr data to produce more targeted inquiries. I used this to filter the summary data down into those policies containing WMI filters. It is useful to view and verify these to ensure that they are still applicable and don't take a long time to apply (Product Class is a well-known WMI filter that will cause particular issues).
Finding inapplicable GPOs ^
For the final part of the medium-term remediation, you can assess whether GPO settings are inapplicable. Many GPOs, for instance, apply only to particular operating systems or software versions (such as settings that only apply to Windows XP and Server 2003). These settings, if present, will still be applied (they are just registry entries), but are essentially ignored. Therefore, it is useful to identify and remediate these.
This is one area where, surprisingly, GPOZaurr does not offer much. However, Microsoft also has the Policy Analyzer tool available, which may help with this in enterprise environments. This tool compares GPOs to look for invalid settings.
Once you have identified any invalid legacy policies (whether by using Policy Analyzer or by manual review), you can then feed the policies into the usual change review process to get them removed.
Subscribe to 4sysops newsletter!
In my next post, I will cover Loopback Policy Processing, Folder Redirection, and your monthly Group Policy clean-up tasks.