GPOZaurr from Evotec IT is a PowerShell module that is very useful for consolidating and managing Group Policy. In this post, I will demonstrate how you can use GPOZaurr to create Group Policy reports and deal with broken, disabled, invalid, or inapplicable GPOs. This is the second post in my series about Group Policy consolidation.

Installing GPOZaurr ^

You need RSAT installed to support GPOZaurr; after that, you can simply add the module from PowerShell.

Install-Module -Name GPOZaurr -Force
Install GPOZaurr

Install GPOZaurr

If you're unable to contact the PowerShell gallery, then you can download the modules on a separate workstation and copy them to the target before installing the module.

Full details are provided on GitHub and in this blog post as well.

The module has many reports that you can use, which are laid out in the second link above. However, in most cases, you can simply generate a full report by running Invoke-GPOZaurr.

Generting a full report with Invoke GPOZaurr

Generting a full report with Invoke GPOZaurr

Generating reports ^

Once the command has finished executing, an interactive HTML report will be generated. This has many output sections that can be browsed, each of which provides different data sets. Each tabbed section is shown below.

GPOZaurr report sections

GPOZaurr report sections

There is also a "Summary" section that provides a handy overview of the report and its recommendations.

GPOZaurr summary report

GPOZaurr summary report

Another excellent feature of GPOZaurr is the ability to export any of the report sections to CSV (for manipulation in Excel), PDF, or HTML format. This allows you to pull out certain subsets of data and then produce more granular information. For instance, I have used it to look at data from the Group Policy Content section and then filter it by Drive Mappings to obtain a list of UNC paths that are being mapped via GP before exporting to CSV. This allowed me to identify any invalid or inaccessible drive mappings being delivered to the users.

GPOZaurr report filtered

GPOZaurr report filtered

Looking through the data available in this HTML file gives you fantastic insight into the setup and configuration of your Group Policies. There are some annoyances (such as spelling and grammatical mistakes) that can be chalked up to the author not having English as a first language, but you can easily tidy these up by editing the HTML directly. Of particular interest to me is the Group Policy Content section, which provides a wealth of data that can be perused or exported.

GPOZaurr content view

GPOZaurr content view

One cautionary mention is that GPOZaurr also provides links to remediation for things such as invalid GPOs or broken links. I would not recommend using this functionality—use the data that has been identified to feed into formal change controls for the removal of GPOs rather than using the tool to do them directly. As such, you should be careful who you provide the raw HTML data to—it is much safer to export the highlights to Excel or PDF for distribution purposes. If you want to avoid the remediation links and distribute HTML, however, you can simply run the tool with the -HideSteps parameter specified.

Some of the report sections that GPOZaurr outputs are immediately usable, whereas others require more detailed review. It is up to you how you use the data; you can filter and crunch it in any way you please. What I have suggested below is simply a list of guidelines. There are many more things you can achieve!

Finding broken GPOs ^

Broken or dead links are instantly identified.

Finding broken GPOs links

Finding broken GPOs links

The tool also pulls out GPOs that are disabled, duplicated, unlinked, empty, that have sections with disabled content, that users have no permissions to apply, and that have incorrect permissions. This gives a whole load of data that can be quickly verified and fed into a process to remove or disable policies that are not applied for a multitude of reasons. This should be properly validated and change reviewed, as shown in the process below. And it is always prudent to rerun the GPOZaurr utility before making any changes to make sure no one has altered the policies in the meantime.

Fixing broken GPOs

Fixing broken GPOs

In large enterprise environments, this stage of consolidation usually produces at least a few hundred policy objects that can potentially be removed. Once the "quick wins" are done, you can now move on to the slightly more time-consuming phases.

Finding disabled GPOs ^

First, there will be GPOs identified that have sections (either Computer or User Config) that are disabled but contain content. GPOZaurr will flag these, but they will need a manual review process to verify whether disabled content is required or not.

Finding disabled GPOs

Finding disabled GPOs

Finding GPOs with invalid security filters ^

Next is the specter of invalid security filters. Older GP implementations typically have more of these. Several years ago, Microsoft changed the way that the user Group Policy is applied via a security update. Some of the user processing is now done in the device context. This means that if you are filtering a GPO by user or group (and Authenticated Users is not present), then the Domain Computers group (or a list of computer accounts) must be present in order for the filter to successfully apply. GPOs that do not have Authenticated Users or a list of computer accounts specified on the Security Filter cannot be processed.

GPOZaurr outputs a report of "Group Policy Authenticated Users Permissions," which narrows the list down to policies that don't have Authenticated Users present, but each one of these must be checked manually for a group of computers being specified.

GPOs with invalid security filters

GPOs with invalid security filters

If there are no computer groups or accounts present on the Security Filter, however, this indicates that the GPO has an invalid security filter and should be either remediated or removed.

Fixing GPOs with invalid security filter

Fixing GPOs with invalid security filter

You can also apply custom Search Builder conditions to the GPOZaurr data to produce more targeted inquiries. I used this to filter the summary data down into those policies containing WMI filters. It is useful to view and verify these to ensure that they are still applicable and don't take a long time to apply (Product Class is a well-known WMI filter that will cause particular issues).

Custom search builder

Custom search builder

Finding inapplicable GPOs ^

For the final part of the medium-term remediation, you can assess whether GPO settings are inapplicable. Many GPOs, for instance, apply only to particular operating systems or software versions (such as settings that only apply to Windows XP and Server 2003). These settings, if present, will still be applied (they are just registry entries), but are essentially ignored. Therefore, it is useful to identify and remediate these.

This is one area where, surprisingly, GPOZaurr does not offer much. However, Microsoft also has the Policy Analyzer tool available, which may help with this in enterprise environments. This tool compares GPOs to look for invalid settings.

Once you have identified any invalid legacy policies (whether by using Policy Analyzer or by manual review), you can then feed the policies into the usual change review process to get them removed.

Subscribe to 4sysops newsletter!

Fixing inapplicable GPOs

Fixing inapplicable GPOs

In my next post, I will cover Loopback Policy Processing, Folder Redirection, and your monthly Group Policy clean-up tasks.

+5
avatar
0 Comments

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account