Powershell - Find GPO's for specific Group



  • Goal - Find all GPOs that have "SomeGroupName" in the Delegation tab.

    (Very limited powershell scripting ability)
    Just starting to find the proper cmdlet's to solve my problem.

    Based on what I have found so far, the logic would be something like:

    1. Ask what group to find
    2. Use Get-GPO to get all GPOs (an array, I presume)
    3. Loop through the GPO array and use Get-GPPermission to list trustees
    4. Filter the trustees in each GPO for "SomeGroupName" and save to a 2nd array
    5. Write out the results from the 2nd array.

    If anyone has better logic or a cmdlet that does this already, I am all ears.



  • Is this going to be an ongoing tool, or a one and done cmdlet?



  • @JasGot said in Powershell - Find GPO's for specific Group:

    Is this going to be an ongoing tool, or a one and done cmdlet?

    I thought it was going to be a one and done but believe I can use it more in the future so it will become an ongoing tool.

    I've been "playing around" with RBAC for AD and make sure to use groups for my GPO filtering. Top that off with using single-function GPOs for specific groups, and it can be a little rough trying to find which groups apply to some GPOs.

    In the end, I'm thinking it would be nice to take a user, find the groups (possibly nested groups too) they belong to, and automatically find all GPOs that affect this user on all systems.

    I think this may be good for organizations of all sizes too. I get that large orgs probably already have tools for this stuff.
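The user-centred version described in the post above, as an added example that is not code from this thread: take a user, resolve every group they belong to (nested groups included, plus the primary group that a nesting query would miss), then list each GPO whose delegation names one of those groups. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined host; the function names and the account name `jdoe` are placeholders I chose.

```powershell
# Added example: GPOs delegated to any group a given user belongs to.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function ConvertTo-LdapFilterValue {
    # Escape the characters that carry meaning inside an LDAP filter (RFC 4515),
    # so a DN containing parentheses or backslashes cannot break the query
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-UserGroupNames {
    # sAMAccountName of every group the user is in, directly or through nesting.
    # LDAP_MATCHING_RULE_IN_CHAIN makes the domain controller walk the nesting.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    # The primary group lives in primaryGroupID, not in any group's member
    # attribute, so the chain query below would miss it; add it explicitly
    $primary = (Get-ADGroup -Identity $user.PrimaryGroup).SamAccountName
    $dn      = ConvertTo-LdapFilterValue -Value $user.DistinguishedName
    $nested  = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object -ExpandProperty SamAccountName
    @($primary) + @($nested) | Select-Object -Unique
}

function Get-GPODelegatedToUser {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Well-known principals every domain user holds implicitly; delegation
    # entries for them affect the user although no AD group membership says so
    $names = @(Get-UserGroupNames -SamAccountName $SamAccountName) +
             @('Authenticated Users', 'Everyone')

    foreach ($gpo in Get-GPO -All) {
        # Look the GPO up by GUID; display names are not guaranteed unique
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            if ($names -contains $perm.Trustee.Name) {
                [PSCustomObject]@{
                    GPOName    = $gpo.DisplayName
                    Trustee    = $perm.Trustee.Name
                    Permission = $perm.Permission   # e.g. GpoApply, GpoRead, GpoEdit
                }
            }
        }
    }
}

# Example use: 'jdoe' is a constructed placeholder account name
Get-GPODelegatedToUser -SamAccountName 'jdoe' | Sort-Object GPOName | Format-Table -AutoSize
```

This reports delegation entries that name one of the user's groups, which is the cleanup view the thread is after; it is not the effective policy for the user. Deny entries, WMI filters, link state and OU placement still decide what actually applies, so for that question use gpresult or Get-GPResultantSetOfPolicy against a real logon.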



  • @pmoncho said in Powershell - Find GPO's for specific Group:

    I thought it was going to be a one and done but believe I can use it more in the future so it will become an ongoing tool.

    Ok. Cool. I did a quick search and found many examples that search the entire GPO for search strings. This would be fine for a quick and dirty one-off script, but maybe not for something that goes in your tool bag.

    Maybe these will help you get closer to your goal.
    https://www.itdroplets.com/searching-gpo-specific-setting-powershell/
    https://gallery.technet.microsoft.com/scriptcenter/Search-all-GPOs-in-a-b155491c

    and one of my favorite Go-To sites for GPO ideas:
    https://deployhappiness.com/searching-gpos-for-that-specific-setting/

    I hope you find something helpful here.



  • @JasGot said in Powershell - Find GPO's for specific Group:

    @pmoncho said in Powershell - Find GPO's for specific Group:

    I thought it was going to be a one and done but believe I can use it more in the future so it will become an ongoing tool.

    Ok. Cool. I did a quick search and found many examples that search the entire GPO for search strings. This would be fine for a quick and dirty one off script. But maybe not for something that goes in your tool bag.

    Maybe these will help you get closer to your goal.
    https://www.itdroplets.com/searching-gpo-specific-setting-powershell/
    https://gallery.technet.microsoft.com/scriptcenter/Search-all-GPOs-in-a-b155491c

    and one of my favorite Go-To sites for GPO ideas:
    https://deployhappiness.com/searching-gpos-for-that-specific-setting/

    I hope you find something helpful here.

    Thanks.

    I will check those out. I was really hoping there would be a parameter for the Get-GPO cmdlet or the ability to filter, but after many searches, it looks as though there will be a bunch of looping. 🙂



  • Here's a quick function I created going by your goal:

    @pmoncho said in Powershell - Find GPO's for specific Group:

    Goal - Find all GPO's that have "SomeGroupName" in Delegation Tab.

    I can change it to a script you can run that takes parameters instead, if that was how you planned on using it. But as it is below, it's meant to be used within a script or in ISE, as in the screenshots below.

    I am using -eq, so the parameter you use for -GroupName needs to be exact. Otherwise, you can change it to -match, for example.

    Note: I only tried this in PS v5.1.

    [screenshots of the function in use omitted]

    function Get-GPOGroupMatches {
        [CmdletBinding()]
        param(
            [Parameter(Mandatory)]
            [string]$GroupName
        )

        # Every GPO in the domain
        $gpos = Get-GPO -All

        $list = foreach ($gpo in $gpos) {
            # Trustee.Name is an array of every trustee on the GPO; -eq against an
            # array returns the matching elements, so the if() is true when the
            # group is present and false when the result is empty
            if ((Get-GPPermission -Name $gpo.DisplayName -All).Trustee.Name -eq $GroupName) {
                [PSCustomObject]@{
                    GPOName = $gpo.DisplayName
                }
            }
        }

        Write-Output -InputObject $list
    }

    # Example use(s):

        # Example 1:
            Get-GPOGroupMatches -GroupName "TestGroup1"

        # Example 2:
            $GPOs = Get-GPOGroupMatches -GroupName "TestGroup1"
            $GPOs.GPOName
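An added example, not the function from the post above: the same lookup with the comparison made selectable (exact -eq, wildcard -like, or regex -match, the choice the post mentions) and with each match's right reported, so a cleanup pass can separate groups that can edit a GPO from groups that merely read or apply it. It assumes the RSAT GroupPolicy module; the function name and the group pattern `GPO-RDS-*` are placeholders I chose.

```powershell
# Added example: find GPO delegation entries by trustee name, with the
# comparison mode chosen by the caller and the granted right reported.
Import-Module GroupPolicy

function Find-GPODelegation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        # Exact: case-insensitive equality; Wildcard: -like with * and ?; Regex: -match
        [ValidateSet('Exact', 'Wildcard', 'Regex')][string]$MatchMode = 'Exact',
        # Only return entries that let the trustee change the policy
        [switch]$EditOnly
    )

    # Rights that allow modifying a GPO. GpoCustom is an ACL that does not map to
    # a standard level and can also grant write access; inspect those by hand.
    $editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        # Identify the GPO by GUID; display names are not guaranteed unique
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            $name = $perm.Trustee.Name
            $hit = switch ($MatchMode) {
                'Exact'    { $name -eq    $GroupName }
                'Wildcard' { $name -like  $GroupName }
                'Regex'    { $name -match $GroupName }
            }
            if (-not $hit) { continue }
            if ($EditOnly -and ($perm.Permission -notin $editRights)) { continue }

            [PSCustomObject]@{
                GPOName    = $gpo.DisplayName
                GPOId      = $gpo.Id
                Trustee    = "$($perm.Trustee.Domain)\$name"
                Permission = $perm.Permission
                Inherited  = $perm.Inherited
            }
        }
    }
}

# Example use: every GPO that a group matching the constructed pattern can edit
Find-GPODelegation -GroupName 'GPO-RDS-*' -MatchMode Wildcard -EditOnly |
    Sort-Object GPOName | Format-Table -AutoSize
```

With -MatchMode Regex the group name is a pattern, so a bare name such as `Admins` also matches `Domain Admins`; anchor it (`^Admins$`) when an exact hit is wanted. The -EditOnly view is the one worth reviewing regularly, since any group that can edit a GPO can change what runs on every computer that GPO is linked to.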
    
    


  • Aside from the script you are looking for, is there a reason why the delegation is that way or are you trying to limit access to those GPOs? Or cleaning them up?



  • @Obsolesce said in Powershell - Find GPO's for specific Group:

    Here's a quick function I created going by your goal:

    @pmoncho said in Powershell - Find GPO's for specific Group:

    Goal - Find all GPO's that have "SomeGroupName" in Delegation Tab.

    I can change it to a script you can run that takes parameters instead, if that was how you planned on using it. But as it is below, it's meant to be used within a script or in ISE, as in the screenshots below.

    I am using -eq, so the parameter you use for -GroupName needs to be exact. Otherwise, you can change it to -match, for example.

    Note: I only tried this in PS v5.1.

    [screenshots of the function in use omitted]

    function Get-GPOGroupMatches {
        [CmdletBinding()]
        param(
            [Parameter(Mandatory)]
            [string]$GroupName
        )

        # Every GPO in the domain
        $gpos = Get-GPO -All

        $list = foreach ($gpo in $gpos) {
            # Trustee.Name is an array of every trustee on the GPO; -eq against an
            # array returns the matching elements, so the if() is true when the
            # group is present and false when the result is empty
            if ((Get-GPPermission -Name $gpo.DisplayName -All).Trustee.Name -eq $GroupName) {
                [PSCustomObject]@{
                    GPOName = $gpo.DisplayName
                }
            }
        }

        Write-Output -InputObject $list
    }

    # Example use(s):

        # Example 1:
            Get-GPOGroupMatches -GroupName "TestGroup1"

        # Example 2:
            $GPOs = Get-GPOGroupMatches -GroupName "TestGroup1"
            $GPOs.GPOName
    
    

    Thank you very much @Obsolesce.

    I will test it out in the ISE. Eventually a script is my goal, but not required. I greatly appreciate your help.

    I currently stink at scripting so I will be learning from this also.



  • @dbeato said in Powershell - Find GPO's for specific Group:

    Aside from the script you are looking for, is there a reason why the delegation is that way or are you trying to limit access to those GPOs? Or cleaning them up?

    It's all of the above.

    I created multiple GPOs (limiting the scope of each GPO) that affect only certain groups on the same RDS server. This is due to the upcoming changes in our LOB application and moving to our new 2019 RDS servers. I wanted to make it as easy as possible for my internal users and external remote clients to have what they need while limiting access as much as possible (yes, I do believe I over-complicated things).

    The main reason for the script was cleanup. It was rough finding the groups I delegated to each specific GPO instead of fumbling through each one.



  • @Obsolesce said in Powershell - Find GPO's for specific Group:

    Here's a quick function I created going by your goal:

    @pmoncho said in Powershell - Find GPO's for specific Group:

    Goal - Find all GPO's that have "SomeGroupName" in Delegation Tab.

    I can change it to a script you can run that takes parameters instead, if that was how you planned on using it. But as it is below, it's meant to be used within a script or in ISE, as in the screenshots below.

    I am using -eq, so the parameter you use for -GroupName needs to be exact. Otherwise, you can change it to -match, for example.

    Note: I only tried this in PS v5.1.

    The script works really well and much faster than the generic thing I had.
    I added the following to the bottom to get input from the user:

    #Get Input from User
    $MyGroupName = Read-Host -Prompt "Please enter Group Name"
    
        # Example 3:
            $GPOs = Get-GPOGroupMatches -GroupName $MyGroupName
            $GPOs.GPOName
    


  • @pmoncho said in Powershell - Find GPO's for specific Group:

    @dbeato said in Powershell - Find GPO's for specific Group:

    Aside from the script you are looking for, is there a reason why the delegation is that way or are you trying to limit access to those GPOs? Or cleaning them up?

    It's all of the above.

    I created multiple GPOs (limiting the scope of each GPO) that affect only certain groups on the same RDS server. This is due to the upcoming changes in our LOB application and moving to our new 2019 RDS servers. I wanted to make it as easy as possible for my internal users and external remote clients to have what they need while limiting access as much as possible (yes, I do believe I over-complicated things).

    The main reason for the script was cleanup. It was rough finding the groups I delegated to each specific GPO instead of fumbling through each one.

    I see. Make it a habit to document changes too 🙂 That will help (I know I am stating the obvious), but it comes back to bite you in the rear end a lot of times if it's not in place.



  • @dbeato said in Powershell - Find GPO's for specific Group:

    @pmoncho said in Powershell - Find GPO's for specific Group:

    @dbeato said in Powershell - Find GPO's for specific Group:

    Aside from the script you are looking for, is there a reason why the delegation is that way or are you trying to limit access to those GPOs? Or cleaning them up?

    It's all of the above.

    I created multiple GPOs (limiting the scope of each GPO) that affect only certain groups on the same RDS server. This is due to the upcoming changes in our LOB application and moving to our new 2019 RDS servers. I wanted to make it as easy as possible for my internal users and external remote clients to have what they need while limiting access as much as possible (yes, I do believe I over-complicated things).

    The main reason for the script was cleanup. It was rough finding the groups I delegated to each specific GPO instead of fumbling through each one.

    I see. Make it a habit to document changes too 🙂 That will help (I know I am stating the obvious), but it comes back to bite you in the rear end a lot of times if it's not in place.

    You are NOT kidding. I had a decent doc going, but a little laziness and getting sidetracked by management, and here we are! Ugh! Lol

