GPOZaurr - Group Policy Eater Is A PowerShell Module That Aims To Gather Information About Group Policies
GPOZaurr requires RSAT
installed to provide results. If you don't have them you can install them as below. Keep in mind it also installs GUI tools so it shouldn't be installed on user workstations.
# Windows 10 Latest
Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
Add-WindowsCapability -Online -Name 'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0'
Finally just install module:
Install-Module -Name GPOZaurr -AllowClobber -Force
Force and AllowClobber aren't necessary, but they do skip errors in case some appear.
Updating
Update-Module -Name GPOZaurr
That's it. Whenever there's a new version, you run the command, and you can enjoy it. Remember that you may need to close, reopen PowerShell session if you have already used module before updating it.
The essential thing is if something works for you on production, keep using it till you test the new version on a test computer. I do changes that may not be big, but big enough that auto-update may break your code. For example, small rename to a parameter and your code stops working! Be responsible!
Resources
To understand the usage I've created blog post you may find useful
Changelog
- 0.0.114 - 2021.01.27
- Improved
Invoke-GPOZaurr
- HTML now uses offline mode by default (no CDN) - increase in size of HTML up to 3MB
- Using Online switch forces use of CDN - smaller files. For example
Invoke-GPOZaurr -Type GPOList -Online
- Improved
Invoke-GPOZaurrSupport
- HTML now uses offline mode by default (no CDN) - increase in size of HTML up to 3MB
- Using Online switch forces use of CDN - smaller files. For example
Invoke-GPOZaurrSupport -Online
- Removed parameter Offline, added parameter Online
- The cmdlet is not really production ready. It's work in progress
- Improved
- 0.0.113 - 2021.01.25
- Improved
Invoke-GPOZaurr
- Report GPOAnalysis - added WindowsTimeService
- Improved
Invoke-GPOZaurrContent
- Added
WindowsTimeService
type
- Added
- Improved
- 0.0.112 - 2021.01.25
- Improved
Invoke-GPOZaurr
- Improved
- 0.0.111 - 2021.01.24
- Improved
Invoke-GPOZaurr
- Improved
- 0.0.110 - 2021.01.22
- Improved
Invoke-GPOZaurr
- Improved
- 0.0.109 - 2021.01.11
- Improved
Invoke-GPOZaurr
- Improved
- 0.0.108 - 2021.01.11
- Improved
Invoke-GPOZaurr
- Improved
GPOConsistency
- Improved
- Improved
- 0.0.107 - 2021.01.11
- Improved
Invoke-GPOZaurr
- Improved
- 0.0.106 - 2021.01.11
- Improved
Invoke-GPOZaurrContent
- Improved
- 0.0.105 - 2021.01.05
- Improved
Get-GPOZaurr
- Improved report
GPOBrokenLink
- Improved report
- Improved
- 0.0.104 - 2021.01.04
- Improved
Get-GPOZaurrBrokenLink
- Improved
Repair-GPOZaurrBrokenLink
- Improved
Get-GPOZaurr
- Improved report
GPOBrokenLink
- Improved report
- Improved
- 0.0.103 - 2021.01.04
- Improved
Get-GPOZaurr
- Added new report
GPOBrokenLink
- Added new report
- Added
Get-GPOZaurrBrokenLink
- Added
Repair-GPOZaurrBrokenLink
- Improved
- 0.0.102 - 2021.01.02
- Improved
Get-GPOZaurrLink
- Supports all links across forest
- Renamed Linked validate set from
Other
toOrganizationalUnit
- Improved
Get-GPOZaurrLinkSummary
- Improved/BugFix
Get-GPOZaurr
to properly detect linked GPOs in sites/cross-domain - Improved
Invoke-GPOZaurrPermission
- Renamed Linked validate set from
Other
toOrganizationalUnit
- Renamed Linked validate set from
- Improved
Invoke-GPOZaurr
- Added
GPOLinks
basic list
- Added
- Improved
- 0.0.101 - 23.12.2020
- Improved
Get-GPOZaurrBroken
- It now detects
ObjectClass Issue
- Heavily improved performance
- Removed some useless properties for this particular cmdlet
- All states:
Not available on SYSVOL
,Not available in AD
,Exists
,Permissions Issue
,ObjectClass Issue
- Improved help
- It now detects
- Improved
Remove-GPOZaurrBroken
- It now deals with
ObjectClass Issue
- Heavily improved performance
- Removed some useless properties for this particular cmdlet
- Now requires manual type insert AD, SYSVOL or ObjectClass (or all of them). Before it was auto using AD/SYSVOL.
- Improved help
- It now deals with
- Improved
Invoke-GPOZaurr
- Type
GPOList
- Renamed
GPOOrphans
toGPOBroken
- Improved
GPOBroken
withObjectClass issue
- Type
- Improved
- 0.0.100 - 21.12.2020
- Improved
Invoke-GPOZaurr
- Type
GPOPermissionsRead
- Type
GPOPermissions
- Type
- Improved
- 0.0.99 - 13.12.2020
- Improved
Invoke-GPOZaurr
- Type
GPOList
- require GPO to be 7 days old for deletion to be proposed - Type
GPOPermissions
- one stop for permissions - Allows Steps to be chosen via their menu and out-of-order
- Type
- Improved
Remove-GPOZaurr
- addedRequireDays
parameter to prevent deletion of just modified GPOs - Added
Get-GPOZaurrPermissionAnalysis
- Added
Repair-GPOZaurrPermission
- Improved
- 0.0.98 - 10.12.2020
- Improved
Invoke-GPOZaurr
- Type
GPOList
- fixed unexpected ending of cmdlet when error occurs (for example deleted GPO while script is running) which could impact results - Other types - small color adjustment
- Type
- Fixed/Improved
Get-GPOZaurr
- fixed unexpected ending of cmdlet when error occurs (for example deleted GPO while script is running), improved code base - Improved
Invoke-GPOZaurrSupport
- Improved
- 0.0.97 - 07.12.2020
- Improved
Invoke-GPOZaurr
- Type
GPOList
- added more data, did small reorganization
- Type
- Improved
- 0.0.96 - 07.12.2020
- Improved
Invoke-GPOZaurr
- Type
GPOList
- added more data, added Optimization Step
- Type
- Added
Set-GPOZaurrStatus
- Added
Optimize-GPOZaurr
- Fixed
Invoke-GPOZaurrPermission
which would not remove permission due to internal changes earlier on - Small change to
Backup-GPOZaurr
- Added support for
Disabled
. It's now possbile to backupAll
(default),Empty
,Unlinked
,Disabled
or a mix of them - Removed useless
GPOPath
parameter
- Added support for
- Improved
- 0.0.95 - 04.12.2020
- Fix for too big int - #4 - tnx neztach
- Improved
Invoke-GPOZaurr
- Type
GPOList
- added ability for Exclusions - All other types, small improvements
- Added HideSteps, ShowError, ShowWarning -> Disabled Warnings/Errors by default as they tend to show too much information
- Type
- Improved
Remove-GPOZaurr
- added Exclusions
- 0.0.93 - 03.12.2020
- Improved
Invoke-GPOZaurr
- Type
GPOList
reverted charts colors for entries to match colors - Added
Skip-GroupPolicy
to use withinInvoke-GPOZaurr
- Type
- Improved
Invoke-GPOZaurr
with basic support for Exclusions - Improved
Get-GPOZaurr
with basic support for Exclusions - Improved
Remove-GPOZaurrPermission
error handling
- Improved
- 0.0.92 - 01.12.2020
- Improved
Invoke-GPOZaurrSupport
- Improved
Invoke-GPOZaurr
- Type
GPOList
improved with more data, more problems and clearer information
- Type
- Improved
Remove-GPOZaurr
- Added ability do remove disabed GPO
- Improved
Get-GPOZaurr
detecting more issues, delivering more data
- Improved
- 0.0.91 - 24.11.2020
- Improves
Invoke-GPOZaurr
(WIP)- Improve Type
GPOPermissionsUnknown
- Improve Type
- Improves
- 0.0.90 - 23.11.2020
- Improves
Invoke-GPOZaurr
(WIP)- Improves Type
GPODuplicates
- Fix for chart color to be RED
- Add Type
GPOPermissionsUnknown
- Improves logic for Data with 0/1 element
- Improves Type
- Improves
Remove-GPOZaurrDuplicateObject
- removedConfirm
requirement - Improves
Get-GPOZaurrNetLogon
with more verbose - Improves
Repair-GPOZaurrNetLogonOwner
with more verbose and fix forLimitProcessing
- Improves
- 0.0.89 - 22.11.2020
- Small update
Add-GPOZaurrPermission
- Improves
Invoke-GPOZaurr
(WIP)- Added Type
GPOPermissionsAdministrative
- Added Type
- Small update
- 0.0.88 - 18.11.2020
- Fix for
Add-GPOZaurrPermission
- Fix for
- 0.0.87 - 18.11.2020
- Improve error handling
Remove-GPOZaurrBroken
- Improve error handling
- 0.0.86 - 18.11.2020
- Improve error handling
Remove-GPOZaurrBroken
- Improve error handling
- 0.0.85 - 17.11.2020
- Improves
Invoke-GPOZaurr
(WIP)- Split
NetLogonPermissions
intoNetLogonPermissions
andNetLogonOwners
- Improved type
NetLogonPermissions
- Improved type
NetLogonOwners
- Split
- Improves
Get-GPOZaurrFiles
- Improves
Get-GPOZaurrNetLogon
- Fix for
Get-GPOZaurrNetLogon
- Improves
- 0.0.84 - 16.11.2020
- Improves
Invoke-GPOZaurr
(WIP)- Type
NetLogonPermissions
- Type
- Fix for
Get-GPOZaurrNetLogon
- Improves
- 0.0.83 - 14.11.2020
- Improves
Invoke-GPOZaurr
(WIP)- Fix for wrong ActionRequired count
- Improves
- 0.0.82 - 14.11.2020
- Added
Get-GPOZaurrPermissionIssue
to detect permission issue with no rights - Improves
Invoke-GPOZaurr
(WIP)- Type
GPOPermissionsRead
improved detection of problems with low permissions
- Type
- Added
- 0.0.81 - 12.11.2020
- Fix for
Set-GPOZaurrOwner
in case of missing permissions to not throw errors - Improves
Invoke-GPOZaurr
(WIP)- Type
GPOPermissionsRead
added
- Type
- Fix for
- 0.0.80 - 12.11.2020
- Improves
Invoke-GPOZaurr
(WIP)- Type
GPOOrphans
clearer options, updated texts, split per domain - Type
GPOOwners
clearer options, updated texts, split per domain
- Type
- Improves
Add-GPOZaurrPermission
- Fixes LimitProcessing to work correctly
- Added
All
to process all GPOs
- Fixes
Remove-GPOZaurrPermission
- Improves
Set-GPOZaurrOwner
- Added
Force
to forceGPO Owner
to any principal (normally only Domain Admins)
- Added
- Improves
- 0.0.79 - 10.11.2020
- Improved
Invoke-GPOZaurr
- typeGPOOrphans
- Improved
- 0.0.78 - 10.11.2020
- Improved
Remove-GPOZaurrBroken
more verbose - Improved
Get-GPOZaurrBroken
more verbose - Improved
Invoke-GPOZaurr
- typeGPOOrphans
- Improved
Invoke-GPOZaurr
- typeGPOList
- needs more work - Improved
Get-GPOZaurr
with better detection of Empty Policies (needs testing)
- Improved
- 0.0.77 - 9.11.2020
- Improved
Invoke-GPOZaurr
(WIP)
- Improved
- 0.0.76 - 8.11.2020
- Improved
Get-GPOZaurrNetLogon
to better handle errors
- Improved
- 0.0.75 - 8.11.2020
- Improved
Get-GPOZaurrPermissionConsistency
to stop checking consistency if path doesn't exists
- Improved
- 0.0.74 - 8.11.2020
- Improved
Invoke-GPOZaurr
(WIP)
- Improved
- 0.0.73 - 7.11.2020
- Improved
Invoke-GPOZaurr
(WIP) - Improved
Get-GPOZaurr
- Improved
- 0.0.72 - 6.11.2020
- Improved
Invoke-GPOZaurr
(WIP)
- Improved
- 0.0.71 - 3.11.2020
- Improved
Invoke-GPOZaurr
(WIP)
- Improved
- 0.0.70 - 29.10.2020
- Added
Get-GPOZaurrDuplicateObject
- Added
Remove-GPOZaurrDuplicateObject
- Added
- 0.0.69 - 29.10.2020
- Improved
Invoke-GPOZaurr
(WIP) - Improved
Get-GPOZaurrNetLogon
- Improved
Get-GPOZaurrOwner
- Improved
Set-GPOZaurrOwner
- Added
Repair-GPOZaurrNetLogonOwner
- Improved
Invoke-GPOZaurr
(WIP)
- Improved
- 0.0.68 - 28.10.2020
- Renamed
Show-GPOZaurr
toInvoke-GPOZaurr
- Renamed
Invoke-GPOZaurr
toInvoke-GPOZaurrContent
- Improvements to
Get-GPOZaurrPermissionConsistency
- don't check for inherited permissions if top level ones are inconsistent - Improved
Invoke-GPOZaurr
(WIP)
- Renamed
- 0.0.67 - 22.10.2020
- Improved
Show-GPOZaurr
(WIP)
- Improved
- 0.0.66 - 22.10.2020
- Improved
Show-GPOZaurr
(WIP)
- Improved
- 0.0.65 - 22.10.2020
- Improved
Show-GPOZaurr
(WIP)
- Improved
- 0.0.64 - 21.10.2020
- Renamed
Remove-GPOZaurrOrphaned
toRemove-GPOZaurrBroken
keeping it as an alias - Renamed
Get-GPOZaurrSysvol
toGet-GPOZaurrBroken
keeping it as an alias - Improved
Show-GPOZaurr
(WIP)
- Renamed
- 0.0.63 - 19.10.2020
- Renamed
Invoke-GPOZaurrContent
back toInvoke-GPOZaurr
- Added
Show-GPOZaurr
(WIP) - Added
OutputType
,OutputType
,Open
,Online
parameters toInvoke-GPOZaurr
- Added
Get-GPOZaurrNetLogon
- Improved
Get-GPOZaurrOwner
- Fixes
Get-GPOZaurrSysvol
- Renamed
- 0.0.62 - 14.10.2020
- Renamed
Invoke-GPOZaurr
toInvoke-GPOZaurrContent
- I want to useInvoke-GPOZaurr
for something else - Improvements to
Get-GPOZaurrPermissionConsistency
for GPOs without SYSVOL to be reported properly - Added
Get-GPOZaurrPermissionRoot
- Renamed
Remove-GPOZaurrOrphanedSysvolFolders
toRemove-GPOZaurrOrphaned
- Improved
Remove-GPOZaurrOrphaned
to deal with orphaned folders but also orphaned AD GPO (No sysvol data) - Improved
Get-GPOZaurrSysVol
to detect orphaned SYSVOL or AD GPO objects - Improved
Get-GPOZaurrSysVol
to detect permissions issue when reading AD GPO objects - Added
Get-GPOZaurrPermissionRoot
to show which users/groups have control over all GPOs (allowed to create/modify) - Improved
Get-GPOZaurrPermissionSummary
to includeGet-GPOZaurrPermissionRoot
custom permissions - Updated
Remove-GPOZaurrPermission
- Updated
Get-GpoZaurrPermission
- Updated
Get-GPOZaurrFiles
to better handle access issue - Reversed parameters
Get-GPOZaurrFiles
fromLimited
toExtendedMetaData
and fixed missing columns
- Renamed
- 0.0.61 - 31.08.2020
- Improvement to
Get-GPOZaurrPermissionSummary
- Fixes to
ConvertFrom-CSExtension
- Fixes to
Find-CSExtension
- Improvement to
- 0.0.59 - 26.08.2020
- Improvement to
Get-GPOZaurrPermissionSummary
- Improvement to
- 0.0.58 - 26.08.2020
- Improvement to
Get-GPOZaurrPermissionSummary
- Improvement to
- 0.0.57 - 26.08.2020
- Improvement to
Get-GPOZaurrPermissionSummary
- Improvement to
- 0.0.56 - 26.08.2020
- Added
Get-GPOZaurrPermissionSummary
- Added
- 0.0.55 - 17.08.2020
- Improved
Get-GPOZaurrInheritance
- Improved
- 0.0.54 - 16.08.2020
- Added
Invoke-GPOZaurrSupport
(WIP) - Added
ConvertFrom-CSExtension
- Added
Find-CSExtension
- Added
Get-GPOZaurrInheritance
- Added
- 0.0.53 - 16.08.2020
- Bad release
- 0.0.52 - 16.08.2020
- Bad release
- 0.0.51 - 2.08.2020
- Updates to
Invoke-GPOZaurr
- still work in progress - Added
Get-GPOZaurrSysvolDFSR
- Added
Clear-GPOZaurrSysvolDFSR
(requires testing)
- Updates to
- 0.0.50 - 29.07.2020
- Updates to couple of commands
- 0.0.49 - 23.07.2020
- Hidden files were skipped - and people do crazy things with them
- 0.0.48 - 21.07.2020
- Added
Get-GPOZaurrFilesPolicyDefinition
- Updates to
Invoke-GPOZaurr
- still work in progress - Updates to
Get-GPOZaurrFiles
- still work in progress - Updates to
Remove-GPOZaurrOrphanedSysvolFolders
with backup and support for domains - Module will now be signed
- Added
- 0.0.47 - 29.06.2020
- Update to
Get-GPOZaurrAD
for better error reporting - Updates to
Invoke-GPOZaurr
- still work in progress
- Update to
- 0.0.46 - 28.06.2020
- Additional protection for
Get-GPOZaurrAD
for CNF duplicates - Update to
Save-GPOZaurrFiles
- Added
Invoke-GPOZaurr
(alias:Find-GPO
) (heavy work in progress)
- Additional protection for
- 0.0.45 - 26.06.2020
- During publishing ADEssentials required functions are now merged to prevent cyclic dependency bug Using ModuleSpec syntax in RequiredModules causes incorrect "cyclic dependency" failures
- 0.0.44 - 24.06.2020
- Improvement to
Get-GPOZaurrLinkSummary
- Improvement to
- 0.0.43 - 21.06.2020
- Added
Get-GPOZaurrFiles
to list files on NETLOGON/SYSVOL shares with a lot of details
- Added
- 0.0.42 - 19.06.2020
- Fix for
Get-GPOZaurrLink
andSearchBase
parameter - Fix for
Get-GPOZaurrLink
- canonical link Trim() throwing errors if empty
- Fix for
- 0.0.41 - 18.06.2020
- Added paramerter
SkipDuplicates
toInvoke-GPOZaurrPermission
which prevents applying permissions over and over again if 1 GPO is linked to a multiple OU's within another OU
- Added paramerter
- 0.0.40 - 18.06.2020
- Fix for error
Get-GPOZaurrLink
- same issue as described on my earlier blog - Get-ADObject : The server has returned the following error: invalid enumeration context..WARNING: Get-GPOZaurrLink - Processing error The server has returned the following error: invalid enumeration context.
WARNING: Get-GPOZaurrLink - Processing error A referral was returned from the server
- Added
SkipDuplicates
forGet-GPOZaurrLink
- Fix for error
- 0.0.39 - 17.06.2020
- Updates to
Invoke-GPOZaurrPermission
with new parameterLimitAdministrativeGroupsToDomain
- This will get administrative based on IncludeDomains if given. It means that if GPO has Domain admins added from multiple domains it will only find one, and remove all other Domain Admins (if working with Domain Admins that is)
- Updates to
- 0.0.38 - 17.06.2020
- Update to Get-PrivGPOZaurrLink which would cause problems to
Invoke-GPOZaurrPermission
if it would be run without Administrative permission and GPO wouldn't be accessible for that user
- Update to Get-PrivGPOZaurrLink which would cause problems to
- 0.0.37 - 16.06.2020
- Updates to
Invoke-GPOZaurrPermission
with new parametersetLevel
- Updates to
Get-GPOZaurrLinkSummary
- Updates to
- 0.0.36 - 15.06.2020
- Initial release