A bit stumped. I am trying to create a PowerShell script to search all GPOs, looking specifically for GPOs with nothing in the Security Filtering section of the Scope tab. Get-GPPermissions unfortunately looks at the Delegation tab, and there may be things on the Delegation tab but nothing in the Security Filtering on the Scope tab. So my thought was to use Get-GPPermissions and do a -notmatch "Apply", but of course that is giving me all GPOs and permissions that don't have Apply in them, such as Read, Edit, etc.

My ultimate goal is to have the PowerShell script pump out the names of the GPOs that do not have the Apply permissions set anywhere in the Delegations tab. I currently have it pumping out the account permissions as well, just so I can easily double-check the results.

The current code gets the results below. As you can see, it repeats the GPO name and lists the permissions, of course, because there are multiple accounts with permissions in the delegation.

What I am trying to do is to have it list just the GPO names that have no accounts with the "Apply" permissions on the Delegation tab, either that or just the GPO names that have nothing in Security Filtering of the Scope tab.

GPOName AccountPermissions
GPO-Name_edited GpoEditDeleteModifySecurity
GPO-Name_edited GpoEditDeleteModifySecurity
GPO-Name_edited GpoEditDeleteModifySecurity
GPO-Name_edited GpoRead
GPO-Name_edited-1 GpoEditDeleteModifySecurity
GPO-Name_edited-1 GpoEditDeleteModifySecurity
GPO-Name_edited-1 GpoRead

Here is the code I am working with:

$gpos = Get-GPO -All

foreach ($gpo in $gpos) {
    Get-GPPermissions -Guid $gpo.Id -All | Where-Object { $_.Permission -notmatch "Apply" } | Select-Object `
        @{n='GPOName';e={$gpo.DisplayName}},
        @{n='AccountPermissions';e={$_.Permission.ToString()}}
}
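An added example, not part of the original post: one way to get one line per GPO is to make the decision per GPO rather than per permission row, keeping a GPO only when none of its entries is `GpoApply`. The function names `Get-GpoWithoutApply` and `Get-LiveGpoEntry` and the third sample GPO are assumptions made for illustration; the sample rows are constructed from the output shown in the question.

```powershell
# Added example; the sample rows are constructed to mirror the question's output.
function Get-GpoWithoutApply {
    [CmdletBinding()]
    param(
        # One object per trustee entry, with GPOName and Permission properties.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject[]]$Entry
    )
    begin   { $rows = [System.Collections.Generic.List[psobject]]::new() }
    process { foreach ($e in $Entry) { $rows.Add($e) } }
    end {
        # Decide per GPO, not per row: keep a GPO only if no entry is GpoApply.
        $rows | Group-Object -Property GPOName | ForEach-Object {
            $perms = @($_.Group | ForEach-Object { [string]$_.Permission })
            if ($perms -notcontains 'GpoApply') {
                [pscustomobject]@{
                    GPOName     = $_.Name
                    Permissions = ($perms | Sort-Object -Unique) -join ', '
                    # GpoCustom does not map to a named level; flag it for manual review.
                    HasCustom   = $perms -contains 'GpoCustom'
                }
            }
        }
    }
}

# Hypothetical helper: flattens live data into the same shape (needs the GroupPolicy module).
function Get-LiveGpoEntry {
    foreach ($gpo in (Get-GPO -All)) {
        Get-GPPermission -Guid $gpo.Id -All | ForEach-Object {
            [pscustomobject]@{ GPOName = $gpo.DisplayName; Permission = $_.Permission }
        }
    }
}

# Constructed sample: two GPOs from the question plus one that has an Apply entry.
$sample = @(
    [pscustomobject]@{ GPOName = 'GPO-Name_edited';   Permission = 'GpoEditDeleteModifySecurity' }
    [pscustomobject]@{ GPOName = 'GPO-Name_edited';   Permission = 'GpoRead' }
    [pscustomobject]@{ GPOName = 'GPO-Name_edited-1'; Permission = 'GpoEditDeleteModifySecurity' }
    [pscustomobject]@{ GPOName = 'GPO-Name_edited-1'; Permission = 'GpoRead' }
    [pscustomobject]@{ GPOName = 'GPO-With-Filter';   Permission = 'GpoApply' }
    [pscustomobject]@{ GPOName = 'GPO-With-Filter';   Permission = 'GpoRead' }
)
$sample | Get-GpoWithoutApply   # lists GPO-Name_edited and GPO-Name_edited-1 only
```

On a domain-joined machine, `Get-LiveGpoEntry | Get-GpoWithoutApply` runs the same check against real GPOs. Display names are not guaranteed unique, so group on the GPO Id instead if duplicates exist.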