Nitzan

Nitzan

If this prod is rocking, don’t come a-knocking

Testing stranded group policies

1 minute read

Ever had GPO Version differences between the AD and the Sysvol? Sure, you might have a healthy FRS/DFSR architecture, but the replication takes time. It’s annoying to check if the GP object is now OK on every server, because one would have to point the GPMC to every DC and check the version numbers…
My soultion - this nifty script. It’s essentially grabbing the GP object through Get-GPO from every DC there is, and comparing its AD and Sysvol versions (for both computer and user), and pointing out if this DC’s version is mismatched. Run this script once, and you’ll know how the GP’s doing on every (accessible) DC.

if(-not gmo GroupPolicy) {ipmo GroupPolicy}
<#
.SYNOPSIS
Gets a GPO object from every DC in the domain, and looks for stranded GPOs
 
.Description
This function discovers all DCs in your domain, gets the GPO specified for every DC, and for every object checks all 4 versions (DS/Sysvol and Computer/User) to see if a gpo is only partially updated on a DC.
 
.Parameter GPOName
 
.EXAMPLE
Test-StrandedGPO 'Some Policy Name'
.LINK
My Blog: http://OneBoredAdmin.blogspot.com
#>
function Test-StrandedGPO
{
    param(
    [parameter(Mandatory=$true)]
    [string]$GPOName
    )
     
    # Get all DCs
    $DCs = ([directoryservices.directorysearcher]'(&(&(&(sAMAccountType=805306369)(useraccountcontrol:1.2.840.113556.1.4.804:=67117056))))').findAll() | %{$_.Properties['cn'][0]}
     
    # For every DC, get the GP object
    $GPObjects = $DCs | %{
        $temp = Get-GPO -Name $GPOName -Server $_
        $temp | Add-Member NoteProperty 'Server' $_;
        $temp;
        };
    $server = $_;
    # For every GP object, check if the version is consistent
    $GPObjects | %{
        $objRet = new-object object;
        $objRet | add-member NoteProperty 'DisplayName' ($_.DisplayName)
        $objRet | add-member NoteProperty 'Server' ($_.Server)
        $objRet | add-member NoteProperty 'ComputerDS' ($_.Computer.DSVersion)
        $objRet | add-member NoteProperty 'ComputerSys' ($_.Computer.SysvolVersion)
        $objRet | add-member NoteProperty 'UserDS' ($_.User.DSVersion)
        $objRet | add-member NoteProperty 'UserSys' ($_.User.SysvolVersion)
        [bool] $VMismatch = !(($_.Computer.DSVersion -eq $_.Computer.SysvolVersion) -and ($_.User.DSVersion -eq $_.User.SysvolVersion))
        $objRet | add-member NoteProperty 'VersionMismatch' ($VMismatch)
         
        $objRet
    }
}

You May Also Enjoy

Java SMPP helper

6 minute read

One of my projects involves communicating over SMS with cellular-connected IoT devices. The company already has a working infastructure for sending and recie...

Adding shortcuts to your search engine

3 minute read

I really like DuckDuckGo’s bangs, which basically directs your query elsewhere if you prefix it with !something. You could search the London zoo in gmaps by ...

Bridging Switcher’s UDP over OpenWRT

1 minute read

Seems like I’m doing this setup once every 3 years, then forget about it until the next time it breaks. I hope this is the last time I’m rediscovering this.

Invalid number: Nov

5 minute read

One of my current projects is migrating a big Java project from Java 8 to a supported version. Since we’re doing small, stable steps, we started with Java 11...