
Powershell script to disable Computer or Users section of GPO

I'm looking for a PowerShell code snippet to disable the computer or user section of Active Directory GPOs.

I have extracted the GUIDs of the relevant GPOs; I just need to find a way to disable either the computer or the user section, but not the whole GPO.

The objective is to disable the computer section of a GPO if it is empty, and vice versa.

Thanks.

Like this (you only need to change the DC=mydom,DC=adds and mydom.adds strings to match your domain):

Import-Module ActiveDirectory   # provides the AD: drive and Set-ADObject

# Enumerate every GPO container (its name is the GPO GUID) and look at its SYSVOL folders
Get-ChildItem "AD:\CN=Policies,CN=System,DC=mydom,DC=adds" | Select -ExpandProperty Name | ForEach-Object {
    if (-not (Get-ChildItem \\mydom.adds\SYSVOL\mydom.adds\Policies\$_\MACHINE))
    {
        # No machine configuration, disable machine parameters (flags bit 2)
        Set-ADObject "CN=$_,CN=Policies,CN=System,DC=mydom,DC=adds" -Replace @{flags=2}
    }
    elseif (-not (Get-ChildItem \\mydom.adds\SYSVOL\mydom.adds\Policies\$_\USER))
    {
        # No user configuration, disable user parameters (flags bit 1)
        Set-ADObject "CN=$_,CN=Policies,CN=System,DC=mydom,DC=adds" -Replace @{flags=1}
    }
}

You should close gpmc.msc before running this to avoid errors (gpmc loads the state of the GPOs, and when they are changed this way it detects an inconsistency, which is not one). You can run it afterwards to verify :)

For more information:

  1. flags = 0 : all enabled
  2. flags = 3 : all disabled

or, best, one to rule them all:

Import-Module ActiveDirectory   # provides the AD: drive and Set-ADObject

Get-ChildItem "AD:\CN=Policies,CN=System,DC=mydom,DC=adds" | Select -ExpandProperty Name | ForEach-Object {
    $flags = 0
    if (-not (Get-ChildItem \\mydom.adds\SYSVOL\mydom.adds\Policies\$_\MACHINE))
    {
        # No machine configuration: set bit 2
        $flags = 2
    }
    if (-not (Get-ChildItem \\mydom.adds\SYSVOL\mydom.adds\Policies\$_\USER))
    {
        # Disable all if both are empty (3), and user only otherwise (1)
        $flags += 1
    }
    # Write the computed value; 0 re-enables both sections
    Set-ADObject "CN=$_,CN=Policies,CN=System,DC=mydom,DC=adds" -Replace @{flags=$flags}
}

This needs "clean" GPOs. I mean, if you have a GPO with no Machine configuration for instance, and inside the Group Policy editor you go to the Windows Settings section of the machine policy and do nothing, the editor will still add the Scripts folder structure to the GPO, so Get-ChildItem \\mydom.adds\SYSVOL\mydom.adds\Policies\$_\MACHINE will not return $null and $flags will not be set to 2 accordingly. With a little more code, it is pretty easy to detect those empty structures ;) :

Import-Module ActiveDirectory   # provides the AD: drive and Set-ADObject

Get-ChildItem "AD:\CN=Policies,CN=System,DC=mydom,DC=adds" | Select -ExpandProperty Name | ForEach-Object {
    $flags = 0
    $gpoPath = "\\mydom.adds\SYSVOL\mydom.adds\Policies\$_"
    $machineItems   = Get-ChildItem "$gpoPath\MACHINE"
    # The sub-folders may not exist at all, so do not error when they are missing
    $machineScripts = Get-ChildItem "$gpoPath\MACHINE\Scripts" -Recurse -ErrorAction SilentlyContinue
    $userItems      = Get-ChildItem "$gpoPath\USER"
    $userDocs       = Get-ChildItem "$gpoPath\USER\Documents & Settings" -Recurse -ErrorAction SilentlyContinue
    $userScripts    = Get-ChildItem "$gpoPath\USER\Scripts" -Recurse -ErrorAction SilentlyContinue
    # Empty machine side: nothing at all, or only the Scripts\{Shutdown,Startup} skeleton the editor creates
    if (-not ($machineItems) -or ($machineItems.Count -eq 1 -and $machineItems[0].Name -eq "Scripts" -and $machineScripts.Count -eq 2 -and $machineScripts[0].Name -eq "Shutdown" -and $machineScripts[1].Name -eq "Startup"))
    {
        # No machine configuration (or empty Scripts folders)
        # Optionally, you can delete the extra Scripts folder here
        $flags = 2
    }
    # Empty user side: nothing, or only the empty 'Documents & Settings' and Scripts\{Logoff,Logon} skeleton
    if (-not ($userItems) -or ($userItems.Count -eq 2 -and $userItems[0].Name -eq "Documents & Settings" -and $userItems[1].Name -eq "Scripts" -and -not ($userDocs) -and $userScripts.Count -eq 2 -and $userScripts[0].Name -eq "Logoff" -and $userScripts[1].Name -eq "Logon"))
    {
        # No user configuration (or empty 'Documents & Settings' and Scripts folders)
        # Disable all if both are empty, and user only otherwise
        # Optionally, you can delete the extra 'Documents & Settings' and Scripts folders here
        $flags += 1
    }
    Set-ADObject "CN=$_,CN=Policies,CN=System,DC=mydom,DC=adds" -Replace @{flags=$flags}
}

And if you want a specific list only, save it in a text file in this format:

{GUID1}
{GUID2}
...

And replace Get-ChildItem "AD:\CN=Policies,CN=System,DC=mydom,DC=adds" | Select -ExpandProperty Name with Get-Content C:\GPOsDatas\List.txt (replace it with the right file path).
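The same task done through the GroupPolicy RSAT module instead of writing the flags attribute by hand, as an added example that is not part of the answer above. It decides whether a section is empty from the GPMC XML report (Get-GPOReport) rather than from the SYSVOL folder tree, which sidesteps the empty-Scripts-folder false positive the answer describes, and it sets the GpoStatus property (AllSettingsEnabled, UserSettingsDisabled, ComputerSettingsDisabled, AllSettingsDisabled) so GPMC stays consistent. It reads the {GUID}-per-line list format shown above from the answer's example path. Two assumptions are labelled in the code: that a section whose report carries no ExtensionData element holds no settings, and that assigning GpoStatus commits the change through the GPMC API.

```powershell
# Added example, not the answerer's script. Requires the GroupPolicy RSAT module.
# Assumed: a section whose GPMC XML report has no <ExtensionData> element holds
# no settings, and assigning GpoStatus commits the change through the GPMC API.
Import-Module GroupPolicy

function Test-GPOSectionEmpty {
    # Judge emptiness from the report GPMC itself shows, so stray empty
    # Scripts folders in SYSVOL do not produce false positives.
    param([Parameter(Mandatory)][Microsoft.GroupPolicy.Gpo]$Gpo)
    [xml]$report = Get-GPOReport -Guid $Gpo.Id -ReportType Xml
    @{
        Computer = ($null -eq $report.GPO.Computer.ExtensionData)
        User     = ($null -eq $report.GPO.User.ExtensionData)
    }
}

function Set-GPOSectionStatus {
    # Disable whichever section is empty, keep the rest enabled, and write only
    # when the status really changes. Run with -WhatIf first to review the plan.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$GuidList)

    foreach ($line in $GuidList) {
        $line = $line.Trim()
        if (-not $line) { continue }                    # skip blank lines

        $gpo   = Get-GPO -Guid ([guid]$line) -ErrorAction Stop
        $empty = Test-GPOSectionEmpty -Gpo $gpo
        $target = if ($empty.Computer -and $empty.User) { 'AllSettingsDisabled' }
                  elseif ($empty.Computer)              { 'ComputerSettingsDisabled' }
                  elseif ($empty.User)                  { 'UserSettingsDisabled' }
                  else                                  { 'AllSettingsEnabled' }

        $changed = $false
        if ($gpo.GpoStatus -ne $target -and
            $PSCmdlet.ShouldProcess($gpo.DisplayName, "GpoStatus $($gpo.GpoStatus) -> $target")) {
            $gpo.GpoStatus = $target                    # assumed to commit via the GPMC API
            $changed = $true
        }

        # One record per GPO makes the run easy to review or export with Export-Csv
        [pscustomobject]@{
            Name    = $gpo.DisplayName
            Id      = $gpo.Id
            Status  = $gpo.GpoStatus
            Target  = $target
            Changed = $changed
        }
    }
}

# Dry run first; drop -WhatIf to apply. The path is the answer's example path.
Set-GPOSectionStatus -GuidList (Get-Content 'C:\GPOsDatas\List.txt') -WhatIf
```

Because every decision is emitted as an object, the dry run can be piped to Format-Table or Export-Csv and kept as the change record, and a second run after applying should report Changed = False for every GPO, which is the verification step.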

粤ICP备18138465号  © 2020-2024 STACKOOM.COM