Eu usaria alguns pequenos scripts Powershell para isso, principalmente usando:
- Get-ADOrganizationalUnit
- Get-GPO
- Get-GPOReport
Dos módulos:
- ActiveDirectory
-
grouppolicy
import-module ActiveDirectory import-module grouppolicy
algo como isto:
I want to know how many total GPOs applied for each OU.
$OUs = Get-ADOrganizationalUnit -filter * -properties DistinguishedName,LinkedGroupPolicyObjects
foreach($OU in $OUs) {
write-host $OU.DistinguishedName : $OU.LinkedGroupPolicyObjects.count
}
GPO with out no parameters and no link
$GPOS = get-gpo -All | select-object DisplayName
foreach($GPO in $GPOS) {
$myGPO = $GPO.DisplayName
Get-GPOReport -Name "$myGPO" -ReportType Xml >tmp.xml
[xml]$xmldata = get-content "tmp.xml"
$computerLevel = $xmldata.GPO.Computer.ExtensionData | Measure-Object
$userLevel = $xmldata.GPO.User.ExtensionData | Measure-Object
$links = $xmldata.GPO.Linksto | Measure-Object
$NbreLinks = $links.count
$NbreComputerLevel = $computerLevel.Count
$NbreUserLevel = $userLevel.count
$totalParams = $NbreComputerLevel + $NbreUserLevel
if (($totalParams -eq 0) -and ($NbreLinks -eq 0)) {
write-host $myGPO
}
}
GPO's With less than 2 parameters and less than 2 links
É o mesmo que acima, mas substitua a declaração if por:
if(($totalParams -lt 2) -and ($NbreLinks -lt 2)) {
write-host $myGPO
}