Powershell to sanitize GPO

Quick ways to sanitize GPOs with Powershell.

Did you ever wonder how many GPOs you have that are not linked anywhere?


Or whether any of the users that were granted permissions in a GPO's security filtering have since been deleted?




Here are two quick “scripts” that will find exactly that for you, so you can investigate further and “sanitize” your Group Policy Objects.

# Get all GPOs that are not linked to anything: the XML report lists every link under LinksTo,
# so a GPO with no SOMPath has no link at all (note that a disabled link still counts as a link here)
Get-GPOReport -All -ReportType Xml | % { ([xml]$_).GPO | select Name, @{n="SOMName"; e={ $_.LinksTo | % { $_.SOMName } }}, @{n="SOMPath"; e={ $_.LinksTo | % { $_.SOMPath } }} | ? { $null -eq $_.SOMPath } }

# Get all GPOs that have permission entries for deleted users (no DisplayName, just an unresolved SID)
# The result list must be initialised before use, otherwise the -notcontains check fails on the first GPO
$gp = @(); Get-GPO -All | % { $g = $_; $g | Get-GPPermission -All | % { if ($null -eq $_.Trustee.Name -and $gp -notcontains $g.DisplayName) { $gp += $g.DisplayName } } }; $gp
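The two one-liners above answer each question separately. The following is an added example (not from the original post) that combines both checks into one object per GPO, so the output can be sorted, filtered, or exported for review. It adds two things the one-liners do not show: it distinguishes disabled links from missing links (a GPO whose only links are disabled is just as much a cleanup candidate), and for every unresolved SID it retries name translation, because a SID from a trusted forest that cannot be resolved from this machine is not the same as a deleted account. It assumes the GroupPolicy module (RSAT) is installed on a domain-joined host, that the running account can read every GPO, and that the function name Get-GPOSanitizeReport and the output file name are free to choose.

```powershell
# Added example: one report object per GPO covering both checks from the post.
# Assumes the GroupPolicy module is available and the caller can read all GPOs.
Import-Module GroupPolicy

function Get-GPOSanitizeReport {
    [CmdletBinding()]
    param(
        # Optional domain to query; when omitted the cmdlets use the current user's domain
        [string]$Domain
    )

    # Only pass -Domain to the cmdlets when the caller supplied one
    $dom = @{}
    if ($Domain) { $dom.Domain = $Domain }

    foreach ($gpo in (Get-GPO -All @dom)) {
        # The XML report lists one LinksTo element per link, each with SOMPath and Enabled
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml @dom
        # Where-Object { $_ } drops the $null that an unlinked GPO would otherwise yield
        $links        = @($report.GPO.LinksTo | Where-Object { $_ })
        $enabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' })

        # ACEs whose trustee no longer resolves to a name: only the SID is left on the object
        $orphaned = @(Get-GPPermission -Guid $gpo.Id -All @dom |
            Where-Object { [string]::IsNullOrEmpty($_.Trustee.Name) } |
            ForEach-Object {
                $sid = $_.Trustee.Sid
                # Second resolution attempt: a SID from a trusted forest may simply be
                # unresolvable from here, so record whether translation fails outright
                $resolves = $true
                try   { $null = $sid.Translate([System.Security.Principal.NTAccount]) }
                catch { $resolves = $false }
                [pscustomobject]@{ Sid = $sid.Value; Permission = $_.Permission; Resolves = $resolves }
            })

        [pscustomobject]@{
            DisplayName   = $gpo.DisplayName
            Id            = $gpo.Id
            GpoStatus     = $gpo.GpoStatus
            ModifiedTime  = $gpo.ModificationTime
            LinkCount     = $links.Count
            EnabledLinks  = $enabledLinks.Count
            LinkPaths     = ($links | ForEach-Object { $_.SOMPath }) -join '; '
            OrphanedCount = $orphaned.Count
            # SIDs that still do not resolve after the retry are the likely deleted accounts
            OrphanedSids  = ($orphaned | Where-Object { -not $_.Resolves } | ForEach-Object { $_.Sid }) -join '; '
            # Cleanup candidate: no links, only disabled links, or all settings disabled
            Candidate     = ($links.Count -eq 0) -or ($enabledLinks.Count -eq 0) -or ($gpo.GpoStatus -eq 'AllSettingsDisabled')
        }
    }
}

# Usage: look at the candidates and orphaned entries first, then keep the full list for follow-up
$report = Get-GPOSanitizeReport
$report | Where-Object { $_.Candidate -or $_.OrphanedCount -gt 0 } |
    Format-Table DisplayName, LinkCount, EnabledLinks, OrphanedCount, GpoStatus -AutoSize
$report | Export-Csv -Path .\gpo-sanitize-report.csv -NoTypeInformation
```

The report is read-only by design: it tells you which GPOs to look at, not what to delete. Before removing a GPO flagged as Candidate, check ModifiedTime and whether it is linked at the site level or referenced from another domain, and before stripping an orphaned ACE confirm the SID is not a foreign security principal that only fails to resolve from this host.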