Powershell - presentation of the GPOZaurr module for analysing your GPOs

To support me, you can subscribe to the channel, share and like the videos, disable your ad blocker or make a donation. Thank you!

Hello,

The GPOZaurr module allows you to analyse your GPOs and also to correct any problems it detects.

As stated by module author Przemyslaw Klys: “I have done a lot of research and put a lot of effort into making this PowerShell module work as expected. However, sometimes I make mistakes.”

When a problem is reported, the report offers a correction, either as a link at the end of the report section or as a PowerShell command (which supports -WhatIf).

For modifications and deletions, make sure you understand the action you are about to perform.

Documentation

https://github.com/EvotecIT/GPOZaurr

https://evotec.xyz/the-only-command-you-will-ever-need-to-understand-and-fix-your-group-policies-gpo/

A single command (Invoke-GPOZaurr) provides the following reports:

- GPOBroken
- GPOBrokenLink
- GPOOwners
- GPOConsistency
- GPODuplicates
- GPOOrganizationalUnit
- GPOList
- GPOLinks
- GPOPassword
- GPOPermissions
- GPOPermissionsAdministrative
- GPOPermissionsRead
- GPOPermissionsRoot
- GPOPermissionsUnknown
- GPOFiles
- GPOBlockedInheritance
- GPOAnalysis
- GPOUpdates
- NetLogonOwners
- NetLogonPermissions
- SysVolLegacyFiles

Reports available:

GPOBroken: This report detects GPOs that are broken. By broken GPOs, I mean those that exist in AD but have no SYSVOL content, or vice versa: those that have SYSVOL content but no AD metadata. In addition, it is able to detect GPO objects that are no longer GroupPolicy objects. It then provides a simple way to rectify the situation using step-by-step instructions.
GPOBrokenLink: This report can detect links that do not have a corresponding GPO. For example, if a GPO is deleted, sometimes the links to that GPO are not correctly deleted. This command can detect this and suggest a solution.
GPOOwners: This report focuses on GPO owners. By design, if a domain administrator creates a GPO, the owner of the GPO is the domain administrators group. This report detects GPOs that do not belong to Domain Admins (both in SYSVOL and AD) and suggests a solution to fix them.
GPOConsistency: This report detects inconsistent permissions between Active Directory and SYSVOL, checking that the files/folder inside each GPO match the required permissions. It then provides you with an option to remedy this.
GPODuplicates: This report detects GPOs that are CNFs, in other words duplicate AD objects, and suggests a way to remove them.
GPOList: This report summarises all Group Policies, focusing on detecting GPOs that are empty, not linked, disabled, or have no apply permission. It can also detect GPOs that are not optimised or have potential problems (a section that is disabled but still contains settings).
GPOLinks: This report summarises the links indicating where the GPO is linked, whether it is linked to any site, to another domain, or the status of the links.
GPOPassword: This report should detect passwords stored in GPOs.
GPOPermissions: This report provides a complete overview of permissions for all GPOs. It detects GPOs that do not have read permissions for authenticated users, GPOs that do not have domain administrator, enterprise administrator or system administrator permissions. It also detects GPOs that have unknown permissions available. Finally, it allows you to set the permissions for all these GPOs easily. It’s basically a one-stop shop for all your permissions needs.
GPOPermissionsAdministrative: This report focuses solely on detecting missing permissions for domain administrators and enterprise administrators and allows you to fix them in no time.
GPOPermissionsRead: Similar to the administrative report, but this one focuses on GPOs where Authenticated Users are missing their read permission.
GPOPermissionsRoot: This report shows all permissions assigned to the root of the Group Policy container. It allows you to quickly check who can manage all GPOs.
GPOPermissionsUnknown: This report focuses on detecting unknown permissions (deleted users) and allows you to remove them painlessly.
GPOFiles: This report lists all files in the SYSVOL folder (including hidden files) and attempts to determine whether the file location based on extension/type makes sense or requires further checking. It was written to find potential malware or old files that can be safely removed.
GPOBlockedInheritance: This report looks for all organisational units with blocked inheritance and checks the number of users or computers affected.
GPOAnalysis: This report reads all Group Policy content and sorts it into over 70 categories. It can show things like GPOs that do drive mapping, BitLocker, LAPS, printers, etc. It is handy for finding dead settings, dead hosts or settings that no longer make sense.
NetLogonOwners: This report focuses on detecting NetLogon owners and how to reset them to default and secure values.
NetLogonPermissions: This report provides an overview and assessment of all permissions on the NetLogon share.
SysVolLegacyFiles: This report detects SYSVOL Legacy Files (.adm).

# Installing the module
Install-Module -Name GPOZaurr -AllowClobber -Force
# Prerequisites for use on a client workstation
Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
Add-WindowsCapability -Online -Name 'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0'
# Update module
Update-Module -Name GPOZaurr
# Report generation
Invoke-GPOZaurr
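As an added example (not part of the original post and not the GPOZaurr project's own code), here is the procedure above turned into one script that also shows the -WhatIf preview mentioned earlier: it installs the RSAT capabilities only if they are missing, installs or updates the module, generates a subset of the reports to a fixed file, and then dry-runs two remediation cmdlets. The -Type and -FilePath parameters of Invoke-GPOZaurr, and the Remove-GPOZaurrBroken and Set-GPOZaurrOwner cmdlets with their -Type and -LimitProcessing parameters, are taken from the module's documentation and are assumptions as far as this post is concerned; the report path is a constructed value.

```powershell
# Added example; assumes the GPOZaurr cmdlets and parameters named below exist as
# documented by the module. Run from an elevated session (capabilities and module
# installation need it).
#Requires -RunAsAdministrator

# 1. RSAT capabilities needed on a client workstation; skip ones already installed.
$capabilities = @(
    'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0',
    'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0'
)
foreach ($name in $capabilities) {
    $cap = Get-WindowsCapability -Online -Name $name
    if ($cap.State -ne 'Installed') {
        Write-Host "Installing capability $name"
        Add-WindowsCapability -Online -Name $name | Out-Null
    }
}

# 2. Install the module if absent, otherwise update it.
if (-not (Get-Module -ListAvailable -Name GPOZaurr)) {
    Install-Module -Name GPOZaurr -AllowClobber -Force
} else {
    Update-Module -Name GPOZaurr
}
Import-Module -Name GPOZaurr

# 3. Generate only the reports of interest, written to a timestamped file (constructed path)
#    instead of the full default run; -Type and -FilePath are assumed module parameters.
$report = Join-Path $env:TEMP ('GPOZaurr_{0:yyyyMMdd_HHmm}.html' -f (Get-Date))
Invoke-GPOZaurr -Type GPOBroken, GPOOwners, GPOPermissionsUnknown -FilePath $report -Verbose
Write-Host "Report written to $report"

# 4. Preview remediation without changing anything: -WhatIf only prints what would happen,
#    -LimitProcessing (assumed parameter) caps how many objects one pass would touch.
Remove-GPOZaurrBroken -Type SYSVOL, AD -LimitProcessing 2 -Verbose -WhatIf
Set-GPOZaurrOwner -Type Unknown -LimitProcessing 2 -Verbose -WhatIf
```

Read the HTML report and the -WhatIf output first; only once each listed action is understood should the last two lines be rerun without -WhatIf, and keeping -LimitProcessing small lets you verify the effect on a couple of GPOs before processing the rest.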

Related links