Jagjeet Singh

PowerShell Script to Find GPOs Using a Specific Script and Generate Reports


In this blog post, we will introduce a PowerShell script that can help you quickly find which Group Policy Objects (GPOs) are using a specific script and generate reports for each GPO.


By using this script, you can easily audit your GPOs and ensure that your group policy scripts are being used where they are supposed to be.


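# Requires the GroupPolicy module (installed with GPMC / RSAT)
Import-Module GroupPolicy

$scriptName = "deleteoldsecuritylogs.ps1"

# Get all the GPOs in the domain
$gpos = Get-GPO -All

# Loop through each GPO and generate a report
foreach ($gpo in $gpos) {
    # GPO display names may contain characters that are not valid in file names
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $reportPath = Join-Path -Path $env:TEMP -ChildPath "${safeName}_Report.html"
    Get-GPOReport -Guid $gpo.Id -ReportType HTML -Path $reportPath

    # Search the report for your script name as literal text, not as a regex
    # ($matches is an automatic variable, so the result goes in $found instead)
    $found = Select-String -LiteralPath $reportPath -Pattern $scriptName -SimpleMatch

    # If there is a match, print the GPO name and the path to the report
    if ($found) {
        Write-Output "The script '$scriptName' is being used in the GPO '$($gpo.DisplayName)'."
        Write-Output "The report for this GPO can be found at '$reportPath'."
    }

    # Delete the temporary report; remove this line if you want to keep the reports
    Remove-Item -LiteralPath $reportPath
}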

Step-by-step Guide:

  1. The script starts by defining the name of the PowerShell script as $scriptName. This can be customized based on the name of the script you want to search for.

  2. The script then gets all the GPOs in the domain using the Get-GPO command with the -All parameter and stores them in the $gpos variable.

  3. The script loops through each GPO in $gpos using a foreach loop.

  4. For each GPO, the script generates a report using the Get-GPOReport command. The report is saved in HTML format under a unique file name based on the GPO display name, and the full path to it is held in the $reportPath variable.

  5. The script then searches the report for the script name defined in $scriptName using the Select-String command with the -Pattern parameter. If a match is found, the GPO name and the path to the report are printed using the Write-Output command.

  6. After printing the GPO name and report path (if applicable), the script deletes the report using the Remove-Item command with $reportPath as the parameter.

  7. The loop continues to the next GPO in $gpos and repeats the process until all GPOs have been searched and reports generated.

Overall, this PowerShell script allows you to quickly search for GPOs using a specific script and generate reports for each GPO. It can be useful for auditing purposes or when troubleshooting issues with group policy scripts.
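
As an added example (not the author's script), here is the same search run over the XML form of each report, held in memory, so nothing is written to $env:TEMP and each hit shows which element references the script and whether it sits on the Computer or User side. The function name Find-ScriptInGpoXml and the sample XML are constructed for illustration; the sample is simplified and is not a real report.

```powershell
# Added example, not the author's script: search GPO XML reports in memory.
function Find-ScriptInGpoXml {
    param(
        [Parameter(Mandatory)] [string] $Xml,        # XML text of one GPO report
        [Parameter(Mandatory)] [string] $ScriptName  # file name to look for
    )
    $doc = [xml]$Xml
    # Leaf elements only, so a hit is reported once, at the element that holds it.
    foreach ($node in $doc.SelectNodes('//*[not(*)]')) {
        # Literal, case-insensitive match: no regex or wildcard interpretation.
        if ($node.InnerText.IndexOf($ScriptName, [StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }
        # Walk up the tree to see whether the setting sits under Computer or User.
        $side = 'Unknown'
        for ($p = $node.ParentNode; $p -is [System.Xml.XmlElement]; $p = $p.ParentNode) {
            if ($p.LocalName -in 'Computer', 'User') { $side = $p.LocalName }
        }
        [pscustomobject]@{ Side = $side; Element = $node.LocalName; Value = $node.InnerText.Trim() }
    }
}

# Constructed, simplified sample so the function can be tried without a domain.
$sampleXml = @'
<GPO>
  <Name>Max Event Log Size</Name>
  <Computer>
    <ExtensionData><Extension><Script>
      <Command>deleteoldsecuritylogs.ps1</Command>
      <Type>Startup</Type>
    </Script></Extension></ExtensionData>
  </Computer>
  <User />
</GPO>
'@
Find-ScriptInGpoXml -Xml $sampleXml -ScriptName 'DeleteOldSecurityLogs.ps1'

# Against a live domain (needs the GroupPolicy module from GPMC / RSAT):
if (Get-Command Get-GPO -ErrorAction SilentlyContinue) {
    foreach ($gpo in Get-GPO -All) {
        # Without -Path, Get-GPOReport returns the report text instead of writing a file.
        $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        Find-ScriptInGpoXml -Xml $xml -ScriptName 'deleteoldsecuritylogs.ps1' |
            Select-Object @{ n = 'GPO'; e = { $gpo.DisplayName } }, Side, Element, Value
    }
}
```

The leaf-element search makes no assumption about the report schema beyond the top-level Computer and User elements, so a GPO that mentions the script anywhere in its settings is listed.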




deleteoldsecuritylogs.ps1 - the PowerShell script we searched for above using the $scriptName variable.

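# Used with "Max Event Log Size" GPO.

# Remember the machine-wide policy. Set-ExecutionPolicy writes to the LocalMachine
# scope by default, so read that same scope to restore the right value afterwards.
$previousPolicy = Get-ExecutionPolicy -Scope LocalMachine
Write-Host $previousPolicy

try {
    # Temporarily set the execution policy to Unrestricted
    Set-ExecutionPolicy Unrestricted -Force
    # Delete archived Security logs last written more than 10 days ago
    Get-ChildItem -Path "C:\Windows\System32\winevt\Logs" -Recurse | Where-Object { $_.Name -like "Archive-Security*" -and $_.LastWriteTime -lt (Get-Date).AddDays(-10) } | Remove-Item -Force
}
finally {
    # Restore the saved policy even if the cleanup fails
    Set-ExecutionPolicy $previousPolicy -Force
}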

This is a PowerShell script that performs the following actions:

  1. The current execution policy is stored in the variable $previousPolicy using the Get-ExecutionPolicy command.

  2. The execution policy is temporarily set to Unrestricted using the Set-ExecutionPolicy command with the -Force flag.

  3. The script uses the Get-ChildItem command to get a list of all files and directories under the path C:\Windows\System32\winevt\Logs, including all subdirectories recursively.

  4. The Where-Object cmdlet is used to filter the output of Get-ChildItem. It selects only the files that have a name that matches the pattern "Archive-Security*" and that have a LastWriteTime property that is older than 10 days using the -lt operator.

  5. The Remove-Item cmdlet is used to delete the filtered files from the system using the -Force flag to suppress any prompts for confirmation.

  6. Finally, the execution policy is reset to the value stored in $previousPolicy using the Set-ExecutionPolicy command with the -Force flag.

Overall, this script deletes old security log archives located in the C:\Windows\System32\winevt\Logs directory and its subdirectories, while temporarily changing the PowerShell execution policy to allow script execution.



