Dear Przemysław

Improve GPO folder redirection report (Policy.User.ExtensionData - Folder Redirection). Add FolderType nice names in addition to Id:

function ConvertTo-XMLFolderRedirection {
    [cmdletBinding()]
    param(
        [PSCustomObject] $GPO,
        [switch] $SingleObject
    )
	
	$FolderID = @{
        "{1777F761-68AD-4D8A-87BD-30B759FA33DD}" = "Favorites"
        "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}" = "Documents"
        "{33E28130-4E1E-4676-835A-98395C3BC3BB}" = "Pictures"
        "{4BD8D571-6D19-48D3-BE97-422220080E43}" = "Music"
        "{18989B1D-99B5-455B-841C-AB7C74E4DDFC}" = "Videos"
        "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}" = "AppDataRoaming"
        "{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}" = "Desktop"
        "{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}" = "StartMenu"
        "{374DE290-123F-4565-9164-39C4925E467B}" = "Downloads"
        "{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}" = "Saved Games"
        "{56784854-C6CB-462B-8169-88E350ACB882}" = "Contacts"
        "{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}" = "Searches"
        "{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}" = "Links"
    }
	
    if ($SingleObject) {
        $CreateGPO = [ordered]@{
            DisplayName = $GPO.DisplayName
            DomainName  = $GPO.DomainName
            GUID        = $GPO.GUID
            GpoType     = $GPO.GpoType
            #GpoCategory = $GPOEntry.GpoCategory
            #GpoSettings = $GPOEntry.GpoSettings
            Count       = 0
            Settings    = $null
        }
        [Array] $CreateGPO['Settings'] = foreach ($Folder in $GPO.DataSet) {
            foreach ($Location in $Folder.Location) {
                [PSCustomObject] @{
                    DestinationPath           = $Location.DestinationPath
                    SecuritySID               = $Location.SecurityGroup.SID.'#text'
                    SecurityName              = $Location.SecurityGroup.Name.'#text'
                    GrantExclusiveRights      = if ($Folder.GrantExclusiveRights -eq 'true') { $true } else { $false }
                    MoveContents              = if ($Folder.MoveContents -eq 'true') { $true } else { $false }
                    FollowParent              = if ($Folder.FollowParent -eq 'true') { $true } else { $false }
                    ApplyToDownLevel          = if ($Folder.ApplyToDownLevel -eq 'true') { $true } else { $false }
                    DoNotCare                 = if ($Folder.DoNotCare -eq 'true') { $true } else { $false }
                    RedirectToLocal           = if ($Folder.RedirectToLocal -eq 'true') { $true } else { $false }
                    PolicyRemovalBehavior     = $Folder.PolicyRemovalBehavior     # : LeaveContents
                    ConfigurationControl      = if ($Folder.ConfigurationControl -eq 'GP') { 'Group Policy' } else { $Folder.ConfigurationControl }      # : GP
                    PrimaryComputerEvaluation = $Folder.PrimaryComputerEvaluation # : PrimaryComputerPolicyDisabled
                }
            }
        }
        $CreateGPO['Count'] = $CreateGPO['Settings'].Count
        $CreateGPO['Linked'] = $GPO.Linked
        $CreateGPO['LinksCount'] = $GPO.LinksCount
        $CreateGPO['Links'] = $GPO.Links
        [PSCustomObject] $CreateGPO
    } else {
        foreach ($Folder in $GPO.DataSet) {
            foreach ($Location in $Folder.Location) {
                $CreateGPO = [ordered]@{
                    DisplayName               = $GPO.DisplayName
                    DomainName                = $GPO.DomainName
                    GUID                      = $GPO.GUID
                    GpoType                   = $GPO.GpoType
					FolderType                = $FolderID.( $GPO.Id )
                    Id                        = $Folder.Id
                    DestinationPath           = $Location.DestinationPath
                    SecuritySID               = $Location.SecurityGroup.SID.'#text'
                    SecurityName              = $Location.SecurityGroup.Name.'#text'
                    GrantExclusiveRights      = if ($Folder.GrantExclusiveRights -eq 'true') { $true } else { $false }
                    MoveContents              = if ($Folder.MoveContents -eq 'true') { $true } else { $false }
                    FollowParent              = if ($Folder.FollowParent -eq 'true') { $true } else { $false }
                    ApplyToDownLevel          = if ($Folder.ApplyToDownLevel -eq 'true') { $true } else { $false }
                    DoNotCare                 = if ($Folder.DoNotCare -eq 'true') { $true } else { $false }
                    RedirectToLocal           = if ($Folder.RedirectToLocal -eq 'true') { $true } else { $false }
                    PolicyRemovalBehavior     = $Folder.PolicyRemovalBehavior     # : LeaveContents
                    ConfigurationControl      = if ($Folder.ConfigurationControl -eq 'GP') { 'Group Policy' } else { $Folder.ConfigurationControl }      # : GP
                    PrimaryComputerEvaluation = $Folder.PrimaryComputerEvaluation # : PrimaryComputerPolicyDisabled
                    Linked                    = $GPO.Linked
                    LinksCount                = $GPO.LinksCount
                    Links                     = $GPO.Links
                }
                [PSCustomObject] $CreateGPO
            }
        }
    }
}

Would be great to have EvergreenADmX as part of GPOzaurr, not thinking about an own commandlet rather having the option to make it more popular and updating ADMX while doing GPO house keeping isn't a bad idea (recommended at least even once a year).

I read an article from Sending GPOs Down the Wrong Track–Redirecting the GPT about redirected group Policy template paths with. Is it possible to check for that in gpozaurr?

I love the gpozaurr module. Thank you for your hard work and compassion.

Hello,
When i launch this command : Remove-GPOZaurrBroken -Type AD -LimitProcessing 2 -Verbose
I have this warm :
AVERTISSEMENT : Remove-GPOZaurrBroken - DistinguishedName CN={AE7CC155-CA5C-4963-B920-4565F4802F22},CN=Policies,CN=System,DC=domain,DC=local not found or ObjectClass is not groupPolicyContainer/C
ontainer ()

The GPO "Not available on SYSVOL" is still here

Do you have English based domain? No its French
What forest version? 2016
What domain version? 2016
What Windows Server? 2019
What workstation you're running it from? directly on DC

Hello,

Thanks for your job.

I have install your module

But the module not running

PS C:\Users\administrateur> Import-Module GPOZaurr
PS C:\Users\administrateur> Get-Module

ModuleType Version Name ExportedCommands

Binary 1.0.0.0 CimCmdlets {Export-BinaryMiLog, Get-CimAssociatedInstance, Get-CimClass, Get-CimInstance...}
Script 0.0.114 GPOZaurr {Get-GPOZaurrBrokenLink, Get-GPOZaurrPermissionAnalysis, Get-GPOZaurrPermissionIssue, Invoke-GPOZaurrContent...}
Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...}
Manifest 3.0.0.0 Microsoft.PowerShell.Security {ConvertFrom-SecureString, ConvertTo-SecureString, Get-Acl, Get-AuthenticodeSignature...}
Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Script 2.0.0 PSReadline {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PSReadLineKeyHandler, Set-PSReadLineKeyHandler...}
Script 0.0.131 PSWriteHTML {Add-HTML, Add-HTMLScript, Add-HTMLStyle, ConvertTo-CascadingStyleSheets...}

PS C:\Users\administrateur> Invoke-GPOZaurr
Invoke-GPOZaurr : Le terme « Invoke-GPOZaurr » n'est pas reconnu comme nom d'applet de commande, fonction, fichier de script ou programme exécutable. Vérifiez l'orthographe du nom, ou si un chemin d'accès existe, vérifiez que le chemin d'accès est correct et réessayez.
Au caractère Ligne:1 : 1

• Invoke-GPOZaurr

•   + CategoryInfo          : ObjectNotFound: (Invoke-GPOZaurr:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
  
  

PS C:\Users\administrateur>

Help please

When you redirect the default container for new computers to the domain to an OU (which can have GPO assigned to it) using the REDIRCMP command, you may have a perfectly useful OU with GPOs attached to it, but may be empty. Many organizations might find it helpful to have a staging OU that all computers are joined to initially, so group policy is applied, and then they are moved to another OU, either automatically or manually.

We do this and in the "Group Policy Organizational Units" tab/report, this OU shows up because it is empty but has GPOs applied to it.

I would recommend checking the value of Get-ADDomain | Select ComputersContainer and ignoring this OU (if it is an OU), if there are GPOs assigned but no computers. Right now, the suggestion is that I should unlink GPOs and delete the OU because there are no computers within, but in my case that is definitely not what I want to do.

Edit: Additionally, I am now noticing that in the "Group Policy Summary" tab, it is telling me that there are GPOs that are unlinked, which are in fact linked to the empty staging/default OU. I'd recommend flagging those GPOs links as active links due to linking to the default computer container/OU.

This is on the TODO list - the ability to take whatever GPOAnalysis shows, connect it with GPOLinks, and based on those 2 create analysis on:

1. GPOs that are duplicate
2. GPOs that are in conflict
3. GPOs that are misconfigured
4. GPOs that do nothing - for example, linked password settings to a different place than root or domain controllers - those GPOs for sure have no effect.

This will take a while - and I haven't started yet - i have some ideas - but feel free to chime in.

After installation and verifying dependencies are installed, unable to run module, as it states "Invoke-GPOAzurr" is not recognized as a name of a cmdlet, function, script file, or executable program.'

Running in Windows Server 2016. Same results when running in PS v5 v6 and v7

.

Hello,

First of all I would like to say thank you for all your hard work.
It seems that there's an issue with the latest release when trying to run the below:
Invoke-GPOZaurr -Domain myLab.local -FilePath .\report.html

And the full error is:

PS C:> $Error[-2] | Format-List * -Force

PSMessageDetails :
Exception : Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException: Directory object not found
---> System.ServiceModel.FaultException: The failed operation was attempted on a non-existent
directory object.
--- End of inner exception stack trace ---
at
Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForExtendedError(String
extendedErrorMessage, Exception innerException)
at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String
message, String errorCode, String extendedErrorMessage, Exception innerException)
at
Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetail(FaultDetail
faultDetail, FaultException faultException)
at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault adwsFault,
FaultException faultException)
at Microsoft.ActiveDirectory.Management.AdwsConnection.Search(ADSearchRequest request)
at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Ma
nagement.IADSyncOperations.Search(ADSessionHandle handle, ADSearchRequest request)
at Microsoft.ActiveDirectory.Management.ADObjectSearcher.PagedSearch(Object& pageCookie,
Boolean& hasSizeLimitExceeded, Int32 pageSize, Int32 sizeLimit)
at Microsoft.ActiveDirectory.Management.ADObjectSearchResultEnumerator.System.Collections.IE
numerator.MoveNext()
at Microsoft.ActiveDirectory.Management.Commands.ADFactory1.<GetExtendedObjectFromFilter>d_ _33.MoveNext() at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase3.OutputSearchResults(IADOP
athNode filter)
at
Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase3.ADGetCmdletBaseBeginCSRoutine() at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke() at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase1.BeginProcessing()
TargetObject :
CategoryInfo : ObjectNotFound: (:) [Get-ADObject], ADIdentityNotFoundException
FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsof
t.ActiveDirectory.Management.Commands.GetADObject
ErrorDetails :
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at Get-WinADDuplicateObject, C:\Program
Files\WindowsPowerShell\Modules\GPOZaurr\1.1.0\GPOZaurr.psm1: line 2584
at Get-GPOZaurrDuplicateObject, C:\Program
Files\WindowsPowerShell\Modules\GPOZaurr\1.1.0\GPOZaurr.psm1: line 21390
at , C:\Program Files\WindowsPowerShell\Modules\GPOZaurr\1.1.0\GPOZaurr.psm1:
line 14612
at Invoke-GPOZaurr, C:\Program Files\WindowsPowerShell\Modules\GPOZaurr\1.1.0\GPOZaurr.psm1:
line 24436
at , : line 1
PipelineIterationInfo : {}

Would be nice to be able to pass in my PSCredential object that has the permissions needed rather than having to be logged in interactively as that user.

The command used to not split the reports when run alone. Do I need to add a new parameter to the command to get the full report in one html?

I noticed this exists in the GPOConsistency report output, but I think it would make sense to also have it in the GPOList output as well.

Dear Przemyslaw

The property 'SysVolPath' returned by Get-GPOZaurrPermissionConsistency contains a whitespace a the end of the name.

Please consider to correct.
Best regards
Patrick

I am not sure if this is even possible... But, it would be nice if it was possible to run this against a remote server. I have a server that I cannot update PowerShell on that I would like to check using its replacement that is a 2019 Std server.

I recently ran a GPOAnalysis against our domain, and the Folder Redirect tab only pulled 2 of our GPOs that have folder redirects configured. We have more GPOs than this that do have this setting, of which I'm trying to get a proper count. But a quick spot-check showed that at least one that is present in the forest that wasn't captured in the report.

Hi! We have the problem that GPOZaurr is reporting GPOs as empty that have been created using a 3rd party MMC extension. In our case, the affected GPOs contain Citrix policies.

I ran this:

$GPOInconsistentPerms = Get-GPOZaurrPermissionConsistency -IncludeDomains (Get-ADDomain).DNSRoot

and then this:

$GPOInconsistentPerms.Where({ $_.id -eq '15b4308d-9faf-425a-ba63-a786b916f242'})

and got no output, which was odd as I'd copied the GUID from the Invoke-GPOZaurr report I'd also just run. After too much fiddling and not enough thinking, I tab-completed it and got this:

$GPOInconsistentPerms[101].'Id       '

Looking in the file for Get-GPOZaurrPermissionConsistency on line 99, you have this:

$Object['Id       '] = $_.Id              # : 8a7bc515-d7fd-4d1f-90b8-e47c15f89295

Is it supposed to be like that?

Hi All

First time I am posting an issue in githib for any project, Hopefully I am doing this correctly

Issue

I have run the following

PS C:\Windows\system32> Invoke-GPOZaurr -verbose [i][GPOZaurr] Version [Informative] Current/Latest: 1.0.0 at 09/17/2023 09:11:39 [i][GPOZaurr] Domain Information [Informative] Forest: Not defined. Using current one [i][GPOZaurr] Domain Information [Informative] Included Domains: Not defined. Using all domains of forest [i][GPOZaurr] Domain Information [Informative] Excluded Domains: No exclusions provided

and then the report opens

file:///C:/Users/./AppData/Local/Temp/hi0cz3ju.html#WizardStep-jy3gd9i2

Going to

1. Group Policy Content
2. FileExplorer
3. displays the following

• DisplayName DomainName GUID GpoType DoNotRequestAlternateCredentials RequestCredentialsForNetworkInstallations TurnOffPreviewPane SetADefaultAssociationsConfigurationFile SetADefaultAssociationsConfigurat

Or this RAW code <html><body><!--StartFragment-->DisplayName | DomainName | GUID | GpoType | DoNotRequestAlternateCredentials | RequestCredentialsForNetworkInstallations | TurnOffPreviewPane | SetADefaultAssociationsConfigurationFile | SetADefaultAssociationsConfigurat-- | -- | -- | -- | -- | -- | -- | -- | --<!--EndFragment--></body></html>

Is this a bug?

Regards
Iain

Hello

I am trying to do a GPO audit on my domain, and your tool is very great.
I would love to have a csv / xls file with all the gpo and thei settings.

It would permit me to rationalise the GPOs in number, and regroup most of GPO.

I see the table as folowing.

Thanks a lot for your great job.

shows this error
"WARNING: Get-WinADForestDetails - Error discovering DC for Forest - Could not find a forest identified by: %mydomain%"
and then outputs a file that everything is showing as good with zeros

the result is, that Get-Command doesn-t show module commands until after importing module. And module autoload doesn't work.

Not an issue and I really love the work you've done, it's an amazing reporting utility and really impressive work.

I'm not sure how feasible this idea really is. Basically, I'd like to run the report daily and have it compared against the previous days report. If there are no changes then simply keep the previous days report. If there have been changes then save the new one with the current date and highlight changes. This keeps both copies for historical comparison.

First off I just wanted to compare the HTML files but I realised each one has certain unique aspects anyway. The time it was generated for example. My next thought is to find a way to filter through the HTML just to the table with the data I want in it but I can't seem to get to the table.

Cheers for any thoughts or ideas you can throw my way.

The OU scan appears to only see Users, Computers and Groups when giving the recommendation to delete an "empty" OU. Manually going through the list I noticed a couple of our recommended OUs to delete were well populated with printer objects.

I got told i got some empty GPO's and went in to check them but they aren't empty at all. They got user/comp settings so i'm really confused on how to deal with those at the moment.

If any more info is needed or some screens etc, feel free to ask me.

Hello,

When I user Invoke-GPOzaurr, there are portions of the report that come up blank: Group Policy Links, Group Policy Root Permissions, Group Policy Content, and Group Policy Passwords. Additionally, when I look at the Group Policy Summary report, it says the vast majority of my policies are unlinked, even though they are linked. The other reports appear to run correctly

With the Group policy Owner portion, I get this Warning for each GPO:
WARNING: Set-ADACLOwner - Drive CN{31B2F340-016D-11D2-945F-00C04FB984F9}CNPoliciesCNSystemDCSARASOTA not mapped. Terminating...

Group policy summary yields:
WARNING: Get-PrivGPOZaurrLink - Couldn't find link cn={84187EC3-FB32-458E-9800-0A577F6AADEF},cn=policies,cn=system.SARASOTA84187EC3-FB32-458E-9800-0A577F6AADEF in a GPO Cache. Lack of permissions for given GPO? Are you running as admin? Skipping.
Group Policy links yields the same warning as GPO Summary
Get-GPOReport Yeilds:

At C:\Program Files\WindowsPowerShell\Modules\GPOZaurr\0.0.126\GPOZaurr.psm1:17964 char:32
+ ... GPOOutput = Get-GPOReport -Guid $GPO.GUID -Domain $GPO.DomainName -Re ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-GPOReport], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.GroupPolicy.Commands.GetGpoReportC
   Ommand```
I am running as a domain admin, and that group appears to have the correct permissions for these GPOs. Am I missing something?

Requesting a section be added for the finding GPOs that are adjusting Windows Time/NTP Settings.

These settings are located at: Computer Configuration/Administrative Templates/System/Windows Time Service

Specifically the most important settings are "Configure Windows NTP Client" and the option NTPServer within that.

The "Group Policy Owners" tab shows AGPM GMSA accounts as "Non-Administrative Owners" in report instead of "Non-Administrative, but approved Owners (for example AGPM)". Could be due to needing Get-ADServiceAccount instead of Get-ADUser when using service accounts. GMSA account is a member of "Group Policy Creator Owners" group.

`Select-Object : The property cannot be processed because the property "PowerPoint" already exists.
At C:\Program Files\WindowsPowerShell\Modules\PSWriteHTML\0.0.148\PSWriteHTML.psm1:16159 char:47
... $DataTable = $DataTable | Select-Object -Property $Properties

CategoryInfo : InvalidOperation: (@{DisplayName=*...ProxyOverride=}:PSObject) [Select-Object], PSArgumentException
FullyQualifiedErrorId : AlreadyExistingUserSpecifiedPropertyNoExpand,Microsoft.PowerShell.Commands.SelectObjectCommand`

This one is coming from PSWriteHTML, GPOZAirr.psm1 generates the same errors on repeated properties. GPOZaurr.psm1 line 18074 I think. That foreach is problematic unless without a validation that the property doesn't already exist in the new hashtable. If I find a fix I'll drop a note.

Awesome module btw, thanks for the hard work!

GPOZaurr seems to error when using Group Managed Service Accounts in GPOs

Request to either add Windows Settings -> Folder Redirection details (including source and target) to the Folder Redirection tab in the GPOAudit report, or either have a separate tab or separate report for this.

It would be beneficial to have a quick look at all folder redirection targets to spot problems (e.g. invalid servers or paths, servers referenced only via NETBIOS vs FQDN, etc.)

Currently a list of GPOs that have this setting set can be generated from the GPOReport report by filtering on the 'UserPolicies' column for 'Folder Redirection'. However, from there, one has to touch each GPO to find out the redirection target information. This can be tedious if there are many GPOs with folder redirection settings enabled.

In 0.0.154, during tests that analyze permissions, and while running on a Domain Controllers, I see the warning message "Get-LocalComputerSid - Error: You cannot call a method on a null-valued expression." It appears repeatedly, perhaps for every GPO being analyzed.

Is this something to address, or truly just informational? I only see one minor permissions issue among my GPOs.

Would you be able to provide some examples on/if we can target an Organization Unit with Invoke-GPOZAurr?

I could not find the right syntax and the Organization Unit DOC does not seem complete.

In version 0.0.156, you have a bit of code in GPOZaurr.psm1 at line 15301 which is meant to add the date ($DateName) to the filename for split reports. The problem seems to be that single reports are still being processed as "split" reports, and when you feed "invoke-GPOZaurr" a filename the resulting save path gets formatted in an unexpected way.

In the example output below, the filename "GPODuplicates_2022-12-07.html" is transformed into "GPODuplicates_2022-12-07_GPODuplicates_2022-12-07_140933.html":

...
[i][Start] Duplicate (CNF) Group Policies
[i][End ] Duplicate (CNF) Group Policies [Time to execute: 0 days, 0 hours, 0 minutes, 0 seconds, 594 milliseconds]
[i][HTML ] Generating HTML report (C:\inetpub\wwwroot\Domain Health\GPO Audits\2022-12-07\GPODuplicates_2022-12-07_GPODuplicates_2022-12-07_140933.html) for GPODuplicates with split reports

under the "Warnings & Error Section" can the errors adjust to be more user friendly? Unclear why these are problems. Looked up a good chunk of user/group SID's found and could locate them.

.EXAMPLE
.COMMENT USED
Cannot convert value "S-1-5-18" to type "System.Guid". Error: "Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)."
.SUGGESTION
.REFERENCE
According to: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows
"S-1-5-18" = Name: Local System | Description: A service account that is used by the operating system.
.ALTERNATIVE ERROR COMMENT
Contains value of a 'Local System Account'

.EXAMPLE
.COMMENT USED
Cannot convert value "S-1-5-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX" to type "System.Guid". Error: "Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)."
.ALTERNATE POST-PROCESSING
### I'm sure you can make this more elegant
$sids = @("S-1-5-21-0123456789-0123456789-0123456789-1108")

$UserGroupPattern = [Regex]::new('/^S-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-\d[1-6]/')
Foreach ($sid in $sids){
    If ($UserGroupPattern.Matches($sid)){
        Get-ADObject –IncludeDeletedObjects -Filter "objectSid -eq '$sid'" | Select-Object name, objectClass
    } else {
        "not a User or Group SID"
    }
}

.ALTERNATE ERROR COMMENT
SID is a user or group

and TargetName is empty, so while the errors are undoubtedly accurate, they don't specify to which GPO they are referring, or why they are errors exactly.

Cannot convert value "4294967295" to type "System.Int32". Error: "Value was either too large or too small for an Int32."
GPOZarr.psm1:4034 char 17
$CtreateGPO[$($GPOEntry.Name)] = [int] $GPOEntry.SettingNu...
+FullyQualifiedErrorId : InvalidCastFromStringToInteger

and had another on value "4294967295"

Use GPOAnalysis to find folders/shares (for mapping/running scripts) where Everyone has full control or similar.

How would I go about adding more entries to this? I'd like to include Office 20xxx as well besides just Outlook. This would be great as folks transition from Office 201x to Office 365.

After updating to the latest version (from .158 I think?), the script is stuck (currently 4 hours) on "Generating HTML report "

In the powershell event log there is this

Pipeline execution details for command line:                     $Value = ConvertTo-StringByType -Value $Object[$a].$Property -DateTimeFormat $DateTimeFormat -NumberAsString:$NumberAsString -BoolAsString:$BoolAsString -Depth $InitialDepth -MaxDepth $MaxDepth -TextBuilder $TextBuilder -NewLineFormat $NewLineFormat -NewLineFormatProperty $NewLineFormatProperty -Force:$Force -ArrayJoin:$ArrayJoin -ArrayJoinString $ArrayJoinString -AdvancedReplace $AdvancedReplace


Context Information: 
	DetailSequence=3
	DetailTotal=3

	SequenceNumber=1123175

	UserId=DOMAIN\SERVER_ADMIN
	HostName=ConsoleHost
	HostVersion=5.1.17763.4974
	HostId=335d65a3-d3f1-4f48-bdd1-c8d71b5b42bb
	HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	EngineVersion=5.1.17763.4974
	RunspaceId=47d76c5f-ed7c-497c-99ff-81db7d2db4f1
	PipelineId=46
	ScriptName=C:\Program Files\WindowsPowerShell\Modules\PSWriteHTML\1.9.0\PSWriteHTML.psm1
	CommandLine=                    $Value = ConvertTo-StringByType -Value $Object[$a].$Property -DateTimeFormat $DateTimeFormat -NumberAsString:$NumberAsString -BoolAsString:$BoolAsString -Depth $InitialDepth -MaxDepth $MaxDepth -TextBuilder $TextBuilder -NewLineFormat $NewLineFormat -NewLineFormatProperty $NewLineFormatProperty -Force:$Force -ArrayJoin:$ArrayJoin -ArrayJoinString $ArrayJoinString -AdvancedReplace $AdvancedReplace
 

Details: 
ParameterBinding(ConvertTo-StringByType): name="NewLineFormat"; value="System.Collections.Hashtable"
ParameterBinding(ConvertTo-StringByType): name="NewLineFormatProperty"; value="System.Collections.Hashtable"
ParameterBinding(ConvertTo-StringByType): name="Force"; value="True"
ParameterBinding(ConvertTo-StringByType): name="ArrayJoin"; value="True"
ParameterBinding(ConvertTo-StringByType): name="ArrayJoinString"; value=", "
ParameterBinding(ConvertTo-StringByType): name="AdvancedReplace"; value="System.Collections.Hashtable"

Over and over, only the sequence number is getting incremented. Is there a way to tell what is wrong?

Thank you

Hi there! Unfortunately, the new -SplitReports parameter is always splitting reports for me. I have tried forcing a reload of the module and using "-SplitReports $false", but no joy.

I think the function "Reset-GPOZaurrStatus" may be setting this to $true somehow.

Is it possible to implement a new section where all group policies are listed including all set keys and values?
That would be very helpful to search all group policies for a special keyword.

Right now I'm using a powershell command to do this but I prefer using your outstanding HTML report :)

$String = "gotomeeting"
$Domain = "TEST.LOCAL"
$NearestDC = (Get-ADDomainController -Discover -NextClosestSite).Name

#Get a list of GPOs from the domain
$GPOs = Get-GPO -All -Domain $Domain -Server $NearestDC | sort DisplayName

#Go through each Object and check its XML against $String
Foreach ($GPO in $GPOs) {

Write-Host "Working on $($GPO.DisplayName)"

#Get Current GPO Report (XML)
$CurrentGPOReport = Get-GPOReport -Guid $GPO.Id -ReportType Xml -Domain $Domain -Server $NearestDC

If ($CurrentGPOReport -match $String) {
Write-Host "A Group Policy matching ""$($String)"" has been found:" -Foregroundcolor Green
Write-Host "- GPO Name: $($GPO.DisplayName)" -Foregroundcolor Green
Write-Host "- GPO Id: $($GPO.Id)" -Foregroundcolor Green
Write-Host "- GPO Status: $($GPO.GpoStatus)" -Foregroundcolor Green
}
}

Wanted to request the ability for the 'Group Policy Content' report to show all subfolders specifically for Google Chrome ADMX templates.

Currently, GPOZaurr only shows the top-level settings: (i.e. Policies -> Administrative Templates -> Google -> Google Chrome)

It doesn't show any of the settings nested in any of the following subfolders however:

WARNING: Get-XMLGPO - Reading GPO content [XXX-GPO-S-C Hardening (v10.0.1)/DomainFQDN] returned an error.
This may be because of non-english language. Assesing EMPTY using old method which can report false positives. Be
careful please.

In issue #10 you have seen this error in a Dutch language GPO. I am seeing it in an English language GPO.

The policy has user settings disabled and contains both Policies and Preferences. There are multiple policies but a single preference. In GPMC, it shows an error for the preference:

An unknown error occurred while data was gathered for this extension. Details: Could not find file '\\DomainControllerFQDN\sysvol\DomainFQDN\Policies\{GUIDstring}\Machine\Preferences\Registry\Registry.xml'.

I'm happy to help if you want to incorporate this in your marvellous module. Otherwise, I'm happy for you to close as a known issue.

When running both the full report and the specific "Invoke-GPOZaurr -Type GPOConsistency" commands, the return errors out w/ the following error:

[i][Start] GPO Permissions Consistency
VERBOSE: Get-GPOZaurrPermissionConsistency - Starting process for domainname.local
VERBOSE: Get-GPOZaurrPermissionConsistency - Processing domainname.local WinAll-SChannel
WARNING: Get-GPOZaurrPermissionConsistency - Processing GPO-Name / domainname.local failed to get consistency with error: Method invocation failed because [Deserialized.Microsoft.GroupPolicy.Gpo] does not contain a method named 'IsAclConsistent'..

This has been tested and confirmed only in Powershell 7.

This occurs whether the module is imported or imported w/ "-SkipEditionCheck" switch.

If the module is imported w/o "-SkipEditionCheck" I receive the following (possibly unrelated) warnings:
WARNING: Module GroupPolicy is loaded in Windows PowerShell using WinPSCompatSession remoting session; please note that all input and output of commands from this module will be deserialized objects. If you want to load this module into PowerShell please use 'Import-Module -SkipEditionCheck' syntax.
WARNING: Module ActiveDirectory is loaded in Windows PowerShell using WinPSCompatSession remoting session; please note that all input and output of commands from this module will be deserialized objects. If you want to load this module into PowerShell please use 'Import-Module -SkipEditionCheck' syntax.

• https://github.com/p0w3rsh3ll/NetCease
• https://adsecurity.org/?p=3299

Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit .
In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
Right-click the Registry node, point to New, and select Registry Wizard.
Select the reference workstation on which the desired registry settings exist, then click Next .
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\
and select the check box for “SrvsvcSessionInfo” from which you want to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.
Click Finish.
The settings that you selected appear as preference items in the Registry Wizard Values collection

Find GPOs in links that no longer exist but haven't been unlinked.

Get-PrivGPOZaurrLink - Couldn't find link domainlEDE5A6AC-21E0-430B-968A-7F92BFC1E8A4 in a GPO Cache. Lack of permissions for given GPO? Are you running as admin? Skipping.

Hello EvotecIT,

first of all, great work with this module.

I have tried running this in my environment and get the following error, please advise how do I resolve this?

Netlogon Owners
Get-WinADObject : Cannot bind argument to parameter 'Identity' because it is null.
At C:\Program Files\WindowsPowerShell\Modules\GPOZaurr\0.0.114\GPOZaurr.psm1:15648 char:64

• ... $IdentityOwnerAdvanced = Get-WinADObject -Identity $ACL.Owner -Cache ...

•                                                    ~~~~~~~~~~
  

  • CategoryInfo : InvalidData: (:) [Get-WinADObject], ParameterBindingValidationException
  • FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Get-WinADObject

Get-WinADObject : Cannot bind argument to parameter 'Identity' because it is null.
At C:\Program Files\WindowsPowerShell\Modules\GPOZaurr\0.0.114\GPOZaurr.psm1:15648 char:64

• ... $IdentityOwnerAdvanced = Get-WinADObject -Identity $ACL.Owner -Cache ...

•                                                    ~~~~~~~~~~
  

  • CategoryInfo : InvalidData: (:) [Get-WinADObject], ParameterBindingValidationException
  • FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Get-WinADObject

Get-WinADObject : Cannot bind argument to parameter 'Identity' because it is null.
At C:\Program Files\WindowsPowerShell\Modules\GPOZaurr\0.0.114\GPOZaurr.psm1:15648 char:64

• ... $IdentityOwnerAdvanced = Get-WinADObject -Identity $ACL.Owner -Cache ...

•                                                    ~~~~~~~~~~
  

  • CategoryInfo : InvalidData: (:) [Get-WinADObject], ParameterBindingValidationException
  • FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Get-WinADObject

[i][Start] NetLogon Permissions
Get-WinADObject : Cannot bind argument to parameter 'Identity' because it is null.
At C:\Program Files\WindowsPowerShell\Modules\GPOZaurr\0.0.114\GPOZaurr.psm1:15648 char:64

• ... $IdentityOwnerAdvanced = Get-WinADObject -Identity $ACL.Owner -Cache ...

•                                                    ~~~~~~~~~~
  

  • CategoryInfo : InvalidData: (:) [Get-WinADObject], ParameterBindingValidationException
  • FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Get-WinADObject