WIth a large GPO structure, it can be challenging to keep track of all your settings.
Also, if you’re a consultant or a fresh hire facing an unknown infrastructure, getting an overview of GPOs can be very time-consuming.
That is unless you pull out a little PowerShell magic from your sleeve!
In other articles we already covered:
- How to find GPO folder redirection
- How to find GPO software installation folders
- How to find GPO drive mapping
- How to find GPOs with Registry Settings
This article will enable you to identify logon, logoff, startup, and shutdown scripts in your GPOs.
(for detailed instructions on how you can create your own GPO analysis scripts, read this)
Using PowerShell to Identify GPO Logon Scripts
It’s tempting to use GPO names and try to guess what settings they handle.
But if you have more than 5 GPOs, it will be very time-consuming to click through all of them to verify actual settings.
If you want to know for 100% which of your GPOs holds settings for logon, logoff, startup, or shutdown scripts – check out this script:
Function Get-Scripts ($ExtData, $Gpo, $Scope) {
$ArrResult = @()
ForEach ($ExtensionData In $ExtData) {
If ($ExtensionData.Name -eq "Scripts") {
$GPOScripts = $ExtensionData.Extension.Script
ForEach ($GPOScript In $GPOScripts) {
$GPOScriptConfig = New-Object PSObject -Property @{
GPO = $GPO.Name
LinkCount = $LinkCount
Enabled = $Enabled
Name = $GPOScript.Command
Type = $GPOScript.Type
}
$ArrResult += $GPOScriptConfig
}
}
}
Write-Output $ArrResult
}
$Reports = Get-GPO -All | Get-GPOReport -ReportType Xml
$Scripts = @()
ForEach ($Report In $Reports) {
$GPO = ([xml]$Report).GPO
$LinkCount = ([string[]]([xml]$Report).GPO.LinksTo).Count
$Enabled = $GPO.Computer.Enabled
$ExtData = $GPO.Computer.ExtensionData
$Scripts += Get-Scripts $ExtData $GPO "Computer"
$Enabled = $GPO.User.Enabled
$ExtData = $GPO.User.ExtensionData
$Scripts += Get-Scripts $ExtData $GPO "User"
}
Write-Output $Scripts | ft GPO, LinkCount, Enabled, Name, Type
The output from the script will look similar to this:
GPO LinkCount Enabled Name Type --- --------- ------- ---- ---- StartupScript_DK 2 true ClearTempFiles.bat Startup LogonScript 1 true MapDrives.bat Logon
With this overview in hand, you have a great starting point for examining your GPO logon scripts further.
Look at this article for a thorough primer on GPO, application order, filtering, etc.
Consolidate AD and Office 365 Management
And hey, now we have your attention:
Check out our awesome Office 365 management snap-in for AD Users & Computers:
Easy365Manager will allow you to perform all daily Office 365 management in user properties in AD Users & Computers.
Easy365Manager even eliminates the need for complex PowerShell scripting, e.g., when delegating calendar access:
It’s absolutely free to test-drive all the many features in your own environment.
Download your fully-functional 30-day trial here.
You can install it to any PC or server with AD Users & Computers, it makes no changes to AD or your infrastructure, and can be easily uninstalled.