Easy GPO Audit Using Powershell

After poking around the Group Policy Objects (GPO) of an infrastructure that was new to me I needed a decent way of producing a quick and useful report on the state of the GPOs.

Because the ComputerVersion and UserVersion numbers are listed as two figures, one for AD and one for Sysvol just an export-csv of get-gpo left me with blank ComputerVersion and UserVersion.

I found this post: https://community.spiceworks.com/topic/551588-get-gpo-userversion-and-computerversion-troubles

By using the following powershell I was able to within minutes provide useful information on the state of the GPOs.

get-gpo -all | select Displayname,ID,Description,GPOStatus,CreationTime,ModificationTime,@{Label="ComputerVersion";Expression{$_.computer.dsversion}},@{Label="UserVersion";Expression={$_.user.dsversion}}| export-csv gpo-audit.csv

A small bit of conditional formatting later and we can see that the Domain GPO has a large amount of user setting edits and should be split into a user only GPO and a computer GPO (I won’t go into where these GPOs should be linked at this stage).
A snipping of an excel spreadsheet with colour coding providing meaning to the figures

Leave a Reply