Group Policy Troubleshooting Part 1

GPOZaurr: PowerShell Module

  • Be careful when using on a production network
  • GPOZaurr module is not read-only
  • Tested only on English-based Active Directory

-WhatIf parameter

  • Using the -WhatIf parameter in PowerShell commands is quite useful for testing and understanding the potential impact of a command without actually executing it. When you append -WhatIf to a PowerShell command, it doesn't execute the command. Instead, PowerShell will display a message describing what the command would do if it were to run, without making any changes to your system or data.

  • For example, if you use the command Remove-Item C:\example.txt -WhatIf, PowerShell will not delete the file C:\example.txt. Instead, it will display a message like: What if: Performing the operation "Remove File" on target "C:\example.txt".
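
Why -WhatIf is only as safe as the command's implementation, as an added example that is not from the original slides or from GPOZaurr: the first function gates its change on ShouldProcess, while the second declares support but never checks it and so deletes files even under -WhatIf. The function names and temp folder are hypothetical, and the files are constructed sample data.

```powershell
# Constructed sample data: three throwaway files in a temp folder.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'whatif-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
1..3 | ForEach-Object { Set-Content -Path (Join-Path $demo "stale$_.txt") -Value 'x' }

function Remove-DemoFile {
    # Hypothetical function. SupportsShouldProcess adds -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string] $Path)

    foreach ($file in Get-ChildItem -LiteralPath $Path -File) {
        # Under -WhatIf, ShouldProcess prints the "What if:" line and returns
        # $false, so the destructive call below is skipped.
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove File')) {
            [IO.File]::Delete($file.FullName)
        }
    }
}

function Remove-DemoFileUnguarded {
    # Hypothetical function. Accepts -WhatIf but never consults ShouldProcess.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string] $Path)

    foreach ($file in Get-ChildItem -LiteralPath $Path -File) {
        # .NET calls know nothing about -WhatIf: this deletes regardless.
        [IO.File]::Delete($file.FullName)
    }
}

# Guarded: only reports what it would do.
Remove-DemoFile -Path $demo -WhatIf
"After guarded -WhatIf:   $(@(Get-ChildItem -LiteralPath $demo -File).Count) file(s) left"

# Unguarded: the files are removed even though -WhatIf was passed.
Remove-DemoFileUnguarded -Path $demo -WhatIf
"After unguarded -WhatIf: $(@(Get-ChildItem -LiteralPath $demo -File).Count) file(s) left"

# Clean up the constructed sample folder.
Remove-Item -LiteralPath $demo -Recurse -Force
```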

ObjectClass attribute

  • If the ObjectClass attribute is incorrectly set or corrupted for a GPO, it can lead to identification issues within Active Directory. Active Directory might not recognize the object as a valid GPO, leading to processing and replication problems.

Health State of Group Policies

GP Broken Links

Improper deletion of GPOs

  • When a GPO is deleted correctly, it is usually removed from AD and SYSVOL, and any link to it is also discarded.
    • Unfortunately, this is true only if the GPO is created and linked within the same domain.
  • If the GPO is linked in another domain, deleting it leaves a broken link hanging where it was linked.
  • Additionally, the Remove-GPO cmdlet doesn't handle site link deletions, which causes dead links to be stuck on sites until they are manually deleted.
  • This means that any GPOs deleted using PowerShell may leave a trail.

Remove Broken Links

  • When executed, the following command internally runs a command that lists all broken links. After finding them all, it deletes them according to the given criteria.
  • When running it for the first time, make sure to run it with the WhatIf parameter as shown below to prevent accidental removal.

Repair-GPOZaurrBrokenLink -WhatIf -Verbose

  • After execution, make sure there are no errors, review the provided output, and confirm that what is about to be changed matches the expected data.

  • Once you are happy with the results, follow up with this command:

Repair-GPOZaurrBrokenLink -Verbose -LimitProcessing 2

  • When executed, this command removes only the first X links.
  • Keep in mind that 5 broken links on a single Organizational Unit are treated as one.
  • Use the LimitProcessing parameter to prevent mass deletion, and increase the counter when no errors occur.
    • Repeat the step above as many times as needed, increasing the LimitProcessing count until there's nothing left.
    • In case of any issues, review them and act accordingly.

Group Policy Owners

  • By default, GPO creation is usually maintained by Domain Admins or Enterprise Admins.
    • When a GPO is created by a member of the Domain Admins or Enterprise Admins group, the GPO Owner is set to Domain Admins.
    • When a GPO is created by a member of Group Policy Creator Owners, or of another group that has delegated rights to create a GPO, the owner of that GPO is not the Domain Admins group but the relevant user.

  • GPO Owners should be Domain Admins or Enterprise Admins to prevent abuse.
    • If that isn't so, it means the owner can fully control the GPO and potentially change its settings in an uncontrolled way.
    • While this is not a problem at the moment a new GPO is created, in the long term such a person may no longer be an admin yet keep their rights over the GPO.
    • As you're aware, Group Policies are stored in 2 places.
      • In Active Directory (metadata) and SYSVOL (settings). This means that there are 2 places where GPO Owners exist.
      • This also means that, for multiple reasons, AD and SYSVOL can be out of sync when it comes to their permissions, which can lead to an uncontrolled ability to modify them.

  • Ownership in Active Directory and ownership of SYSVOL for a given GPO are required to be the same.
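
A read-only check of this rule, as an added example that is not from the original slides or from GPOZaurr: it uses the built-in Get-GPO and Get-Acl cmdlets to compare each GPO's owner in Active Directory with the owner of its SYSVOL folder. It assumes the standard SYSVOL path layout and English group names; the report property names are illustrative.

```powershell
#Requires -Modules GroupPolicy
# Read-only audit: nothing here changes owners or permissions.

# Assumption: English group names, matching the "English-based AD" caveat.
$expectedOwner = '\\(Domain Admins|Enterprise Admins)$'

$report = foreach ($gpo in Get-GPO -All) {
    # Assumption: standard SYSVOL layout \\<domain>\SYSVOL\<domain>\Policies\{GUID}
    $guid   = $gpo.Id.ToString('B')
    $sysvol = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\$guid"

    $sysvolOwner = try {
        (Get-Acl -LiteralPath $sysvol -ErrorAction Stop).Owner
    } catch {
        $null   # folder missing or unreadable: reported as inconsistent
    }

    [pscustomobject]@{
        DisplayName  = $gpo.DisplayName
        Id           = $gpo.Id
        ADOwner      = $gpo.Owner
        SysvolOwner  = $sysvolOwner
        # AD and SYSVOL must name the same owner.
        IsConsistent = [bool]$sysvolOwner -and ($gpo.Owner -eq $sysvolOwner)
        # The AD owner should be Domain Admins or Enterprise Admins.
        IsAdminOwned = $gpo.Owner -match $expectedOwner
    }
}

# Show only the GPOs that need attention.
$report |
    Where-Object { -not $_.IsConsistent -or -not $_.IsAdminOwned } |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```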

GPO Owners

  • The following command finds any GPO that doesn't have a proper GPO Owner (be it due to inconsistency or not being Domain Admin) and enforces a new GPO Owner.
  • When running it for the first time, make sure to run it with the WhatIf parameter as shown below to prevent accidental removal.

Set-GPOZaurrOwner -Type All -Verbose -WhatIf
