{"id":807,"date":"2012-09-03T00:47:05","date_gmt":"2012-09-02T16:47:05","guid":{"rendered":"http:\/\/www.jhouseconsulting.com\/?p=807"},"modified":"2012-09-04T00:27:26","modified_gmt":"2012-09-03T16:27:26","slug":"finding-orphaned-group-policy-objects","status":"publish","type":"post","link":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/2012\/09\/03\/finding-orphaned-group-policy-objects-807","title":{"rendered":"Finding Orphaned Group Policy Objects"},"content":{"rendered":"

Group Policy Objects (GPOs) are stored in two parts:<\/p>\n

    \n
  1. GPC (Group Policy Container). The GPC is where the GPO stores all the AD-related configuration under the\u00a0CN=Policies,CN=System,DC=… container, which is replicated via AD replication.<\/li>\n
  2. GPT (Group Policy Templates). The GPT is where the GPO stores the actual settings located within SYSVOL\u00a0area under the Policies folder, which is replicated by either File Replication Services (FRS) or Distributed File System (DFS).<\/li>\n<\/ol>\n

    This script will help find GPOs that are missing one of the parts, which therefore makes it an orphaned GPO.<\/p>\n

    A GPO typically becomes orphaned in one of two different ways:<\/p>\n

      \n
    1. If the GPO is deleted directly through Active Directory Users and Computers or ADSI edit.<\/li>\n
    2. If the GPO was deleted by someone that had permissions to do so in AD, but not in SYSVOL. In this case,\u00a0the AD portion of the GPO would be deleted but the SYSVOL portion of the GPO would be left behind.<\/li>\n<\/ol>\n

      Although orphaned GPT folders do no harm they do take up disk space and should be removed as a cleanup task.<\/p>\n

      Lack of permissions to the corresponding objects in AD could cause a false positive. Therefore, verify GPT\u00a0folders are truly orphaned before moving or deleting them.<\/p>\n

      Example:<\/strong><\/p>\n

      Here is a screen shot showing the output of the script, which had identified 4 orphaned GPTs.\u00a0Note the count of GPC and GPT’s.<\/p>\n

      \"\"<\/a><\/p>\n

      Here is a follow-up screen shot showing the output of the script after the 4 orphaned GPTs had been removed. Again note the count of GPC and GPT’s.<\/p>\n

      \"\"<\/a><\/p>\n

      The FindOrphanedGPOs.ps1<\/a>\u00a0script:<\/strong><\/p>\n

      \r\n<#\r\nThis script will find and print all orphaned Group Policy Objects (GPOs).\r\n\r\nGroup Policy Objects (GPOs) are stored in two parts:\r\n\r\n1) GPC (Group Policy Container). The GPC is where the GPO stores all the AD-related configuration under the\r\n CN=Policies,CN=System,DC=... container, which is replicated via AD replication.\r\n2) GPT (Group Policy Templates). The GPT is where the GPO stores the actual settings located within SYSVOL\r\n area under the Policies folder, which is replicated by either File Replication Services (FRS) or\r\n Distributed File System (DFS).\r\n\r\nThis script will help find GPOs that are missing one of the parts, which therefore makes it an orphaned GPO.\r\n\r\nA GPO typically becomes orphaned in one of two different ways:\r\n\r\n1) If the GPO is deleted directly through Active Directory Users and Computers or ADSI edit.\r\n2) If the GPO was deleted by someone that had permissions to do so in AD, but not in SYSVOL. In this case,\r\n the AD portion of the GPO would be deleted but the SYSVOL portion of the GPO would be left behind.\r\n\r\nAlthough orphaned GPT folders do no harm they do take up disk space and should be removed as a cleanup task.\r\n\r\nLack of permissions to the corresponding objects in AD could cause a false positive. Therefore, verify GPT\r\nfolders are truly orphaned before moving or deleting them.\r\n\r\nOriginal script written by Sean Metcalf\r\n
      Powershell Code: Finding Orphaned Group Policy Objects<\/a><\/blockquote>