Locating empty GPOs in a domain / forestIt varies depending on the CSE Neil.
The behaviour usually reverts with Admin Templates. Security settings don't revert, but can roll back if they're set elsewhere (like you said). Darren's already covered Software installation. For example, if you set hide shutdown, and then set that option to not defined, you'll get it back unless there's another GPO overriding that. --Paul ----- Original Message ----- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, November 16, 2006 9:27 AM Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest I thought 'Not Defined' meant 'ignore this setting and apply it as set elsewhere in other GPOs'. i.e. if it were set and then later set to not defined, the clients would continue to use the setting and ignore the change from enabled to 'not defined'. e.g. wallpaper set to A, originally. Then wallpaper set to 'not defined'. I always believed clients would ignore any 'not defined' settings and thus continue to use wallpaper A. Am I wrong? neil ------------------------------------------------------------------------------ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 15 November 2006 18:38 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest If I set an Admin template policy from "Enabled" to "Not Configured", then that GPO with "Not Configured" needs to be processed at least once by the target in order to remove the setting. So, even though GPMC might report "No Settings" (and frankly I haven't look at how it reports other areas besides Admin. templates. For example, you can "remove" a software installation package but it is left in the GPO so that clients can process the removal. Does that mean that the GPO has "no settings"?) you might still want that GPO around to be able to undo the client--if only for a limited period of time. Darren ------------------------------------------------------------------------------ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Wednesday, November 15, 2006 9:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest >>>if a GPO had settings and doesn't anymore, it may be needed by users and computers processing GP to undo settings that were previously applied IMHO, no settings means all settings in the GPO are set to "Not Defined". Wouldn't it, for the case you mention, need to have reverse settings or original settings and thus have settings? jorge Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : <see sender address> ------------------------------------------------------------------------------ From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia Sent: Wed 2006-11-15 17:04 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest Well, it depends upon the purpose of you quest, but you're correct. For example, you may not want to delete a GPO that has no settings (but does have versionNumber >0) because that may be a desirable state for it. In other words, if a GPO had settings and doesn't anymore, it may be needed by users and computers processing GP to undo settings that were previously applied. Unless you know for sure that those settings have been undone, then you can't be sure the GPO is unused. ------------------------------------------------------------------------------ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 15, 2006 7:21 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest Thanks Darren - that assumes the GPO is empty and always was empty, of course :) neil ------------------------------------------------------------------------------ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 15 November 2006 15:05 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest Another option is to perform an LDAP search on the cn=policies, cn=system container for GPC objects, and on each GPC object, look for a versionNumber attribute == 0. Its probably slightly faster than first generating the HTML report and then parsing it. ------------------------------------------------------------------------------ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 15, 2006 5:54 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest Thanks horhay :-^ I'd found the GPMC script but your extra logic is very useful :) neil ------------------------------------------------------------------------------ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: 15 November 2006 12:19 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest http://blogs.dirteam.com/blogs/jorge/archive/2006/11/15/Finding-unused-GPOs.aspx Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : <see sender address> ------------------------------------------------------------------------------ From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] Sent: Wed 2006-11-15 11:22 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Locating empty GPOs in a domain / forest Does anyone have a script or know of a process which can be used to locate empty GPOs? i.e. GPOs which have no settings enabled or set. The customer has hundreds of GPOs so viewing them one by one using GPMC is not a viable option :/ Many thanks, neil PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.