Find Group Policies with Missing Permissions
function Get-GPMissingPermissionsGPOs
{
    <#
        .SYNOPSIS
        Find Group Policy Objects with missing permissions

        .DESCRIPTION
        Find Group Policy Objects that do not grant any permissions to the 'Authenticated Users' or 'Domain Computers' groups

        .EXAMPLE
        PS C:\> Get-GPMissingPermissionsGPOs

        .NOTES
        Reworked and tweaked function by Omer (Microsoft Premier Field Engineer)

        .LINK
        https://blogs.technet.microsoft.com/meamcs/2018/12/31/most-common-mistakes-in-active-directory-and-domain-services-part-1/

        .LINK
        https://gist.github.com/OmerMicrosoft/4eda2010c5810dc0e54225cc400211fd
    #>
    [CmdletBinding(ConfirmImpact = 'None')]
    [OutputType([string])]
    param ()

    begin
    {
        # Define some defaults
        $SC = 'SilentlyContinue'
        $STP = 'Stop'

        # Create a new Object for a possible list of crappy Group Policies
        $MissingPermissionsGPOArray = (New-Object -TypeName System.Collections.ArrayList)

        try
        {
            # Splat the parameters to get all Group Policies
            $paramGetGPO = @{
                All           = $true
                ErrorAction   = $STP
                WarningAction = $SC
            }
            $GPOs = (Get-GPO @paramGetGPO)
        }
        catch
        {
            # -ErrorAction Stop makes this a terminating error, so the function ends here
            Write-Error -Message 'Unable to get Group Policies' -ErrorAction $STP
        }
    }

    process
    {
        foreach ($GPO in $GPOs)
        {
            # Reset the per-GPO results so a failed lookup can never reuse the previous GPO's values
            $GPOPermissionForAuthUsers = $null
            $GPOPermissionForDomainComputers = $null

            # Splat for reuse
            $paramGetGPPermission = @{
                Guid          = $GPO.Id
                All           = $true
                ErrorAction   = $STP
                WarningAction = $SC
            }

            # Only GPOs with user settings enabled are relevant: since MS16-072 the user
            # policy is read in the computer's security context, so the computer account
            # needs read access via 'Authenticated Users' or 'Domain Computers'
            if ($GPO.User.Enabled)
            {
                try
                {
                    # Query the ACL once and reuse the trustee list for both checks
                    $GPOTrustees = (Get-GPPermission @paramGetGPPermission | Select-Object -ExpandProperty Trustee)
                }
                catch
                {
                    # A failed lookup is reported, but the GPO is not flagged as missing permissions
                    Write-Warning -Message ("Unable to check Group Policy {0} for Users/Computers Permission" -f $GPO.DisplayName)
                    continue
                }

                $GPOPermissionForAuthUsers = ($GPOTrustees | Where-Object -FilterScript {
                        $_.Name -eq 'Authenticated Users'
                    })

                $GPOPermissionForDomainComputers = ($GPOTrustees | Where-Object -FilterScript {
                        $_.Name -eq 'Domain Computers'
                    })

                if ((-not $GPOPermissionForAuthUsers) -and (-not $GPOPermissionForDomainComputers))
                {
                    $null = $MissingPermissionsGPOArray.Add($GPO)
                }
            }
        }

        if ($MissingPermissionsGPOArray.Count -ne 0)
        {
            foreach ($GPOWithMissingPermissions in $MissingPermissionsGPOArray)
            {
                # Assign to temp variable (just for the output)
                $GPOObject = $GPOWithMissingPermissions.DisplayName

                Write-Warning -Message ("The Group Policy {0} does not grant any permissions to the 'Authenticated Users' or 'Domain Computers' groups" -f $GPOObject)

                # Cleanup
                $GPOObject = $null
            }
        }
        else
        {
            Write-Output -InputObject 'All Group Policy Objects grant required permissions. No issues were found.'
        }
    }
}
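The function above only warns about affected GPOs. The following is an added example, not part of the gist or of Omer's original, that returns one object per affected GPO (with the trustees it does grant) and, when asked, grants 'Authenticated Users' the GpoRead permission that the MS16-072 guidance calls for. It assumes the GroupPolicy RSAT module is loaded and the session is domain-joined; the function name `Repair-GPMissingReadPermission` and the `-Remediate` switch are this example's own.

```powershell
# Added example: report GPOs that grant nothing to 'Authenticated Users' or 'Domain Computers'
# and optionally add GpoRead for 'Authenticated Users'. Function and switch names are assumptions.
function Repair-GPMissingReadPermission
{
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param
    (
        # Without -Remediate the function only reports; with it, ACLs are changed (honours -WhatIf)
        [switch]$Remediate
    )

    $required = @('Authenticated Users', 'Domain Computers')

    foreach ($GPO in (Get-GPO -All -ErrorAction Stop))
    {
        # Since MS16-072 user settings are read in the computer's security context,
        # so only GPOs with user configuration enabled are relevant
        if (-not $GPO.User.Enabled) { continue }

        try
        {
            $trustees = Get-GPPermission -Guid $GPO.Id -All -ErrorAction Stop |
                Select-Object -ExpandProperty Trustee |
                Select-Object -ExpandProperty Name
        }
        catch
        {
            # Could not read the ACL: say so, but do not report a finding we did not verify
            Write-Warning -Message ("Could not read permissions of '{0}': {1}" -f $GPO.DisplayName, $_.Exception.Message)
            continue
        }

        # Either group present is enough for the computer account to read the GPO
        $granted = $required | Where-Object -FilterScript { $trustees -contains $_ }
        if ($granted) { continue }

        $result = [PSCustomObject]@{
            DisplayName = $GPO.DisplayName
            Id          = $GPO.Id
            Trustees    = ($trustees -join ', ')
            Remediated  = $false
        }

        if ($Remediate -and $PSCmdlet.ShouldProcess($GPO.DisplayName, "Grant 'Authenticated Users' GpoRead"))
        {
            # GpoRead (not GpoApply) keeps the GPO's scope unchanged: the computer account can
            # read the user settings, but the policy is not applied to additional principals
            $null = Set-GPPermission -Guid $GPO.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -ErrorAction Stop
            $result.Remediated = $true
        }

        $result
    }
}

# Usage (constructed): review first, dry-run the change, then apply it
# Repair-GPMissingReadPermission | Format-Table -AutoSize
# Repair-GPMissingReadPermission -Remediate -WhatIf
# Repair-GPMissingReadPermission -Remediate
```

Because the objects carry the GPO Id and the trustees that are present, the report can be exported with `Export-Csv` for change control before any ACL is touched, and a second run after remediation should return nothing.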
jhochwald commented Jan 2, 2019

Reworked and tweaked function based on the function by @OmerMicrosoft (Microsoft Premier Field Engineer)
I like the basic idea, and the tweaks are just to keep the code consistent with my other stuff.
