@scriptingstudio
Last active January 29, 2023 07:51
Quick GPO Report
<#
.SYNOPSIS
    Quick GPO Report for further analysis.
.PARAMETER csv
    Path of a CSV file to write the report to (';' delimited, UTF-8).
    When omitted, the report is shown in a grid view instead.
.PARAMETER excel
    Path of an Excel workbook (alias: -xlsx). The Excel branch of this
    script is still marked "in dev" and does not write a report.
#>
param (
    [string] $csv,

    [Alias('xlsx')]
    [string] $excel
)
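# Script block that emits one report row (PSCustomObject) per GPO returned by
# Get-GPO -All. Each row combines properties of the GPO object with details read
# from the GPO's XML report: links, trustees, configured extensions, and a
# comment column flagging unlinked, fully disabled or empty GPOs.
$gporeport = {
    $domain = $env:USERDNSDOMAIN
    if (-not $domain) {
        # No DNS domain name in the environment: nothing is reported. The warning
        # goes to the warning stream, so the CSV / grid output stays empty.
        Write-Warning 'USERDNSDOMAIN is not set; no GPO report was generated.'
        return
    }

    # -replace takes a regular expression. The domain name contains dots, so it
    # is escaped and anchored to strip only a leading "<domain>/" from a link path.
    $domainPrefix = '^' + [regex]::Escape("$domain/")

    # Dot-sourced script block with a process section handles each GPO from the pipeline.
    Get-GPO -All | . { process {
        $item = $_

        # -ErrorAction Stop: a GPO whose report cannot be produced raises a
        # terminating error instead of yielding a partially filled row.
        [xml]$Gpo = Get-GPOReport -ReportType Xml -Guid $item.Id -ErrorAction Stop

        # One "<path>:<0|1>" entry per link; 1 means the link is enabled.
        $links = foreach ($a in $Gpo.GPO.LinksTo) {
            $path = if ($a.SOMPath -eq $domain) { '<root>' } else { $a.SOMPath -replace $domainPrefix }
            # Values read from XML are strings, and the non-empty string 'false'
            # is truthy in PowerShell, so the flag is compared explicitly.
            $linkEnabled = if ($a.Enabled -eq 'true') { 1 } else { 0 }
            '{0}:{1}' -f $path, $linkEnabled
        }

        # Names of every trustee in the GPO's permission list, whatever right the
        # trustee holds, minus names matching the exclusion pattern below.
        # NOTE(review): the pattern is an unanchored, case-insensitive substring
        # match, so any other account or group whose name contains one of these
        # fragments is hidden as well - confirm before using this column to audit
        # who has rights on a GPO.
        $trusteeNames   = $Gpo.GPO.SecurityDescriptor.Permissions.TrusteePermissions.Trustee.Name.'#text'
        $securityFilter = @($trusteeNames).where{ $_ -notmatch 'nt auth|domain admins|administrator|enterpri|system' }

        $userData     = 'User:{0}' -f ($Gpo.GPO.User.ExtensionData.Name -join ',')
        $computerData = 'Computer:{0}' -f ($Gpo.GPO.Computer.ExtensionData.Name -join ',')

        # Findings for the Comment column.
        $comment = [System.Collections.Generic.List[string]]::new()
        if (-not $links) {
            $comment.Add('Location = blank – GPO that is not in use because it is not linked to any domain objects')
        }
        if ($item.GpoStatus -eq 'AllSettingsDisabled') {
            $comment.Add('Status = AllSettingsDisabled – GPO that have the user and computer configuration disabled so no policy settings would apply')
        }
        $allVersionsZero = $item.User.DSVersion -eq 0 -and $item.User.SysvolVersion -eq 0 -and
            $item.Computer.DSVersion -eq 0 -and $item.Computer.SysvolVersion -eq 0
        if ($allVersionsZero) {
            $comment.Add('userVersion and computerVersion = 0 – This is empty GPO. Someone created a GPO but did not configure any settings')
        }

        [PSCustomObject]@{
            Name            = $item.DisplayName
            Location        = $links -join ', '
            Status          = $item.GpoStatus
            CreationTime    = $item.CreationTime
            ModifyTime      = $item.ModificationTime
            # An AD version that differs from the SYSVOL version is visible here side by side.
            UserVersion     = '{0} (AD), {1} (SYSVOL) : {2}' -f $item.User.DSVersion, $item.User.SysvolVersion, $item.User.Enabled
            ComputerVersion = '{0} (AD), {1} (SYSVOL) : {2}' -f $item.Computer.DSVersion, $item.Computer.SysvolVersion, $item.Computer.Enabled
            # Blank when enabled, 'No' otherwise, so disabled halves stand out in the grid.
            UserEnabled     = if ($Gpo.GPO.User.Enabled -eq $true) { '' } else { 'No' }
            ComputerEnabled = if ($Gpo.GPO.Computer.Enabled -eq $true) { '' } else { 'No' }
            WmiFilter       = $item.WmiFilter.Name # singleton?
            SecurityFilter  = $securityFilter -join "`n"
            # Only the User:/Computer: lines that actually list an extension are kept.
            ExtensionData   = ($userData, $computerData).where{ $_ -match ':.+$' } -join "`n"
            Id              = $item.Id.guid.toupper()
            Owner           = $item.Owner
            Comment         = $comment -join ";`n"
        }
    }}
} # END gporeport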
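# Output selection: CSV file when -csv names a file in an existing folder, the
# unfinished Excel branch when -excel does, otherwise an interactive grid view.

# Returns $true when the folder part of $file exists. A bare file name has no
# folder part (Split-Path returns an empty string, which Test-Path rejects), so
# it is treated as a file in the current location.
$hasParentFolder = {
    param([string]$file)
    $parent = Split-Path -Path $file -Parent
    if (-not $parent) { $parent = '.' }
    Test-Path -Path $parent -PathType Container -ErrorAction Stop
}

if ($csv -and (& $hasParentFolder $csv)) {
    # The report lists GPO owners, trustees and link locations; write it to a
    # folder with restricted access. Cell values come from directory data, so
    # review the file before opening it in a spreadsheet application that
    # evaluates cells beginning with '=', '+', '-' or '@' as formulas.
    . $gporeport | Export-Csv -Path $csv -Delimiter ';' -Encoding UTF8 -NoTypeInformation
}
elseif ($excel -and (& $hasParentFolder $excel)) {
    # Excel export is not implemented yet; only the marker string is emitted.
    'in dev'
    $paramx = @{}
}
else {
    if ($csv -or $excel) {
        # An output file was requested but its folder does not exist.
        Write-Warning 'The folder for the requested output file was not found; showing the report in a grid view instead.'
    }
    . $gporeport | Out-GridView -Title 'Quick GPO Report'
}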