Checking AGPM-managed GPOs with PowerShell


Hi all,

It's been a long time since I posted anything here. Basically life, a baby and all that happened, taking up all of my free time.
That doesn't mean I have stopped working with GPOs and PowerShell.

Recently a new version of AGPM has been released, AGPM 4.0 SP3: https://technet.microsoft.com/en-us/library/mt346469.aspx

On top of now being compatible with Windows 10 clients, it also introduces the first set of PowerShell cmdlets for AGPM: https://technet.microsoft.com/en-us/library/mt445493.aspx

I have been promoting AGPM to my clients for a while now.
One of the "issues" reported by clients was that AGPM introduces a problem in GPMC.

What I mean is that after installing AGPM, a "Change Control" add-in appears in GPMC.

This is where AGPM lives and where you should now manage your GPOs.

But production GPOs can still be edited directly through GPMC, mostly by Domain Admins.
There are ways to remove that right, but they can be reversed (http://blogs.technet.com/b/askds/archive/2011/06/21/forcing-domain-admins-to-use-agpm-but-not-really.aspx).
So in the end only educating your administrators will work.

This "issue" can introduce divergence between the version in production and the one in AGPM.
This could lead to settings in production being lost when a GPO that was modified in AGPM is deployed.

The script I am presenting here helps identify those GPOs that have been modified outside of AGPM and prevents a possible loss of settings.

It is based on two PowerShell cmdlets:

Get-ControlledGpo: new cmdlet provided with AGPM 4.0 SP3 that lists all GPOs managed by AGPM, meaning that a copy of the GPO is in the AGPM archive.
Get-GPO: classic Group Policy cmdlet that lists all GPOs in a domain.

Based on the dates and version numbers returned by the two cmdlets, we can now get an idea of the status of each GPO managed by AGPM.

Controlled: a value of Yes or No tells you whether the GPO is controlled by AGPM.

Version status: values can be

    "AGPM version in production": same GPO in production and in AGPM (all is good).
    "New AGPM version not in production": the GPO is being modified in AGPM. The next step would be to deploy it in production, so check the modification date to see whether it is a recent change or a GPO that was never put in production.
    "Modified in GPMC": you need to check this GPO, as it has been modified outside of AGPM.
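To make the comparison concrete, here is an added example of the check (not the author's script): it joins Get-GPO and Get-ControlledGpo by GPO GUID and derives the three statuses above from the version numbers, keeping the dates alongside so the "New AGPM version" case can be judged. The Get-ControlledGpo property names (Id, ComputerVersion, UserVersion, ChangeDate) and the rule "higher version in production than in the archive means an edit in GPMC" are assumptions; confirm them with Get-ControlledGpo | Get-Member before relying on the output.

```powershell
# Added example, not the blog's script. Assumes AGPM 4.0 SP3 (module Microsoft.Agpm)
# and that Get-ControlledGpo exposes Id, ComputerVersion, UserVersion and ChangeDate
# (assumed names; verify with: Get-ControlledGpo | Get-Member).
Import-Module GroupPolicy
Import-Module Microsoft.Agpm

function Get-GpoVersionStatus {
    # Classifies one GPO from its production and archive version numbers.
    # Assumed rule: equal = in sync; archive ahead = change not deployed yet;
    # production ahead = someone edited it in GPMC, bypassing AGPM.
    param(
        [int]$ProductionVersion,   # Computer.DSVersion + User.DSVersion from Get-GPO
        [int]$ArchiveVersion       # computer + user version from the AGPM archive
    )
    if ($ProductionVersion -eq $ArchiveVersion) { return 'AGPM version in production' }
    if ($ArchiveVersion -gt $ProductionVersion)  { return 'New AGPM version not in production' }
    return 'Modified in GPMC'
}

# Index controlled GPOs by GUID so the join with Get-GPO is a hashtable lookup.
$controlled = @{}
foreach ($c in Get-ControlledGpo) { $controlled[[guid]$c.Id] = $c }

$report = foreach ($gpo in Get-GPO -All) {
    $archive = $controlled[$gpo.Id]
    if ($null -eq $archive) {
        # Present in the domain but never imported into the AGPM archive.
        [pscustomobject]@{ Name = $gpo.DisplayName; Controlled = 'No'; VersionStatus = 'Not controlled'
                           ProductionModified = $gpo.ModificationTime; ArchiveChanged = $null }
    } else {
        $prodVersion = $gpo.Computer.DSVersion + $gpo.User.DSVersion
        $archVersion = [int]$archive.ComputerVersion + [int]$archive.UserVersion
        [pscustomobject]@{
            Name               = $gpo.DisplayName
            Controlled         = 'Yes'
            VersionStatus      = Get-GpoVersionStatus -ProductionVersion $prodVersion -ArchiveVersion $archVersion
            ProductionModified = $gpo.ModificationTime   # last write in production (GPMC edit shows here)
            ArchiveChanged     = $archive.ChangeDate      # last change recorded in the AGPM archive
        }
    }
}

# List the GPOs edited outside AGPM first, since those are the ones to investigate.
$report | Sort-Object @{ Expression = { $_.VersionStatus -eq 'Modified in GPMC' }; Descending = $true }, Name |
    Format-Table -AutoSize
```

Running this on a domain where AGPM holds only some GPOs also surfaces the uncontrolled ones, which is a good starting point for bringing them under change control.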

This is a first version of the script and it has only been written to work on the current domain. I have not yet tested it with an AGPM archive that contains multiple domains; even though this is not a recommended configuration, it can be found in the field.

As usual let me know your thoughts and suggestions on this script.

Script can be found here
