Get restricted groups from GPO

Today I want to share my function which shows how to get restricted groups from GPO.

In big Active Directory environments, access to servers and workstations is usually managed by AD groups and group policies.
The script I prepared can help administrators find which restricted groups have access to servers/workstations in a specific OU.

How does the script work?
The script checks all of the GPOs which are linked to the provided OU.
In the next step the script checks whether the GPO has restricted groups configured; if not, the GPO is skipped from the report.
In the result the script will show the following information:
– GPO Type – whether the GPO is inherited or linked directly
– GPO Name
– Name – name of the user/group configured in restricted groups
– Object – whether the configured object is a user or a group
– Group Name – local group name

Example of usage:

Get-OURestrictedGroups -OU "OU=Test,DC=powershellbros,DC=com"

Script:

function Get-OURestrictedGroups
{
    param
    (
        [Parameter(Position=0, Mandatory = $true, HelpMessage="OU distinguished name", ValueFromPipeline = $true)]
        [string]$OU
    )

    # RSAT modules used below: ActiveDirectory (Get-AD*) and GroupPolicy (Get-GPO, Get-GPOReport, Get-GPInheritance)
    Import-Module ActiveDirectory -ErrorAction Stop
    Import-Module GroupPolicy -ErrorAction Stop

    # Returns the text of a report node; PowerShell exposes a child element as a plain [string]
    # when it has no attributes and as an [XmlElement] when it does, so ."#text" alone is not reliable
    function Get-NodeText($Node)
    {
        if ($Node -is [System.Xml.XmlNode]) { return $Node.InnerText }
        return [string]$Node
    }

    # GPOs linked directly to the OU, returned as DNs like "cn={GUID},cn=policies,cn=system,DC=..."
    $OUDN = $OU
    $OULinkedGPOs = (Get-ADOrganizationalUnit -Identity $OUDN | select LinkedGroupPolicyObjects).LinkedGroupPolicyObjects

    # Walk up to the domain root: every parent container is a source of inherited GPOs
    $DomainCounter = ($OUDN.Split(',') -match "^DC=").Count
    $counter = $OUDN.Split(',').Count - $DomainCounter
    $ParentOUs = @()
    for ($i = 1; $i -le [int]$counter; $i++)
    {
        $OUDN = $OUDN.Split(',', 2)[1]
        $ParentOUs += $OUDN
    }

    # Build one list of GPOs to inspect, tagged with how they reach the OU.
    # As in the original version, Block Inheritance, Enforced and disabled links are not evaluated.
    $GPOList = @()
    foreach ($GPO in $OULinkedGPOs)
    {
        $guid = [regex]::Match($GPO, '\{[0-9A-Fa-f-]+\}').Value.Trim('{}')   # pull the GUID out of the DN
        $GPOList += [PSCustomObject]@{ Guid = $guid; Type = "Direct Link" }
    }
    foreach ($parentOU in $ParentOUs)
    {
        foreach ($parentgpo in (Get-GPInheritance -Target $parentOU).GpoLinks.GpoId.Guid)
        {
            $GPOList += [PSCustomObject]@{ Guid = $parentgpo; Type = "Inherited" }
        }
    }

    $Array = @()
    foreach ($Entry in $GPOList)
    {
        $GPOName = (Get-GPO -Guid $Entry.Guid).DisplayName
        # Get-GPOReport returns the report as a string; it must be cast to [xml] before it can be navigated
        [xml]$ParsedXML = Get-GPOReport -Guid $Entry.Guid -ReportType Xml
        $restrictedGroups = $ParsedXML.GPO.Computer.ExtensionData.Extension.RestrictedGroups
        if (-not $restrictedGroups) { continue }   # no Restricted Groups in this GPO: skip it

        foreach ($group in $restrictedGroups)
        {
            $LocalGroup = Get-NodeText $group.GroupName.Name
            foreach ($Member in @($group.Member))
            {
                if ($null -eq $Member) { continue }
                $SID = Get-NodeText $Member.SID

                # Resolve the SID as a group, then a user, then a computer.
                # -ErrorAction Stop turns "not found" into a catchable error, so an unresolved SID never produces an empty row.
                $Object = $null
                foreach ($cmdlet in 'Get-ADGroup', 'Get-ADUser', 'Get-ADComputer')
                {
                    try
                    {
                        $Object = & $cmdlet -Identity $SID -ErrorAction Stop | select Name, ObjectClass
                        break
                    }
                    catch { }
                }
                if ($Object)
                {
                    $Array += [PSCustomObject]@{
                        "GPOType"          = $Entry.Type
                        "GPOName"          = $GPOName
                        "Name"             = $Object.Name
                        "Object"           = $Object.ObjectClass
                        "Local Group Name" = $LocalGroup
                    }
                }
            }
        }
    }
    $Array
}
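To show the report structure the script walks, here is an added example (not the author's code) that parses a constructed GPO XML report offline, with no domain needed. It goes a step further than the script above: besides "Member" entries (the listed accounts become the whole membership of the restricted group) it also reads "Memberof" entries, which add the restricted group to other groups while leaving their existing members in place, so a review that only looks at Member rules can miss a domain group being placed into a local group. The GPO name, SIDs and group names in the sample are made up.

```powershell
# Constructed sample in the shape of a Get-GPOReport -ReportType Xml result (not a real report);
# the namespaces and element names follow the Security extension layout the script navigates.
$SampleReport = @'
<GPO xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security" xsi:type="q1:SecuritySettings">
        <q1:RestrictedGroups>
          <q1:GroupName><q1:Name>BUILTIN\Administrators</q1:Name><q1:SID>S-1-5-32-544</q1:SID></q1:GroupName>
          <q1:Member><q1:Name>EXAMPLE\ServerAdmins</q1:Name><q1:SID>S-1-5-21-1-2-3-1105</q1:SID></q1:Member>
        </q1:RestrictedGroups>
        <q1:RestrictedGroups>
          <q1:GroupName><q1:Name>EXAMPLE\Helpdesk</q1:Name><q1:SID>S-1-5-21-1-2-3-1201</q1:SID></q1:GroupName>
          <q1:Memberof><q1:Name>BUILTIN\Remote Desktop Users</q1:Name><q1:SID>S-1-5-32-555</q1:SID></q1:Memberof>
        </q1:RestrictedGroups>
      </Extension>
      <Name>Security</Name>
    </ExtensionData>
  </Computer>
</GPO>
'@

function Get-XmlText($Node)
{
    # PowerShell exposes a child element without attributes as a plain string, with attributes as an XmlElement
    if ($Node -is [System.Xml.XmlNode]) { return $Node.InnerText }
    return [string]$Node
}

function Get-RestrictedGroupRule
{
    param([xml]$Report, [string]$GPOName)   # $GPOName stands in for what the script gets from Get-GPO
    foreach ($rg in $Report.GPO.Computer.ExtensionData.Extension.RestrictedGroups)
    {
        $groupName = Get-XmlText $rg.GroupName.Name
        # Pair each rule type with its meaning; @() wraps a single element, $null marks an absent rule type
        foreach ($rule in @(@('Members', $rg.Member), @('MemberOf', $rg.Memberof)))
        {
            foreach ($m in @($rule[1]))
            {
                if ($null -eq $m) { continue }
                [PSCustomObject]@{ GPOName = $GPOName; Rule = $rule[0]; RestrictedGroup = $groupName
                                   Subject = Get-XmlText $m.Name; SID = Get-XmlText $m.SID }
            }
        }
    }
}

[xml]$doc = $SampleReport
Get-RestrictedGroupRule -Report $doc -GPOName 'Example Server Admins' | Format-Table -AutoSize
```

With the sample above the output has two rows: a Members rule making EXAMPLE\ServerAdmins the membership of BUILTIN\Administrators, and a MemberOf rule adding EXAMPLE\Helpdesk to BUILTIN\Remote Desktop Users.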

Results:

I hope it will be useful for some of you 😉
Enjoy!

2 thoughts on “Get restricted groups from GPO”

  1. Hello,
    Thanks for your script and efforts, but it doesn’t work at all.
    Problem in param settings…
    Line 89: add $ to restricted Groups ==> $restricted Groups
    Test your script before publishing!
    Regards

    1. Thanks for the information!
      The script was tested, but it seems that while publishing the article I deleted the $ sign by mistake.
      It’s already fixed.
