希望验证域中过时的 GPO。标准之一是确保任何链接的 GPO 实际上不会过滤空安全组。因此,我需要编写脚本来检查所有域 GPO、它们的组以及过滤的组是否为空。一直在玩,但遇到问题:
# Function to list GPOs and associated filtered groups
function Get-GPOAndFilteredGroups {
# Get all GPOs in the domain
$GPOs = Get-GPO -All
foreach ($GPO in $GPOs) {
Write-Host "GPO Name: $($GPO.DisplayName)"
Write-Host "GPO ID: $($GPO.Id)"
Write-Host "GPO Domain Name: $($GPO.DomainName)"
Write-Host "GPO Description: $($GPO.Description)"
Write-Host "GPO Creation Time: $($GPO.CreatedTime)"
Write-Host "GPO Last Modified Time: $($GPO.ModifiedTime)"
# Get filtered groups associated with the GPO
$FilteredGroups = Get-GPPermissions -Guid $GPO.Id | Where-Object { $_.Permission -eq 'GpoApply' -and $_.Inherited -eq $false }
if ($FilteredGroups) {
Write-Host "Filtered Groups:"
foreach ($Group in $FilteredGroups) {
Write-Host " $($Group.Trustee.Name)"
}
} else {
Write-Host "No filtered groups associated."
}
Write-Host "----------------------------------------"
}
}
# Call the function to list GPOs and associated filtered groups
Get-GPOAndFilteredGroups
Get-GPPermissions :无法检索权限级别,因为未提供 All 参数,也未提供 TargetType 和 TargetName 参数。指定 All 参数以检索 GPO 上每个安全主体的权限级别。或者,同时指定 TargetName 和 TargetType 参数以检索单个安全主体的权限级别。然后,运行 再次命令。 行:15 字符:27