
Check for GPO or run GPupdate Remotely

This script does several things that are handy when Group Policy (SysVol) replication is a problem, for example in an environment still using FRS.

My thanks to Microsoft’s CoPilot for the help in sorting out the logic of the try-else-catch commands.

  • Enumerates the Azure AD Connect hybrid-joined Windows Servers found under a specific OU in a Windows Server 2016 Active Directory
  • Tests each server for port 3389 (RDP) access and builds a new list of ‘GoodServers’ in an array
  • Checks each GoodServer with GPResult to see whether a specific Group Policy is applied
  • If the GPO is not applied, the script runs a forced gpupdate the old way (the ‘Invoke-GPUpdate’ cmdlet never worked), which does not reboot the server or log off any accounts
  • Reports any errors thrown during the script and gives plenty of informative output
'Copy-SysVol-CoPilotRefined.ps1'

Import-Module ActiveDirectory

# Enumerate the Windows Servers under the Azure AD Connect (hybrid) OU
$SysVolCopyServers = Get-ADComputer -Properties DNSHostName,OperatingSystem -Filter {OperatingSystem -like "*Windows*Server*"} -SearchBase "OU=azure,OU=servers,DC=northamerica,DC=contoso,DC=com" -SearchScope Subtree
$SysVolCopyServerscount = $SysVolCopyServers.Count

# Test-Servers-Port3389.ps1
# Reset the array on every run
$GoodServers = @()
foreach ($server in $SysVolCopyServers) {
    $serverDNSHostName = $server.DNSHostName
    # Skip servers that do not answer on port 3389 (RDP)
    if (!(Test-NetConnection -ComputerName $serverDNSHostName -Port 3389 -InformationLevel Quiet -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)) {
        continue
    }
    # Skip servers that do not answer a ping
    if (!(Test-Connection -ComputerName $serverDNSHostName -Quiet -ErrorAction SilentlyContinue)) {
        continue
    }
    Write-Output $serverDNSHostName
    $GoodServers += $serverDNSHostName
}

# Output the list of good servers
$GoodServerscount = $GoodServers.Count
Write-Output "Checking for Group Policy in SysVol on $GoodServerscount MS Windows Servers"

# To test a single server by hand, set $GoodServer to its name or IP address:
# $GoodServer = "entra01.northamerica.contoso.com"
foreach ($GoodServer in $GoodServers) {
    # Run gpresult remotely to check if the GPO is applied
    # (the pattern passed to Select-String must match the GPO name as gpresult prints it)
    try {
        $result = Invoke-Command -ComputerName $GoodServer -ScriptBlock {
            gpresult /r /scope computer | Select-String "EnableWMIfromServiceNow"
        }
        if ($result) {
            Write-Output "Server: $GoodServer"
            Write-Output "GPO 'EnableWMIinWindows' is applied."
        } else {
            Write-Output "Server: $GoodServer"
            Write-Output "GPO 'EnableWMIinWindows' is not applied. Re-running gpupdate"
            # Run gpupdate remotely to get the GPO applied
            try {
                $result = Invoke-Command -ComputerName $GoodServer -ScriptBlock {
                    gpupdate /force
                }
                if ($result) {
                    Write-Output "Server: $GoodServer"
                    Write-Output "GPUpdate applied."
                } else {
                    Write-Output "Server: $GoodServer"
                    Write-Output "GPUpdate not applied."
                }
            } catch {
                Write-Output "Error connecting to server: $GoodServer"
                Write-Output $_.Exception.Message
            }
        }
    } catch {
        Write-Output "Error connecting to server: $GoodServer"
        Write-Output $_.Exception.Message
    }
}
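One caveat with the check above: Select-String matches the GPO name anywhere in the gpresult output, including the "not applied because they were filtered out" section, so a GPO denied by security filtering or WMI filtering would still be reported as applied. The function below is an added example (not part of the original script) that only counts a GPO as applied when it appears under the "Applied Group Policy Objects" heading; the sample text is constructed to resemble gpresult /r /scope computer output, and the function name Test-GpoApplied is my own.

```powershell
# Added example: parse gpresult text so that a GPO counts as applied only when
# it is listed under "Applied Group Policy Objects", not when it merely appears
# in the "filtered out" section further down.
function Test-GpoApplied {
    param(
        [Parameter(Mandatory)] [string[]] $GpResultLines,  # output of gpresult /r, one line per element
        [Parameter(Mandatory)] [string]   $GpoName         # GPO display name to look for
    )
    $inApplied = $false
    $applied   = @()
    foreach ($line in $GpResultLines) {
        $t = $line.Trim()
        if ($t -eq 'Applied Group Policy Objects') { $inApplied = $true; continue }
        if (-not $inApplied) { continue }
        if ($t -match '^-+$') { continue }   # underline printed below the heading
        if ($t -eq '')        { break }      # blank line ends the section
        if ($t -eq 'N/A')     { break }      # gpresult prints N/A when nothing is applied
        $applied += $t
    }
    # Exact name comparison (case-insensitive in PowerShell), not a substring match
    return [bool]($applied -contains $GpoName)
}

# Constructed sample: the GPO is present in the output, but only in the
# "filtered out" section, so it is NOT applied on this computer.
$sample = @'
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        EnableWMIinWindows
            Filtering:  Denied (Security)

    The computer is a part of the following security groups
    -------------------------------------------------------
        Domain Computers
'@ -split "`r?`n"

# Section-aware check used by this example
Test-GpoApplied -GpResultLines $sample -GpoName 'EnableWMIinWindows'

# The substring check from the script above, run over the same text for comparison
[bool]($sample | Select-String 'EnableWMIinWindows')
```

With this sample the section-aware check reports the GPO as not applied, while the plain Select-String check still matches, which is exactly the case where the script would skip the gpupdate it should have run. Note also that Invoke-Command relies on WinRM (ports 5985/5986), so a successful probe of port 3389 does not by itself guarantee the remote commands will connect.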
