• Get-GPOBackupAndReports PowerShell Script V1.00

    Some of you know that I do a lot of work with Active Directory and Group Policy (GPO). I needed a script that would:

    • Back up all GPOs in a domain
    • Give me HTML and XML reports for all those GPOs
    • Zip up the backups and reports
    • If specified, email me a copy of the Zip files.

    It didn’t take long to create the script, but the testing took a long time, verifying all the script parameters and the emailing of multiple attachments in a single email.

    I created a custom version of this script for my employer, Choice Solutions, that always emails the zip files to a shared mailbox.

    You can use this script to back up and get reports for the GPOs in a customer’s domain BEFORE you start either cleaning up or deleting GPOs.

    Here is the script in action.

    Figure 1
    Figure 2
    Figure 3
    Figure 4
    Figure 5

    Since very few of you read the help text (based on all the emails I get where the answer is in the help text), here is the script’s full help text.

    NAME
    C:\PSScript\Get-GPOBackupAndReports.ps1

    SYNOPSIS
    Creates a Backup and Reports for all Group Policies in the current Active Directory domain.

    SYNTAX
    C:\PSScript\Get-GPOBackupAndReports.ps1 [-ADDomain <String>] [-ComputerName <String>] [-Folder <String>] [-Dev] [-ScriptInfo] [-Log] [<CommonParameters>]

    C:\PSScript\Get-GPOBackupAndReports.ps1 [-ADDomain <String>] [-ComputerName <String>] [-Folder <String>] -SmtpServer <String> [-SmtpPort <Int32>] [-UseSSL] -From <String> -To <String> [-Dev] [-ScriptInfo] [-Log] [<CommonParameters>]

    DESCRIPTION
    Creates a Backup and HTML and XML Reports for all Group Policies in the current Active Directory domain.

    This Script requires at least PowerShell version 3 but runs best in version 5.

    This script requires at least one domain controller running Windows Server 2008 R2.

    This script outputs Text, XML and HTML files.

    You do NOT have to run this script on a domain controller, and it is best if you didn’t.

    This script was developed and run from a Windows 10 domain-joined VM.

    This script requires Domain Admin rights and an elevated PowerShell session.

    To run the script from a workstation, RSAT is required.

    Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)

    Remote Server Administration Tools for Windows 8

    Remote Server Administration Tools for Windows 8.1

    Remote Server Administration Tools for Windows 10

    PARAMETERS
    -ADDomain <String>
    Specifies an Active Directory domain object by providing one of the following
    property values. The identifier in parentheses is the LDAP display name for the attribute. All values are for the domainDNS object that represents the domain.

    Distinguished Name

    Example: DC=tullahoma,DC=corp,DC=labaddomain,DC=com

    GUID (objectGUID)

    Example: b9fa5fbd-4334-4a98-85f1-3a3a44069fc6

    Security Identifier (objectSid)

    Example: S-1-5-21-3643273344-1505409314-3732760578

    DNS domain name

    Example: tullahoma.corp.labaddomain.com

    NetBIOS domain name

    Example: Tullahoma

    Default value is $Env:USERDNSDOMAIN

    Required? false
    Position? named
    Default value $Env:USERDNSDOMAIN
    Accept pipeline input? false
    Accept wildcard characters? false

    -ComputerName <String>
    Specifies which domain controller to use to run the script against.
    ComputerName can be entered as the NetBIOS name, FQDN, localhost or IP Address.
    If entered as localhost, the actual computer name is determined and used.
    If entered as an IP address, an attempt is made to determine and use the actual computer name.

    This parameter has an alias of ServerName.
    Default value is $Env:USERDNSDOMAIN

    Required? false
    Position? named
    Default value $Env:USERDNSDOMAIN
    Accept pipeline input? false
    Accept wildcard characters? false

    -Folder <String>
    Specifies the optional output folder to save the output report.

    The folder specified must already exist.

    Required? false
    Position? named
    Default value
    Accept pipeline input? false
    Accept wildcard characters? false

    -SmtpServer <String>
    Specifies the optional email server to send the output report.

    Required? true
    Position? named
    Default value
    Accept pipeline input? false
    Accept wildcard characters? false

    -SmtpPort <Int32>
    Specifies the SMTP port.
    The default is 25.

    Required? false
    Position? named
    Default value 25
    Accept pipeline input? false
    Accept wildcard characters? false

    -UseSSL [<SwitchParameter>]
    Specifies whether to use SSL for the SmtpServer.
    The default is False.

    Required? false
    Position? named
    Default value False
    Accept pipeline input? false
    Accept wildcard characters? false

    -From <String>
    Specifies the username for the From email address.
    If SmtpServer is used, this is a required parameter.

    Required? true
    Position? named
    Default value
    Accept pipeline input? false
    Accept wildcard characters? false

    -To <String>
    Specifies the username for the To email address.
    If SmtpServer is used, this is a required parameter.

    Required? true
    Position? named
    Default value
    Accept pipeline input? false
    Accept wildcard characters? false

    -Dev [<SwitchParameter>]
    Clears errors at the beginning of the script.
    Outputs all errors to a text file at the end of the script.

    This is used when the script developer requests more troubleshooting data.
    The text file is placed in the same folder from where the script is run.

    This parameter is disabled by default.

    Required? false
    Position? named
    Default value False
    Accept pipeline input? false
    Accept wildcard characters? false

    -ScriptInfo [<SwitchParameter>]
    Outputs information about the script to a text file.
    The text file is placed in the same folder from where the script is run.

    This parameter is disabled by default.
    This parameter has an alias of SI.

    Required? false
    Position? named
    Default value False
    Accept pipeline input? false
    Accept wildcard characters? false

    -Log [<SwitchParameter>]
    Generates a log file for troubleshooting.

    Required? false
    Position? named
    Default value False
    Accept pipeline input? false
    Accept wildcard characters? false

    <CommonParameters>
    This cmdlet supports the common parameters: Verbose, Debug,
    ErrorAction, ErrorVariable, WarningAction, WarningVariable,
    OutBuffer, PipelineVariable, and OutVariable. For more information, see
    about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).

    INPUTS
    None. You cannot pipe objects to this script.

    OUTPUTS
    No objects are output from this script.

    NOTES

    NAME: Get-GPOBackupAndReports.ps1
    VERSION: 1.00
    AUTHOR: Carl Webster, Sr. Solutions Architect, Choice Solutions, LLC
    LASTEDIT: May 1, 2018

    -------------------------- EXAMPLE 1 --------------------------

    PS C:\PSScript >.\Get-GPOBackupAndReports.ps1

    ComputerName = $Env:USERDNSDOMAIN
    ADDomain = $Env:USERDNSDOMAIN
    Folder = $pwd

    -------------------------- EXAMPLE 2 --------------------------

    PS C:\PSScript >.\Get-GPOBackupAndReports.ps1 -ComputerName PDCeDC

    ComputerName = PDCeDC
    ADDomain = $Env:USERDNSDOMAIN
    Folder = $pwd

    -------------------------- EXAMPLE 3 --------------------------

    PS C:\PSScript >.\Get-GPOBackupAndReports.ps1 -ComputerName ChildPDCeDC -ADDomain ChildDomain.com

    Assuming the script is run from the parent domain.
    ComputerName = ChildPDCeDC
    ADDomain = ChildDomain.com
    Folder = $pwd

    -------------------------- EXAMPLE 4 --------------------------

    PS C:\PSScript >.\Get-GPOBackupAndReports.ps1 -ComputerName ChildPDCeDC -ADDomain ChildDomain.com -Folder c:\GPOReports

    Assuming the script is run from the parent domain.
    ComputerName = ChildPDCeDC
    ADDomain = ChildDomain.com
    Folder = C:\GPOReports (C:\GPOReports must already exist)

    -------------------------- EXAMPLE 5 --------------------------

    PS C:\PSScript >.\Get-GPOBackupAndReports.ps1 -SmtpServer mail.domain.tld -From XDAdmin@domain.tld -To ITGroup@domain.tld

    The script will use the email server mail.domain.tld, sending from XDAdmin@domain.tld, sending to ITGroup@domain.tld.

    The script will use the default SMTP port 25 and will not use SSL.

    If the current user’s credentials are not valid to send email,
    the user will be prompted to enter valid credentials.

    -------------------------- EXAMPLE 6 --------------------------

    PS C:\PSScript >.\Get-GPOBackupAndReports.ps1 -SmtpServer smtp.office365.com -SmtpPort 587 -UseSSL -From Webster@CarlWebster.com -To ITGroup@CarlWebster.com

    The script will use the email server smtp.office365.com on port 587 using SSL, sending from webster@carlwebster.com, sending to ITGroup@carlwebster.com.

    If the current user’s credentials are not valid to send email,
    the user will be prompted to enter valid credentials.

    RELATED LINKS

    You can always find the most current script by going to https://carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

    Thanks

    Webster

    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


    to “Get-GPOBackupAndReports PowerShell Script V1.00”

    1. Prashant Says:

      Hi,

      When I run the script in elevated session, I get the below error:
      GetGpoBackupAndReports : Backup was not successful. Script will now end.
      At E:\scripts\Repository\Carl-Webster\AllCurrentScriptFiles\Get-GPOBackupAndReports.ps1:765 char:1
      + GetGpoBackupAndReports
      + ~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
      + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,GetGpoBackupAndReports

      How to resolve this?


      • Carl Webster Says:

        I will update the script to show the list of GPOs being backed up. You probably have a bad/corrupt GPO or a GPO where the permissions are messed up.

        Webster

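Added example (not Webster's script and not part of the original post or comments): to find which GPO is behind a "Backup was not successful" error like the one in the comment above, back up and report on each GPO inside its own try/catch so that a corrupt or permission-damaged GPO is named instead of ending the run. It uses the GroupPolicy module cmdlets and PowerShell 5's Compress-Archive; the parameter names `$Domain`, `$Server` and `$Folder` and the output folder names are assumptions chosen for illustration, and the email step is left out.

```powershell
#Requires -Version 5
#Requires -Modules GroupPolicy
# Added example, not Get-GPOBackupAndReports.ps1. Assumes RSAT (GroupPolicy module) and
# rights to read every GPO. $Domain, $Server and $Folder are illustrative names.
param(
    [string]$Domain = $Env:USERDNSDOMAIN,
    [string]$Server = $Env:USERDNSDOMAIN,
    [string]$Folder = $pwd.Path          # must already exist, as with the script's -Folder
)

$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = New-Item -ItemType Directory -Path (Join-Path $Folder "GPOBackups-$stamp")
$reportDir = New-Item -ItemType Directory -Path (Join-Path $Folder "GPOReports-$stamp")
$failed    = @()

foreach ($gpo in (Get-GPO -All -Domain $Domain -Server $Server | Sort-Object DisplayName)) {
    try {
        # -ErrorAction Stop turns a per-GPO failure into a catchable exception
        Backup-GPO -Guid $gpo.Id -Domain $Domain -Server $Server `
            -Path $backupDir.FullName -ErrorAction Stop | Out-Null

        # Name report files by GUID: display names may contain characters invalid in paths
        foreach ($type in 'Html', 'Xml') {
            $file = Join-Path $reportDir.FullName ("{0}.{1}" -f $gpo.Id, $type.ToLower())
            Get-GPOReport -Guid $gpo.Id -ReportType $type -Domain $Domain -Server $Server `
                -Path $file -ErrorAction Stop
        }
        Write-Verbose "OK: $($gpo.DisplayName)"
    }
    catch {
        # Record the offending GPO and continue with the rest
        $failed += [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            Error       = $_.Exception.Message
        }
    }
}

# Zip the backups and the reports separately
Compress-Archive -Path $backupDir.FullName -DestinationPath "$($backupDir.FullName).zip"
Compress-Archive -Path $reportDir.FullName -DestinationPath "$($reportDir.FullName).zip"

if ($failed) {
    Write-Warning "$($failed.Count) GPO(s) could not be backed up or reported:"
    $failed | Format-Table -AutoSize -Wrap
}
```

The GPOs listed in the warning are the ones to inspect for corruption or broken permissions before any cleanup starts.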
