PowerShell - Check the GPO Replication across your domain

A couple of days ago we had to troubleshoot some SYSVOL replication issues throughout the domain. I wanted to check the version of the GPO that was modified recently and make sure it was replicated on all the Domain Controllers.

I created a small function called Get-ADGPOReplication to easily compare the versions of each Group Policy Object (User and Computer Configurations) on each Domain Controller in the Domain.

Get-ADGPOReplication sent to Out-Gridview

Retrieving the GPO Version and SysVol Version

As you probably know, you'll find 2 types of configurations inside each GPO: User and Computer.
The Cmdlet Get-GPO (from the module GroupPolicy) gives us some great details on the version numbers and the SysVol versions of those configurations.

Get-GPO -Name AZE_Test

In this output, notice the properties UserVersion and ComputerVersion, which give information about the GPO Version and SysVol Version. Those properties are generated for the default view only: they won't show if you look at all the properties/methods available (using Get-Member).

You'll have to dig into the property Computer and User to get the versions details.

Get-GPO -Name AZE_Test | Get-Member

(Get-GPO -Name AZE_Test).Computer | Get-Member

You need to inspect the property Computer to finally find the versions information.

(Get-GPO -Name AZE_Test).Computer

The same information is available for the User Configuration.

Function Get-ADGPOReplication

Get-ADGPOReplication retrieves the GPO version and Sysvol version across the domain for one or more Group Policy objects. This is especially helpful when troubleshooting replication issues.

This small function takes advantage of the module ActiveDirectory to retrieve the list of all Domain Controllers and the module GroupPolicy to query one or more Group Policy objects.

For each GPO, it will then retrieve the version of the User/Computer configurations and the Sysvol Version.

Getting the list of Domain Controllers
$DomainControllers = ((Get-ADDomainController -filter *).hostname)

Processing each Group Policy Object against each Domain Controller
Foreach ($GPOItem in $GPOName)
{
    # Query the same GPO on every Domain Controller
    Foreach ($DomainController in $DomainControllers)
    {
        $GPO = Get-GPO -Name $GPOItem -Server $DomainController -ErrorAction Stop
        # One output object per GPO and Domain Controller
        [pscustomobject][ordered] @{
            GroupPolicyName = $GPOItem
            DomainController = $DomainController
            UserVersion = $GPO.User.DSVersion
            UserSysVolVersion = $GPO.User.SysvolVersion
            ComputerVersion = $GPO.Computer.DSVersion
            ComputerSysVolVersion = $GPO.Computer.SysvolVersion
        }
    }#Foreach ($DomainController in $DomainControllers)
}#Foreach ($GPOItem in $GPOName)

Here is the output you should expect

Using the function against one GPO:
Get-ADGPOReplication -GPOName "AZE_Test"
Using the function against multiple GPOs:
Get-ADGPOReplication -GPOName "AZE_Test", "AZE_Test2"
Using the function against all GPOs:
Get-ADGPOReplication -All
Optionally you can send the output to Out-Gridview which will give you a very nice view on all your GPO versions.
Get-ADGPOReplication -GPOName AZE_Test | Out-GridView -Title "AZE_Test $(Get-Date)"
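
Reading the grid by eye gets slow once there are many GPOs and Domain Controllers, so here is an added example (not part of the original Get-ADGPOReplication script) that filters the function's output down to the rows that are out of sync. The helper name Find-GPOVersionDrift is hypothetical, the sample rows and DC host names are constructed, and it assumes the highest version seen for a GPO is the current one.

```powershell
function Find-GPOVersionDrift {
    # Hypothetical helper, not part of Get-ADGPOReplication: lists every
    # Domain Controller whose copy of a GPO is inconsistent or behind.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject[]]$InputObject)
    begin   { $rows = [System.Collections.Generic.List[psobject]]::new() }
    process { foreach ($item in $InputObject) { $rows.Add($item) } }
    end {
        foreach ($group in ($rows | Group-Object -Property GroupPolicyName)) {
            # Assumption: the highest version seen on any DC is the current one.
            $maxUser     = ($group.Group | Measure-Object -Property UserVersion -Maximum).Maximum
            $maxComputer = ($group.Group | Measure-Object -Property ComputerVersion -Maximum).Maximum
            foreach ($row in $group.Group) {
                $issues = @()
                # Directory copy and SYSVOL copy disagree on the same DC.
                if ($row.UserVersion -ne $row.UserSysVolVersion) { $issues += 'User: DS/SYSVOL mismatch' }
                if ($row.ComputerVersion -ne $row.ComputerSysVolVersion) { $issues += 'Computer: DS/SYSVOL mismatch' }
                # This DC has not yet received the newest version of the GPO.
                if ($row.UserVersion -lt $maxUser) { $issues += "User: behind (expected $maxUser)" }
                if ($row.ComputerVersion -lt $maxComputer) { $issues += "Computer: behind (expected $maxComputer)" }
                if ($issues.Count -gt 0) {
                    [pscustomobject]@{
                        GroupPolicyName  = $row.GroupPolicyName
                        DomainController = $row.DomainController
                        Issues           = $issues -join '; '
                    }
                }
            }
        }
    }
}

# Constructed sample rows in the shape Get-ADGPOReplication emits.
$sample = @(
    [pscustomobject]@{ GroupPolicyName='AZE_Test';  DomainController='DC01.example.test'; UserVersion=3; UserSysVolVersion=3; ComputerVersion=7; ComputerSysVolVersion=7 }
    [pscustomobject]@{ GroupPolicyName='AZE_Test';  DomainController='DC02.example.test'; UserVersion=3; UserSysVolVersion=3; ComputerVersion=7; ComputerSysVolVersion=6 }
    [pscustomobject]@{ GroupPolicyName='AZE_Test';  DomainController='DC03.example.test'; UserVersion=3; UserSysVolVersion=3; ComputerVersion=6; ComputerSysVolVersion=6 }
    [pscustomobject]@{ GroupPolicyName='AZE_Test2'; DomainController='DC01.example.test'; UserVersion=1; UserSysVolVersion=1; ComputerVersion=2; ComputerSysVolVersion=2 }
)
$sample | Find-GPOVersionDrift | Format-Table -AutoSize
```

Against a live domain, pipe the function's output straight in: Get-ADGPOReplication -All | Find-GPOVersionDrift. A Domain Controller that stays on the list keeps applying the older settings to the clients it serves.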

Download on GitHub
Download on Technet Gallery

Thanks for reading! If you have any questions, leave a comment or send me an email at fxcat@lazywinadmin.com. I invite you to follow me on Twitter @lazywinadm / Google+ / LinkedIn. You can also follow the LazyWinAdmin Blog on Facebook Page and Google+ Page.
