FindGPOsWithNoSecurityFiltering.wsf (3317B)
1 ///////////////////////////////////////////////////////////////// 2 // Copyright (c) Microsoft Corporation. All rights reserved 3 // 4 // Title: FindGPOsWithNoSecurityFiltering.wsf 5 // Author: mtreit@microsoft.com 6 // Created: 10/28/2001 7 // Purpose: Finds any GPOs in the specified domain 8 // that do not apply to anyone because 9 // no apply rights are set on the GPO 10 ///////////////////////////////////////////////////////////////// 11 12 /////////////////////////////////////// 13 // Initialization 14 /////////////////////////////////////// 15 <job> 16 17 // Include necessary libraries 18 <script language="JScript" src="Lib_CommonGPMCFunctions.js"/> 19 20 <script language="JScript"> 21 22 // Create global objects for use by the rest of the script 23 var GPM = new ActiveXObject("GPMgmt.GPM"); 24 var Constants = GPM.GetConstants(); 25 26 /////////////////////////////////////// 27 // Main script 28 /////////////////////////////////////// 29 30 // Handle command line arguments 31 var ArgumentList = ProcessCommandLineArguments(WScript.Arguments); 32 var szDomainName = ArgumentList.Item("Domain"); 33 34 // Initialize the Domain object 35 var GPMDomain = GPM.GetDomain(szDomainName, "", Constants.UseAnyDC); 36 37 // Set the permission we are going to look for 38 perm = Constants.PermGPOApply; 39 40 // Get a collection with all GPOs in the domain 41 var GPMSearchCriteria = GPM.CreateSearchCriteria(); 42 var GPOList = GPMDomain.SearchGPOs(GPMSearchCriteria); 43 44 WScript.Echo("GPOs in " + szDomainName + " that are missing 'Apply' rights:\n"); 45 46 // Loop through each GPO and check the permissions 47 var e = new Enumerator(GPOList); 48 var GPO, SecInfo, e2, GPMPermission, bFoundPerm; 49 50 for (; !e.atEnd(); e.moveNext()) 51 { 52 GPO = e.item(); 53 bFoundPerm = false; 54 SecInfo = GPO.GetSecurityInfo(); 55 e2 = new Enumerator(SecInfo) 56 57 for (; !e2.atEnd(); e2.moveNext()) 58 { 59 GPMPermission = e2.item(); 60 if (GPMPermission.Permission == perm) 61 { 62 bFoundPerm = true; 63 } 64 } 65 66 // If the permission was not found, print out the GPO name 67 if (bFoundPerm == false) 68 { 69 WScript.Echo(GPO.ID + " - " + GPO.DisplayName); 70 } 71 } 72 73 74 /////////////////////////////////////// 75 // Function Definitions 76 /////////////////////////////////////// 77 78 // Takes a WScript.Arguments object and returns a dictionary object 79 // containing the named arguments and values that were passed in 80 // 81 function ProcessCommandLineArguments(Arguments) 82 { 83 var szDomainName = ""; 84 85 // Check if this is cscript. If not, print an error and bail out 86 if (WScript.FullName.toLowerCase().search("wscript") > 0) 87 { 88 WScript.Echo("You must use cscript.exe to execute this script."); 89 WScript.Quit(); 90 } 91 92 var Result = new ActiveXObject("Scripting.Dictionary"); 93 94 if (Arguments.Named.Exists("Domain")) 95 { 96 szDomainName = Arguments.Named("Domain"); 97 } 98 99 // Get the current domain if none was specified 100 if (szDomainName == "") 101 { 102 szDomainName = GetDNSDomainForCurrentUser(); 103 } 104 105 Result.add("Domain", szDomainName); 106 107 return Result; 108 } 109 110 </script> 111 112 <!-- Usage and command line argument information --> 113 <runtime> 114 115 <description> 116 Prints a list of all GPOs in the domain that do not have any 'apply' permissions set. 117 These are GPOs that exist but will not actually apply to anyone. 118 </description> 119 120 <named name="Domain" helpstring="DNS name of domain" type="string" required="false" /> 121 122 <example> 123 Example: FindGPOsWithNoSecurityFiltering.wsf 124 </example> 125 126 </runtime> 127 128 </job>