GPO Enforcement only looking at OU linked GPOs

[kennyparsons]

Bug description

The GPO enforcement check considers only GPOs linked to an OU. It does not consider GPOs linked at the root level. This is found in Get-AbrADGPO.ps1

if ($OUs) {
     foreach ($OU in $OUs) {
         try {
             $GpoEnforced = Invoke-Command -Session $TempPssSession -ScriptBlock { Get-GPInheritance -Domain $using:Domain -Server $using:DC -Target ($using:OU).DistinguishedName | Select-Object -ExpandProperty GpoLinks }
...truncated

When run in an environment with GPOs assigned to the root, only GPOs assigned to an OU are found, because it's only looking for GPOs assigned to an OU.

Instead, this enforcement check should be run for all GPOs, regardless of where it is linked.

Here is a quick POC I had to run to get this info in my analysis:

function Is-GpoEnforced {
    param (
        [string]$GpoName
    )

    try {
        # Get the specific GPO by name
        $gpo = Get-GPO -Name $GpoName

        # Generate a report in XML format for the GPO
        $reportXml = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        # Convert the XML report into an XML object
        $xmlObj = [xml]$reportXml

        # Check the NoOverride (enforcement) status of the GPO links
        foreach ($link in $xmlObj.GPO.LinksTo) {
            if ($link.NoOverride -eq "true") {
            	Write-Host "$GpoName is enforced"
                return $true
            }
        }

        return $false
    }
    catch {
        Write-Warning "Error processing GPO: $GpoName. Error: $_"
        return $false
    }
}

# Get all GPOs in the domain
$allGPOs = Get-GPO -All

# Create an empty array to hold enforced GPOs
$enforcedGPOs = @()

# Check each GPO for enforcement
foreach ($gpo in $allGPOs) {
    if (Is-GpoEnforced -GpoName $gpo.DisplayName) {
        $enforcedGPOs += $gpo.DisplayName
    }
}

# Output the enforced GPOs as a table
$enforcedGPOs | Format-Table -Property @{Label="Enforced GPOs"; Expression={$_}}

First start by getting all GPOs, loop over them to get the xml report, which contains more information than just the enforcement, such as links. To get the enforcement status, use the xml key "NoOverride" in the links section of the xml report.

This approach should ensure that all GPOs that are enforced are included, not just those linked to an OU.

Command-line input

NA

Steps to reproduce

NA to a specific run, just a bug in how the data is gathered.

Expected behaviour

ALL GPOs enforced, not just those enforced at the root

Screenshots

No response

Operating System

2019 Server

PowerShell Version

PS7

PowerShell Modules

NA

Additional Context

No response

Before submitting

• I have read and followed the bug reporting guidelines.
• I have read the documentation, and referred to the known issues before submitting this bug report.
• I have checked for previously opened & closed issues before submitting this bug report.

[rebelinux]

Fixed:

[rebelinux]

Version v0.8.0 was released with the fix for this problem, could you please upgrade and test?

Additionally I added the option to generate diagrams. Can you please test and let me know if everything works fine?