The below script can be used to go query your GPO’s and find empty sections (computer or user), and disable them. This improves the speed of processing GPOs as machines will not look to disabled sections.

This was a recommendation from Microsoft during a recent RAP as a service that I consulted on.

Get-gpo -all | foreach {


    [xml]$GPOAsXML = Get-GPOReport -Guid (Get-GPO -Name $_.DisplayName).Id -ReportType Xml

    If(($GPOAsXML.DocumentElement.Computer.Enabled -eq $true) -and ($GPOAsXML.DocumentElement.Computer.InnerText.Length -eq 6))
    {
        (Get-GPO -Name $_.DisplayName).gpostatus = "ComputerSettingsDisabled"
        $_.DisplayName.ToString().PadRight(60) + " Computer section now disabled!"
        
    }
   
    If(($GPOAsXML.DocumentElement.User.Enabled -eq $true) -and ($GPOAsXML.DocumentElement.User.InnerText.Length -eq 6))
    {
        (Get-GPO -Name $_.DisplayName).gpostatus = "UserSettingsDisabled"
        $_.DisplayName.ToString().PadRight(60) + " User section now disabled!"
    }
   
}

Leave a Reply

Your email address will not be published. Required fields are marked *