Find and Disable Empty GPO Sections

The below script can be used to go query your GPO’s and find empty sections (computer or user), and disable them. This improves the speed of processing GPOs as machines will not look to disabled sections.

This was a recommendation from Microsoft during a recent RAP as a service that I consulted on.

Get-gpo -all | foreach {

    [xml]$GPOAsXML = Get-GPOReport -Guid (Get-GPO -Name $_.DisplayName).Id -ReportType Xml

    If(($GPOAsXML.DocumentElement.Computer.Enabled -eq $true) -and ($GPOAsXML.DocumentElement.Computer.InnerText.Length -eq 6))
        (Get-GPO -Name $_.DisplayName).gpostatus = "ComputerSettingsDisabled"
        $_.DisplayName.ToString().PadRight(60) + " Computer section now disabled!"
    If(($GPOAsXML.DocumentElement.User.Enabled -eq $true) -and ($GPOAsXML.DocumentElement.User.InnerText.Length -eq 6))
        (Get-GPO -Name $_.DisplayName).gpostatus = "UserSettingsDisabled"
        $_.DisplayName.ToString().PadRight(60) + " User section now disabled!"

Find unlinked GPO and remove via Powershell

Working on RAP as a service in the past few weeks I have worked with Microsoft to clean up Group Polices. Below are a few of the scripts that were used and their purpose.

Find Unlinked GPOs and export to a CSV:

Import-Module GroupPolicy
function IsNotLinked($xmldata){ 
    If ($xmldata.GPO.LinksTo -eq $null) { 
        Return $true 
    Return $false 
$unlinkedGPOs = @() 
Get-GPO -All | ForEach { $gpo = $_ ; $_ | Get-GPOReport -ReportType xml | ForEach { If(IsNotLinked([xml]$_)){$unlinkedGPOs += $gpo} }} 
If ($unlinkedGPOs.Count -eq 0) { 
    "No Unlinked GPO's Found" 
    $unlinkedGPOs | Select DisplayName,ID | export-csv c:\Source\output\unlinked.csv -NoTypeInformation

I like to export to a CSV to clarify exactly what I am removing. Now to remove:

Import-csv C:\Source\Output\unlinked.csv | ForEach-Object {Remove-GPO -guid $}