
Remove Default Computer OU from Group Policy Organization Units Report #30

Closed

toddjames opened this issue Dec 4, 2021 · 4 comments

toddjames commented Dec 4, 2021

When you redirect the default container for new computers joining the domain to an OU (which can have GPOs assigned to it) using the REDIRCMP command, you may have a perfectly useful OU with GPOs attached to it that is nevertheless empty. Many organizations might find it helpful to have a staging OU that all computers are joined to initially, so group policy is applied, and then they are moved to another OU, either automatically or manually.

We do this and in the "Group Policy Organizational Units" tab/report, this OU shows up because it is empty but has GPOs applied to it.

I would recommend checking the value of Get-ADDomain | Select ComputersContainer and ignoring this OU (if it is an OU), if there are GPOs assigned but no computers. Right now, the suggestion is that I should unlink GPOs and delete the OU because there are no computers within, but in my case that is definitely not what I want to do.

Edit: Additionally, I am now noticing that in the "Group Policy Summary" tab, it is telling me that there are GPOs that are unlinked, which are in fact linked to the empty staging/default OU. I'd recommend flagging those GPOs links as active links due to linking to the default computer container/OU.

PrzemyslawKlys (Member) commented

There is a reason why there are exclusions in place. It may or may not be what you want in output.

```powershell
# List every OU the report considers, without exclusions
$OUs = Get-GPOZaurrOrganizationalUnit
$OUs | Format-Table

# Exclude a single OU by its exact distinguished name
Get-GPOZaurrOrganizationalUnit -Verbose -Option Unlink -Exclusions @(
    'OU=Groups,OU=Production,DC=ad,DC=evotec,DC=pl'
) | Format-Table

# Exclude a whole subtree with a wildcard pattern
Get-GPOZaurrOrganizationalUnit -Verbose -ExcludeOrganizationalUnit @(
    '*,OU=Production,DC=ad,DC=evotec,DC=pl'
) | Format-Table

# The same exclusions passed to the HTML report
Invoke-GPOZaurr -Type GPOOrganizationalUnit -Online -FilePath $PSScriptRoot\Reports\GPOZaurrOU.html -Exclusions @(
    '*OU=Production,DC=ad,DC=evotec,DC=pl'
    '*OU=Accounts,OU=Administration,DC=ad,DC=evotec,DC=xyz'
)
```

I guess I could mark that OU excluded by default.

As for the 2nd problem - are you sure? The GPOList report doesn't check if there are computers/users in the OU. It checks only for links, and it does this forest-wide. It doesn't care if it's an empty OU or not. Maybe it's linked but the link is not enabled, which we treat as non-working.

Works fine for me:

Test-GPO-3, Test-GPO-4 are linked, but link disabled. Test-GPO-1, and Test-GPO2 are linked and link enabled.
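The two points raised so far (an empty redirected OU that still carries GPO links, and GPO links that exist but are disabled) can both be checked directly with the RSAT cmdlets. The following is an added example, not GPOZaurr code and not from either participant: it reads the redirected Computers/Users containers from `Get-ADDomain`, and for each one that is an OU lists enabled and disabled links from `Get-GPInheritance` together with a OneLevel object count, so an empty staging OU with live links stands out from an OU that is merely empty. The function name `Get-DefaultContainerGpoStatus` and the `StagingCandidate` property are this example's own.

```powershell
# Added example (not GPOZaurr code): report GPO link state and object count for the
# redirected default Computers/Users containers. Requires the ActiveDirectory and
# GroupPolicy RSAT modules on a domain-joined host with read access.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-DefaultContainerGpoStatus {
    [CmdletBinding()]
    param(
        # Domain to inspect; defaults to the current user's domain
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $adDomain = Get-ADDomain -Identity $Domain
    # ComputersContainer / UsersContainer reflect REDIRCMP / REDIRUSR redirections
    $targets = @(
        @{ Kind = 'Computers'; DN = $adDomain.ComputersContainer; Class = 'computer' }
        @{ Kind = 'Users';     DN = $adDomain.UsersContainer;     Class = 'user' }
    )

    foreach ($t in $targets) {
        # Only an OU can carry GPO links; the built-in CN=Computers / CN=Users containers cannot
        $isOu  = $t.DN -like 'OU=*'
        $links = @()
        if ($isOu) {
            $links = @((Get-GPInheritance -Target $t.DN -Domain $Domain).GpoLinks)
        }
        $enabledLinks  = @($links | Where-Object { $_.Enabled })
        $disabledLinks = @($links | Where-Object { -not $_.Enabled })

        # Count objects directly inside the container (OneLevel, not the whole subtree)
        $members = @(Get-ADObject -SearchBase $t.DN -SearchScope OneLevel -Server $Domain `
            -LDAPFilter "(objectClass=$($t.Class))")

        [PSCustomObject]@{
            Kind                 = $t.Kind
            DistinguishedName    = $t.DN
            IsOrganizationalUnit = $isOu
            ObjectCount          = $members.Count
            EnabledLinks         = ($enabledLinks  | ForEach-Object DisplayName) -join ', '
            DisabledLinks        = ($disabledLinks | ForEach-Object DisplayName) -join ', '
            # An empty OU with enabled links is the staging-OU case that should not be
            # treated as a candidate for unlinking and deletion
            StagingCandidate     = ($isOu -and $members.Count -eq 0 -and $enabledLinks.Count -gt 0)
        }
    }
}

Get-DefaultContainerGpoStatus | Format-List
```

A GPO that appears only under `DisabledLinks` is linked but with the link switched off, which matches the maintainer's explanation of why it shows as non-working in the summary; the `StagingCandidate` flag is the condition the issue asks the OU report to leave alone by default.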

toddjames (Author) commented Dec 4, 2021

On the second issue, sorry, yes you are correct. The link was disabled. Apologies as we almost never disable, just unlink.

As for the original issue, I didn't realize exclusions were possible. However, after reviewing the documentation in the Docs directory, I'm not clear on what all excluding an OU does.

My suggestion is merely, by default, to not consider it a problem in the "Group Policy Organizational Units" report that there is an empty OU with GPOs as long as it is the default OU for new computers joining the domain.

PrzemyslawKlys (Member) commented

Yes, I'll add it for both computers and users, as this is a common scenario for both. Docs are built on comment-based help. Most of the effort is put into the HTML or into examples.

In case of adding an exclusion the report marks the Status column as Excluded.

Basically the summary changes, the HTML table shows this, and the "fix" code also shows those exclusions, to be used if someone would like to unlink those GPOs.

PrzemyslawKlys (Member) commented

Now that I think about excluding redirected OUs by default... it's a question what should be excluded: the direct OU, or sub-OUs as well. Depending on how someone organized their OUs, I guess the safest bet is to just exclude the redirected OU and leave the others as they were, subject to deletion or manual exclusion.
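The choice between excluding only the redirected OU and excluding its whole subtree can be made explicit in the exclusion list itself. The following is an added example, not GPOZaurr code and not from the maintainer: `Test-OuExcluded` applies PowerShell `-like` wildcard matching to a constructed sample OU tree and shows what each of the two exclusion lists covers. That GPOZaurr's `-Exclusions` parameter uses the same wildcard semantics is an assumption drawn from the `*,OU=...` patterns shown earlier in the thread, not something verified here; the OU names are constructed and reuse the `DC=ad,DC=evotec,DC=pl` suffix from the thread.

```powershell
# Added example (not GPOZaurr code): compare "direct OU only" against "OU plus subtree"
# exclusion lists for a redirected default computers OU. Matching uses PowerShell -like
# wildcards; treating that as GPOZaurr's matching rule is an assumption.

function Test-OuExcluded {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string[]]$Exclusions = @()
    )
    foreach ($pattern in $Exclusions) {
        if ($DistinguishedName -like $pattern) { return $true }
    }
    return $false
}

# In production this would come from (Get-ADDomain).ComputersContainer; the value
# below is constructed for the example.
$redirectedComputersOu = 'OU=Staging,OU=Computers,DC=ad,DC=evotec,DC=pl'

# Constructed sample tree: the redirected OU, one sub-OU under it, and one sibling OU
$sampleOus = @(
    'OU=Staging,OU=Computers,DC=ad,DC=evotec,DC=pl'
    'OU=Laptops,OU=Staging,OU=Computers,DC=ad,DC=evotec,DC=pl'
    'OU=Servers,OU=Computers,DC=ad,DC=evotec,DC=pl'
)

# Option 1: exact match on the redirected OU only (the safer default discussed above).
# Sub-OUs stay in the report and are still subject to deletion or manual exclusion.
$directOnly = @($redirectedComputersOu)

# Option 2: the redirected OU plus everything beneath it, via a leading-wildcard pattern
$withSubtree = @($redirectedComputersOu, "*,$redirectedComputersOu")

foreach ($ou in $sampleOus) {
    [PSCustomObject]@{
        OU              = $ou
        ExcludedDirect  = Test-OuExcluded -DistinguishedName $ou -Exclusions $directOnly
        ExcludedSubtree = Test-OuExcluded -DistinguishedName $ou -Exclusions $withSubtree
    }
}

# Either list can then be handed to the report, e.g.
# Invoke-GPOZaurr -Type GPOOrganizationalUnit -Exclusions $directOnly
```

With the direct-only list, `OU=Staging` is excluded while `OU=Laptops,OU=Staging` and `OU=Servers` are not; the subtree list additionally excludes `OU=Laptops,OU=Staging` but still leaves the sibling `OU=Servers` in the report.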
