PowerShell Script: find GPO by policy.
1 min read · Apr 13, 2021
Have you ever found yourself looking for that one GPO that does that one thing and you can’t find it in the sea of GPOs in your organization?
While dealing with the Zerologon vulnerability in the Active Directory infrastructure (CVE-2020-1472), I had to find all the GPOs that contain the following three policies:
- Domain member: Digitally encrypt or sign secure channel data (always)
- Domain member: Digitally encrypt secure channel data (when possible)
- Domain member: Digitally sign secure channel data (when possible)
So I wrote this script, which finds any GPO that disables any of those policies.
Let's walk through what the script does:
The script gets all the GPOs in the domain and generates an XML report for each of them.
Next it searches each report for the policy name and checks whether that policy is set to Disabled.
Finally it prints the names of all the GPOs that contain one of those policies in the Disabled state.
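The following script is an added example of that procedure; it is not the script from the original post. It assumes the GroupPolicy module is available (RSAT or a domain controller), that the account can read GPOs, and that the Get-GPOReport XML layout places each Security Option under Computer/ExtensionData/Extension/SecurityOptions with a KeyName, a Display/Name and a Display/DisplayBoolean element ("true" = Enabled, "false" = Disabled). The function name Find-GpoDisablingSecureChannel and the hashtable of registry value names are my own; the mapping of RequireSignOrSeal, SealSecureChannel and SignSecureChannel to the three policies is the documented one.

```powershell
# Added example (not the script from the original post): enumerate every GPO in the
# domain, render each one as an XML report, and return the GPOs that explicitly set
# any of the three Netlogon secure-channel options to Disabled.
#
# Assumptions: GroupPolicy module present, read access to the GPOs, and the
# Get-GPOReport XML layout in which a Security Option appears under
# Computer/ExtensionData/Extension/SecurityOptions with KeyName, Display/Name and
# Display/DisplayBoolean ("true" = Enabled, "false" = Disabled).
Import-Module GroupPolicy -ErrorAction Stop

# Registry value names behind the three policies (hashtable name is my own). Matching on
# KeyName rather than the localized display name keeps this working on non-English DCs.
$SecureChannelValues = @{
    'RequireSignOrSeal' = 'Domain member: Digitally encrypt or sign secure channel data (always)'
    'SealSecureChannel' = 'Domain member: Digitally encrypt secure channel data (when possible)'
    'SignSecureChannel' = 'Domain member: Digitally sign secure channel data (when possible)'
}

function Find-GpoDisablingSecureChannel {
    [CmdletBinding()]
    param(
        # Domain to query; defaults to the DNS name of the current user's domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # One XML report per GPO; the [xml] cast gives a navigable object tree.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml

        # Security Options live in the computer-side SecuritySettings extension.
        # PowerShell's XML adapter ignores namespace prefixes, so plain dot-walking works,
        # and it yields $null (no error) for a GPO with no computer-side settings.
        $options = $report.GPO.Computer.ExtensionData.Extension.SecurityOptions
        foreach ($opt in @($options)) {
            if (-not $opt.KeyName) { continue }

            # Last segment of e.g.
            # MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
            $valueName = ($opt.KeyName -split '\\')[-1]
            if (-not $SecureChannelValues.ContainsKey($valueName)) { continue }

            # Boolean options carry their state in Display/DisplayBoolean; SettingNumber is
            # the raw REG_DWORD value and is checked as a fallback (0 = Disabled).
            $disabled = ($opt.Display.DisplayBoolean -eq 'false') -or ($opt.SettingNumber -eq '0')
            if (-not $disabled) { continue }

            [pscustomobject]@{
                GpoName  = $gpo.DisplayName
                GpoId    = $gpo.Id
                Policy   = $SecureChannelValues[$valueName]
                KeyName  = $opt.KeyName
                State    = 'Disabled'
                # Where the GPO is linked (empty for an unlinked GPO), so findings can be prioritised.
                LinkedTo = (@($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; ')
            }
        }
    }
}

# Print the findings; pipe to Export-Csv instead to keep a record of the review.
Find-GpoDisablingSecureChannel | Format-Table -AutoSize
```

Two caveats when reading the output. A policy that is Not Configured simply does not appear in the XML report, so the script only reports GPOs that explicitly disable one of the options; a GPO that leaves them unconfigured but is linked higher than a disabling GPO is not a finding. The LinkedTo column is there because an unlinked GPO that disables these options is noise, while one linked at the domain root is the first thing to fix.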
I hope you will find this script useful.