Friday 3 May 2024

GPO - Searching for a string in backed up GPO files

Housekeeping abandoned

GPOs or Group Policy Objects can be unwieldy at the best of times. I walked into an organisation and was landed in the middle of a quagmire of chaos with over a thousand GPOs, some first created over 16 years ago.

There is no guessing that basic housekeeping was the furthest from the mind of the administrators of that estate; an Augean stable of egregious compromise and mismanagement awaits, but what to do?

Get an understanding of what has been done, and work to give a form of sanity to the infrastructure with the view to an eventual cleanup and the preparation of ingesting the best parts of this setup into Entra ID. It would seem like a pipe dream.

Just the shock, I decided to back up all the GPOs, which took just under 7 hours. Now that I had a backup, it would be easier to search the GPReport.XML files in my backup folder for historical information than to search the live environment.

ChatGPT does the heavy lifting

So, I offered ChatGPT-4 an extensive prompt of requirements to read the files, find the string, and output the result to a CSV file. Because a GPO might be linked to several containers, at domain level or OUs, there is also a separate output file for when the GPO is linked.

I guess, manipulating an XML file can be fun to extract the information you need, but this is not about XML gymnastics, just getting useful information out of GPOs.

The Code:


<#	
	====================================================================================
	 Created with: 	ChatGPT-4 and PowerShell ISE
	 Created on:   	03/05/2024 00:46 AM
	 Curated by:   	Akin Akintayo
	 Filename:     	Search-StringInGPOXML.ps1

	------------------------------------------------------------------------------------

	 Purpose: This is created as a time-saving script to search through backed-up GPOs
     in a folder specified for a string and output first to a CSV file, all occurrences
     of the string and in a separate LinksTo file list all the links to the GPO

	====================================================================================
	
#>


# Define the path to the directory containing GPO backups
$BackupDirectory = "C:\Repository\GPO\GPOBackup\Backup-02-05-2024"

# Define the output path for the CSV file
$OutputPath = "C:\Repository\GPO\GPResults"

# Prompt for the search string
$searchString = Read-Host "Please enter the string to search for"

# Create a filename for the CSV based on the current date and the search string
$UniqueFile = "$(Get-Date -Format 'yy-MMM-dd-HH-mm-ss')-$($searchString -replace ' ', '')"
$csvFileName = "$($UniqueFile)-GPOReport.csv"
$csvFileFullPath = Join-Path $OutputPath $csvFileName
$LinkInfoFilename = "$($UniqueFile)-LinksTo.Log"
$LinksToFullPath = Join-Path $OutputPath $LinkInfoFilename

# Import the GroupPolicy module
Import-Module GroupPolicy

# Get all GPReport.xml files from the specified directory
$xmlFiles = Get-ChildItem -Path $BackupDirectory -Filter "GPReport.xml" -Recurse -Depth 1

# Prepare an array to hold the results
$results = @()

# Loop through each XML file to search for the specified string
foreach ($file in $xmlFiles) {
    # Load the XML content
    [xml]$xmlContent = Get-Content -Path $file.FullName

    # Check if the XML content contains the search string
    if ($xmlContent.OuterXml.Contains($searchString)) {
        # Extract GPO details
        # $gpoDetails = Get-GPO -Guid $xmlContent.GPO.Identifier -All

        # Create a custom object to hold the necessary details
        $result = [PSCustomObject]@{
            Name = $xmlContent.GPO.Name
            GUID = $xmlContent.GPO.Identifier.Identifier.'#text'
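            # A GPO can have several links; join their states so the CSV cell is not "System.Object[]"
            Linked = @($xmlContent.GPO.LinksTo.Enabled) -join ';'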
            GPOFolder = $file.Directory.Name
        }

        If ($xmlContent.GPO.LinksTo.Enabled) {
            "$($xmlContent.GPO.Name) `n`n  $($xmlContent.GPO.LinksTo.SOMPath)`n`n`n`n" | Out-File -FilePath $LinksToFullPath -Append -Width 200
        }

        # Add the custom object to the results array
        $results += $result
    }
}

# Export the results to a CSV file
$results | Export-Csv -Path $csvFileFullPath -NoTypeInformation

# Output the name of the CSV file created
Write-Host "CSV file created: $csvFileFullPath"
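
The script above reports which GPOs contain the string. The following added example (not part of the original script) goes one step further: it reports whether the match sits under Computer or User configuration, in which settings extension, and the enabled state of each link. The function name Find-GpoSettingMatch, the temp folder, and the simplified sample GPReport.xml are assumptions constructed for illustration.

```powershell
# Added example (not from the original post). Find-GpoSettingMatch is a hypothetical name.
function Find-GpoSettingMatch {
    param(
        [Parameter(Mandatory)][string]$BackupDirectory,
        [Parameter(Mandatory)][string]$SearchString
    )
    Get-ChildItem -Path $BackupDirectory -Filter 'GPReport.xml' -Recurse | ForEach-Object {
        $file = $_
        [xml]$report = Get-Content -Path $file.FullName -Raw
        $gpo = $report.GPO
        # One entry per link, since a GPO can be linked to several containers
        $links = @($gpo.LinksTo | Where-Object { $_ } |
            ForEach-Object { "$($_.SOMPath) (enabled=$($_.Enabled))" })
        foreach ($scope in 'Computer', 'User') {
            # Each ExtensionData block is one settings area (Scripts, Registry, ...)
            foreach ($ext in @($gpo.$scope.ExtensionData | Where-Object { $_ })) {
                # Literal, case-insensitive match inside this settings area only
                $hit = $ext.OuterXml.IndexOf($SearchString,
                    [System.StringComparison]::OrdinalIgnoreCase) -ge 0
                if ($hit) {
                    [PSCustomObject]@{
                        Name      = $gpo.Name
                        GUID      = $gpo.Identifier.Identifier.'#text'
                        Scope     = $scope
                        Extension = $ext.Name
                        Links     = $links -join '; '
                        GPOFolder = $file.Directory.Name
                    }
                }
            }
        }
    }
}

# Constructed, simplified sample backup (not real data) so the function can be tried offline
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'GpoSearchDemo'
$demo = Join-Path $root 'Backup1'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Identifier><Identifier xmlns="http://www.microsoft.com/GroupPolicy/Types">{00000000-0000-0000-0000-000000000001}</Identifier></Identifier>
  <Name>Constructed - Legacy Logon Script</Name>
  <Computer><Enabled>true</Enabled></Computer>
  <User><Enabled>true</Enabled>
    <ExtensionData><Extension><Script><Command>\\oldserver\netlogon\map.cmd</Command></Script></Extension><Name>Scripts</Name></ExtensionData>
  </User>
  <LinksTo><SOMPath>example.test/Staff</SOMPath><Enabled>true</Enabled></LinksTo>
  <LinksTo><SOMPath>example.test/Archive</SOMPath><Enabled>false</Enabled></LinksTo>
</GPO>
'@ | Set-Content -Path (Join-Path $demo 'GPReport.xml')

Find-GpoSettingMatch -BackupDirectory $root -SearchString 'OLDSERVER' | Format-List
```

Pipe the function's output to Export-Csv instead of Format-List to keep the same CSV workflow as the script above.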

Wednesday 24 August 2022

Customer support done so badly

I asked for help

I relate below a totally failed customer support activity that I requested from my DNS provider on Friday, because I was frustrated by their inertia, their exacerbation of the problem, and as a result, it put my week out that it is taking some time to get back on an even keel.

I logged a support ticket because a change the firm had done on the backend took away the presentation of my corporate Blogger website using a domain name, they had provided me. The change was implemented in mid-March, but I just did not seem to have the time to address it, so I removed all references to my corporate website on all published material until I could properly review the issue.

Asking with clear concerns

My support ticket was written thus:

I had my company blog at http://www.forakin.com/ which is a redirection for http://forakin.blogspot.com for years until a change was made to your back-end systems.

Since that change, anytime I visit my blog, I get the following error:

Welcome to www.forakin.com, a site recently created using our clustered Linux web hosting. If you’re seeing this page instead of your website, please replace or remove the default index.php from your public_html directory. (Screenshot attached.)

I have no idea what to do here because I did not have to create an index.php file when I created my website and the redirection from here, I believe it is a file in the TSOHost environment which I did find but still could not resolve the issue.

Note: Also, I use forakin.com as my Microsoft Azure domain with my email managed within Azure / Microsoft 365 and cannot afford for any changes to the domain to affect my email services.

Expectation: How do I get my Google Blogger website to show again when referenced as forakin.com?

The error I reported.

Think like your customer

The error I was getting when I visited my website, I could not fix even after I accessed the said file on the hosting service portal, this apart from the fact that I did nothing in Linux or with the service provider apart from entering a few DNS records to redirect my custom domain to my blog.

Fundamentally, the change had no guidance for users who do not normally tinker with Linux and all I wanted was for this issue to be fixed.

However, despite the narrative of my issue, the note attached was quite particular, whilst I wanted a problem solved, I had a core dependency on that domain name, the business email that I could not afford to lose, and I clearly stated that I do not want any changes made that would affect my email service.

Despite my expectation of a resolution, my thinking was my note would stay paramount in the mind of whoever took up the issue to help resolve it. I was wrong.

This matter goes to the heart of understanding what it is to give customer support in the Information Technology and Computing world. It is not enough to understand and comprehend the problem being stated with the wherewithal to resolve the issue. Much as a customer will have expectations, once a concern or requirement is raised, nothing whatsoever should be done to impair the quality of service the customer is trying to retain as the issue is being resolved.

A fix or a fudge?

On Saturday morning, I received an update from a customer support person, and this is what he said:

Thank you for getting in touch on that matter!

I checked your account, and it seems like the problem was coming from the DNS conflict, I fixed it, but could you clarify from where should the website load from?

Could you please confirm where you host your emails because it currently shows they are with Outlook?

If you have any further questions or concerns, we will remain available.

There is a lot in this response that might not be seen without carefully reading it. He said, “I fixed it.” No, it was not fixed, and his assessment that it was a DNS conflict was strange because no changes had been done to my custom DNS records for well over a year, and everything website and email was working until the change in mid-March when I lost access to my website.

I already stated where I was loading my website from in my support ticket, all he had to do was click on both URLs to see what results. He had somewhat attempted a quick fix, with no attention to detail or verification of the consequence of his action.

Indeed, my emails were hosted with Outlook, he would have seen the DNS records indicating that and that service was what I expressly said should not be affected by what they do.

Like I said, my website was not working after the fix, rather it was showing another error. However, what also happened was I was no longer able to receive emails on my business email account. Much as I was able to send from it with my email client, no emails were received.

Hey! I’ve lost my email service

I updated my support ticket with my new observations and concerns, this time asking that they either revert what was done or resolve everything and particularly the email service that was lost.

Another customer support agent, instead of reading what I had written, responded on Monday morning:

In terms for the emails related to forakin.com, you need to contact Microsoft as they are the email providers and not us.

They should be able to assist you a lot further into this as they will see any errors that appear.

If you need further assistance, feel free to contact us.

Not our problem, dear

Well, no, I do not need to contact Microsoft when in fact it is what your customer support agent did that lost me the email service. I was incandescent with rage but had to keep my cool as I tried to assess the situation.

I visited the Microsoft 365 portal to check my domain configuration and what I could see on the Microsoft end was that it was expecting to read some DNS records from my DNS hosting provider, and it was getting something else. Their assessment of the issue was that some DNS entries were wrong.

Therefore, if a member of staff with my DNS hosting provider was tinkering with settings on my account and fixing a DNS conflict that until I received the first response was working, the responsibility for the issue lay with my DNS hosting provider, but what I was met with was lethargy, inertia, and a total lack of consideration. It was in all terms a total failure of change management and customer support.

Maybe it’s just the culture there

This was further complicated by the fact that no one could determine what the supposed DNS conflict was nor was there any documentation of exactly what was done that could be reverted.

The culture in the organisation was becoming evident.

  1. A lack of controls in the organisation that documents or considers customer engagement, apart from the fact that they had withdrawn telephone support for either live chat or support ticket registration.
  2. A lack of attention to detail where customer concerns are paramount, requiring the customer to be first informed of the consequences of any action to be taken before the action is implemented.
  3. A poor grasp of comprehending and reading up on all the material and communication between the customer and any agent before acting or responding.
  4. No proper escalation processes where a poorly executed activity can be reviewed and remediated towards reversion or forward resolution.
  5. A tendency to engage in back-and-forth communication without any sense of responsibility for their actions.
  6. An absence of enduring team cohesion that allows other agents to know what one agent has done, especially when that action has caused other issues.
  7. In fact, I did also write to the head of the organisation about my issue, well, they just pay lip service to customer service and enablement, but the reality is far from the intentions expressed.

I provided additional information with screenshots and data that needed to be entered in my custom DNS records table, even though from my perspective on the DNS provider’s portal, everything seemed correct.

However, I could not persuade my DNS provider’s agents to enter these DNS records, they all were requiring me to clean up after the mess that one of their agents had created by totally ignoring my note.

By Tuesday morning, it became evident that whatever I was trying to do on the DNS provider’s portal was not working. This might have been because that part of the portal even though it was displaying my changes was not saving the same changes.

For all that time, Microsoft 365 was indicating to me that no changes were being observed from the entries on my DNS provider’s side to match the entries it was expecting.

Not all rotten apples

Eventually, I initiated a new Live Chat session where the very helpful agent said the DNS records were propagating, but when I checked, they were not the expected DNS records. I was then able to persuade the agent to enter the 5 records needed to restore my email service and device registration service in Microsoft Endpoint Manager.

Once those were done on Tuesday afternoon, my email service was restored, and by then I was no longer interested in getting my corporate website back up on forakin.com. I could not go through another ordeal like that, so I began the process of moving my corporate website to forakin.org, which is hosted by another DNS provider.

Now that I think of it, I might well consider moving forakin.com to this other DNS provider.

It was all unnecessary

It must be said, this issue could have been resolved on Monday morning if any of the customer support team cared. I provided them with the full details of the DNS records that needed to be entered to be matched to what Microsoft 365 was expecting and each time, rather than act, they asked me to do it myself.

A few hours after my email service was restored, I got another update on my support ticket asking for the DNS entries I had already provided and this was after the update that the issue had been resolved. What did I say earlier, they do not read the full thread of communication before they act, it is appalling.

This time I had to update the subject and state as the first line in my response, “Please, close this ticket.” After which I explained why it should be closed. It is evident that if an organisation cannot take responsibility for the actions they have undertaken, it is quite unnecessary waiting for an apology from them.

It is my hope that customer service in that organisation improves; however, if I have to face another technical support situation, I would rather take my custom elsewhere. No one should ever have to face the level of ineptitude I experienced, and this is the case with someone who has been in the industry for over 3 decades. I hate to think of what people who have no IT experience have to face; it just does not bear thinking of.

Personal website

Business website – I hope to start putting more up there.

Friday 10 July 2020

Constantly learning to improve oneself


Experience under review

When I tell people in my professional circle that I have been working with Microsoft System Management Server (SMS) since 1996 with version 1.1, it is neither to intimidate nor to show off, but I hope it comes with a sense of authority that I have an idea of what I am talking about. This knowledge has defined the majority of my professional career.

Experience is a good thing and the SMS we knew then has gone through many name changes and version iterations, features added on, deprecated, evolving and maybe even transmogrifying into a monster of client, user, device, application, and data management proportions.

It became System Center Configuration Manager which we termed SCCM that the professionals called ConfigMgr, then last year, the name changed to Endpoint Configuration Manager, but we have the acronym MEMCM to play with. No questions to that apart from the fact that our Microsoft development and support backchannels prefer it that way and on Twitter, that is the hashtag they will respond to. [Wikipedia: Microsoft System Center Configuration Manager]

Exchanging ideas for improvement

We have a large and active community of administrators and architects who not only share ideas, solutions, and tips, we are also the best innovation resource for getting features implemented in the product, some of which I have contributed to going back over 15 years.

That I know how the product works does not mean I am the apostle of product functionality or technology, I am constantly looking for new ideas and perspectives, scenarios others have encountered that they have applied novel solutions to and shared with our community.

I have a test lab at home running on an extensive setup of virtual machines on which I try out ideas and gain conversance with the new features. Nothing works as well as having an issue at work and me logging on to my home network to check things out either to affirm or dispute issues.

Going back to the roots

Yet, more pertinent is the need for someone with my experience to find time to go back over the fundamentals and the essentials. It is important to never assume that the primers or introductions cannot contain new and useful information to help reinforce or, finally, debunk a premise that was getting the prominence of gospel truth until the times and changes obviated that assertion.

For my weekend reading, I found a 346-page manual of how to set up MEMCM from scratch. I know a lot of it, and I still learn much more; I am open to new knowledge that would give my expertise more heft. The job of learning never ends and like I sometimes say, that is a good thing.