EvotecIT / GPOZaurr

Group Policy Eater is a PowerShell module that aims to gather information about Group Policies but also allows fixing issues that you may find in them.

Detect GPOs with missing files and report on it #42

Closed ssg47 closed 7 months ago

ssg47 commented 1 year ago

WARNING: Get-XMLGPO - Reading GPO content [XXX-GPO-S-C Hardening (v10.0.1)/DomainFQDN] returned an error. This may be because of non-english language. Assesing EMPTY using old method which can report false positives. Be careful please.

In issue #10 you have seen this error in a Dutch language GPO. I am seeing it in an English language GPO.

The policy has user settings disabled and contains both Policies and Preferences. There are multiple policies but a single preference. In GPMC, it shows an error for the preference:

An unknown error occurred while data was gathered for this extension. Details: Could not find file '\\DomainControllerFQDN\sysvol\DomainFQDN\Policies\{GUIDstring}\Machine\Preferences\Registry\Registry.xml'.

I'm happy to help if you want to incorporate this in your marvellous module. Otherwise, I'm happy for you to close as a known issue.

PrzemyslawKlys commented 1 year ago

To me, from the screenshot, it seems like a broken GPO missing the registry.xml file? That's why it's not able to scan it properly and assess it. I guess it could be detected as part of a broken GPOs report or something.

ssg47 commented 1 year ago

Yes, the file is missing. The error shows in the GPOReport:

<ExtensionData>
    <Error>
        <Details>Could not find file '\\DomainControllerFQDN\sysvol\DomainFQDN\Policies\{GUIDString}\Machine\Preferences\Registry\Registry.xml'.</Details>
        <Description>Errors.Extensions.GeneralError</Description>
    </Error>
    <Name>Windows Registry</Name>
</ExtensionData>

PrzemyslawKlys commented 1 year ago

So GPOZaurr correctly detects a problem and expects you to fix it yourself. I don't think we can do any automation here other than maybe a report for GPOs that are broken the same way. What do you think GPOZaurr should do?

PrzemyslawKlys commented 1 year ago

I've now created a GPO, added registry settings and went and deleted registry.xml in it. Sure enough error:

image

We could add a GPOMissingFiles report that would detect these issues, but all in all, it's a problem we can't really solve other than by removing the GPO or trying to remove the respective part so it doesn't have this entry anymore.

ssg47 commented 1 year ago

I agree, there is no automated fix. It does detect a problem but it's not in the report. I've inherited a mess - there were so many warnings when I first ran it that I missed this one. Currently, on the Group Policy Summary table, it is showing as all green but it's definitely not healthy, so just a column in that table flagging that would be useful (or add it to the problem column).

I know this is a minor grumble. I was amazed when I saw the size of the module. You must be very proud of your work!

PrzemyslawKlys commented 1 year ago

I'll try to add another report and maybe improve the message about this when scanning. I expect people that run GPOZaurr to pay attention to any warnings. I can't put "errors" everywhere, but I'll see what we can do.

ssg47 commented 1 year ago

That's fair enough. Thank you.

PrzemyslawKlys commented 7 months ago

I've created a new report for that:

image
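
The check discussed in this thread can be sketched as follows. This is an added example, not part of the original thread and not GPOZaurr's code: it scans GPO report XML for `ExtensionData` elements that carry an `Error` child, as in the fragment quoted above. The function name `Find-GpoReportExtensionError`, the GPO name and the XML wrapper around the fragment are assumptions constructed for illustration.

```powershell
# Hypothetical helper (added example): list extensions in a GPO report whose data
# could not be read, and extract the missing file path when the error names one.
function Find-GpoReportExtensionError {
    [CmdletBinding()]
    param(
        # XML text of a GPO report, e.g. produced by Get-GPOReport -ReportType Xml
        [Parameter(Mandatory)][string] $ReportXml,
        [string] $GpoName = '(unknown)'
    )
    $doc = [xml] $ReportXml
    # Return the text of a child element by local name, or $null if it is absent
    $text = {
        param($node, $name)
        $child = $node.SelectSingleNode("*[local-name()='$name']")
        if ($child) { $child.InnerText.Trim() }
    }
    # local-name() keeps the query independent of the namespaces used in the report
    $xpath = "//*[local-name()='ExtensionData'][*[local-name()='Error']]"
    foreach ($ext in $doc.SelectNodes($xpath)) {
        $err     = $ext.SelectSingleNode("*[local-name()='Error']")
        $details = & $text $err 'Details'
        $missing = $null
        if ($details -match "Could not find file '([^']+)'") { $missing = $Matches[1] }
        [pscustomobject]@{
            GpoName     = $GpoName
            Extension   = & $text $ext 'Name'
            Description = & $text $err 'Description'
            MissingFile = $missing
            Details     = $details
        }
    }
}

# Constructed sample: the error fragment from the thread plus one healthy extension
$sample = @'
<GPO><Computer>
  <ExtensionData><Extension /><Name>Security</Name></ExtensionData>
  <ExtensionData>
    <Error>
      <Details>Could not find file '\\DomainControllerFQDN\sysvol\DomainFQDN\Policies\{GUIDString}\Machine\Preferences\Registry\Registry.xml'.</Details>
      <Description>Errors.Extensions.GeneralError</Description>
    </Error>
    <Name>Windows Registry</Name>
  </ExtensionData>
</Computer></GPO>
'@

Find-GpoReportExtensionError -ReportXml $sample -GpoName 'Constructed sample GPO' | Format-List
```

Only the `Windows Registry` extension is returned for the sample; the healthy `Security` extension has no `Error` child and is skipped.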