1. Use GPMC GPO Backup Feature To Locate Unresolvable SIDs
Sometimes you might have GPOs that reference SIDs which cannot be resolved. There might be various reasons for that. Someone might have configured a GPO setting to reference a certain account, and that account was deleted at some later point. Or, like I encountered: you use GPO backups to import & export your GPOs from a lab to an acceptance environment and you simply forget to translate some of the SIDs.
A neat trick which I found out by accident is the “Backup All…” GPO option from the Group Policy Management Console. This will try to resolve all accounts used in your GPOs and throw a warning if there’s a problem. You could do this every now and then to keep your GPOs squeaky clean.
2. Generate an HTML Report Of All Your GPOs
Whenever you’re documenting your GPOs, or you simply want a snapshot in time of the settings, versions, links, security, and so on, you can create a GPO report from the GPMC. Using PowerShell, however, you can issue the following command to get a single-file HTML report which will nicely give you all the required information. It would perhaps be a nice idea to run this monthly, or even more frequently, if you want an audit trail of what has changed. But if you really need this, I think AGPM (Advanced Group Policy Management) will be a better fit.
Get-GPOReport -All -Domain contoso.com -Server dc01 -ReportType HTML -Path C:\Users\thomas.vuylsteke\Desktop\GPO_Report\GPO_Report.html
The following screenshot shows an example of the layout. By default everything, except the subsections of each GPO, is hidden. You can easily scroll from GPO to GPO, and I can imagine it’s very simple to edit the HTML file if you only want a subset of the policies in your report.
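The unresolvable-SID check from tip 1 can also be scripted against the XML form of the report from tip 2. The following is an added example, not part of the original post: it pulls each GPO's XML report, extracts every SID string, and lists the ones that fail to translate to an account name. It assumes the GroupPolicy module (GPMC/RSAT) is installed, reuses the contoso.com and dc01 values from the command above, and the helper name Test-SidResolves is made up for this sketch.

```powershell
# Added example: list SIDs referenced in GPO reports that no longer resolve.
# Assumptions: GroupPolicy module available; run from a domain-joined machine.
# Name resolution happens from the machine running the script, so SIDs from
# an untrusted domain (e.g. a lab) show up as unresolvable.
Import-Module GroupPolicy

$Domain = 'contoso.com'   # value taken from the page's command
$Server = 'dc01'          # value taken from the page's command

# Matches SID strings: domain SIDs (S-1-5-21-...) and well-known SIDs alike.
$sidPattern = 'S-1-\d+(?:-\d+)+'
$cache = @{}              # SID string -> $true (resolves) / $false (does not)

function Test-SidResolves {   # hypothetical helper name
    param([string]$Sid)
    if (-not $cache.ContainsKey($Sid)) {
        try {
            $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
            [void]$obj.Translate([System.Security.Principal.NTAccount])
            $cache[$Sid] = $true
        } catch {
            # IdentityNotMappedException, or a string that is not a valid SID
            $cache[$Sid] = $false
        }
    }
    return $cache[$Sid]
}

$findings = foreach ($gpo in Get-GPO -All -Domain $Domain -Server $Server) {
    # Without -Path, Get-GPOReport returns the report as a string.
    $xml  = Get-GPOReport -Guid $gpo.Id -Domain $Domain -Server $Server -ReportType Xml
    $sids = [regex]::Matches($xml, $sidPattern) |
            ForEach-Object { $_.Value } | Sort-Object -Unique
    foreach ($sid in $sids) {
        if (-not (Test-SidResolves $sid)) {
            [pscustomobject]@{ GPO = $gpo.DisplayName; Guid = $gpo.Id; Sid = $sid }
        }
    }
}

# One row per (GPO, unresolved SID); empty output means nothing was flagged.
$findings | Sort-Object GPO, Sid | Format-Table -AutoSize
```

The script only reads reports and changes nothing; a flagged SID still needs a manual look at the GPO to see which setting or delegation entry references it.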