Script to extract all GPOs that a specific User, Group or Computer either have or doesnt have rights to

If you ever need to provide information about which GPO’s a specific User, Group or Computer have or doesnt have access to you can use this script.

The script will run through all GPO’s in the domain and check if a given User, Group or Computer either have or havent been delegated permissons. The script will produce a text file listing all GPO’s including detailed information about linkpaths, WMI Filters, Modify Dates, if its link or not and much more.

All you have to do is supply 3 parameters

  • TargetName – Name of the target (ie. Authenticated Users)
  • TargetType – Type of the target (Group, User or Computer)
  • hasPermissions – Boolean to specify if you want to find all the GPO’s that the target has permissions to (True) or does not have permissons to (False)


This will list all the GPO’s which the Group “Authenticated Users” doesnt have access to.

Get-GPOPermissionReport -TargetName “Authenticated Users” -TargetType Group -hasPermission -$False