Pour faire suite aux précédents articles « Powershell : Who's the owner of my AD objects » et « Powershell : Change the owner of my AD objects », voici comment trouver les GPO dont le propriétaire n'est pas "Domain Admins" et les modifier.
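# Purpose: find the GPOs whose owner is not the Domain Admins group and hand
# ownership of the matching AD object back to that group.
# Why it matters: the owner of an AD object can always rewrite its ACL, so a
# GPO left owned by a regular account stays editable by that account even
# after its explicit permissions have been removed.
# Requires the ActiveDirectory and GroupPolicy modules (Get-ADDomain,
# Get-ADObject, Get-GPO).

# Resolve Domain Admins from its well-known RID (512) rather than from its
# display name: the group name is localized (e.g. "Admins du domaine"), so a
# hard-coded "Domain Admins" flags every GPO on such a domain.
$AdDomain = Get-ADDomain
$DomainAdminsSid = New-Object System.Security.Principal.SecurityIdentifier("$($AdDomain.DomainSID.Value)-512")
$DomainAdmins = $DomainAdminsSid.Translate([System.Security.Principal.NTAccount])

# Get all GPOs, both as Group Policy objects (they expose Owner) and as AD
# objects (they expose the DistinguishedName needed for the LDAP bind).
$AllGPO = Get-GPO -All
$AllADGPO = Get-ADObject -Filter 'ObjectClass -eq "groupPolicyContainer"' -Properties displayName

# Keep the GPOs that are not owned by Domain Admins.
# NOTE(review): GPOs owned by other privileged principals are listed too;
# review the list before changing anything.
$NoGood = $AllGPO.Where({ $_.Owner -ne $DomainAdmins.Value })

# Change the owner of the non-compliant GPOs.
# Trial-run limiter: "-First 1" restricts the change to a single GPO. Remove
# it only after the result has been verified on that first object.
$NoGood | Select-Object -First 1 | ForEach-Object {
    $Gpo = $_

    # Match on the GPO GUID, not on DisplayName: the CN of a
    # groupPolicyContainer is "{GUID}", whereas display names can collide.
    $GpoCn = $Gpo.Id.ToString('B')
    $CurrentGpo = @($AllADGPO.Where({ $_.Name -eq $GpoCn }))

    # Without exactly one match the LDAP path below would be empty or
    # malformed, and the owner change could land on an unintended object.
    if ($CurrentGpo.Count -ne 1) {
        Write-Warning "Skipping '$($Gpo.DisplayName)' $GpoCn : expected 1 AD object, found $($CurrentGpo.Count)"
        return
    }

    Write-Host $CurrentGpo[0]
    Write-Host $Gpo.DisplayName -ForegroundColor Magenta
    # Record the previous owner so the change can be audited or reverted.
    Write-Host "Previous owner: $($Gpo.Owner) -> new owner: $($DomainAdmins.Value)"

    try {
        $adsiTarget = [adsi]"LDAP://$($CurrentGpo[0].DistinguishedName)"
        $adsiTarget.PSBase.ObjectSecurity.SetOwner($DomainAdminsSid)
        $adsiTarget.PSBase.CommitChanges()
    }
    catch {
        # Report the failure and move on instead of aborting the whole run.
        Write-Warning "Owner change failed for '$($Gpo.DisplayName)' $GpoCn : $($_.Exception.Message)"
    }
    # NOTE(review): only the AD object (groupPolicyContainer) is modified here;
    # the ACL of the matching SYSVOL policy folder is not touched by this script.
}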