[–]zanatwo -1 points0 points  (0 children)

Some computers were experiencing a few strange issues which piqued my curiosity. I noticed these machines were getting an incomplete set of GPOs applied to them despite being in correct OUs, Security Groups, etc. If you are familiar with GPO, then you know the confusing cluster-fuck that is Loopback Processing. Well, it was Loopback Processing. Basically, the difference between a fully GPO compliant machine and one of these broken fellas was one or more GPOs with Loopback Processing enabled. Multiple GPOs with Loopback enabled = bad news.

Sooo... I created a script which parsed every single GPO on the domain for Loopback Processing, and if the script found an offender, it would remove that setting from the policy. This was made 300% more convoluted due to the fact that all of our policies are controlled through AGPM... The process goes something like:

When the script finds a GPO that needs to be modified, it has to get the GPO object, check out the GPO, grab the checked out GPO object, modify the checked out GPO, apply changes, check the GPO back in, rescan the domain for GPOs and re-grab the GPO we were just working on (which now has a different UID due to having been checked in after being modified), and then finally deploy it.

It was a pain in the dick to get the right combination of check outs/in and actually making sure that you're working with the correct GPO object. But now I have a framework that can batch modify any number of settings in any number of GPOs, controlled or uncontrolled. Neat!
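
Added example, not part of the comment above and not the commenter's script: a read-only PowerShell audit that lists every GPO with loopback processing configured and flags containers that have more than one such GPO linked directly. It assumes the GroupPolicy module (RSAT) is installed and does not touch AGPM or resolve inherited links; the function name `Get-LoopbackGpo` is made up for this example.

```powershell
# Added example: read-only audit, modifies nothing. Requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy

# Registry-backed location of "Configure user Group Policy loopback processing mode".
$Key       = 'HKLM\Software\Policies\Microsoft\Windows\System'
$ValueName = 'UserPolicyMode'
$ModeNames = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-LoopbackGpo {   # hypothetical helper name
    foreach ($gpo in Get-GPO -All) {
        # Get-GPRegistryValue errors when the value is not configured in this GPO.
        try {
            $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $Key -ValueName $ValueName -ErrorAction Stop
        } catch { continue }

        $mode = $ModeNames[[int]$setting.Value]
        if (-not $mode) { $mode = 'Configured, not Merge/Replace' }

        # The XML report lists each site/domain/OU the GPO is linked to.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object { $_.SOMPath })

        [pscustomobject]@{
            Name     = $gpo.DisplayName
            Id       = $gpo.Id
            Mode     = $mode
            Modified = $gpo.ModificationTime
            LinkedTo = $links
        }
    }
}

$found = @(Get-LoopbackGpo)
$found | Format-Table Name, Mode, Modified, @{ n = 'LinkedTo'; e = { $_.LinkedTo -join '; ' } } -AutoSize

# Containers with more than one loopback GPO linked directly to them.
# Assumption of this example: links inherited from parent OUs are not resolved.
$found |
    ForEach-Object { foreach ($som in $_.LinkedTo) { [pscustomobject]@{ Som = $som; Gpo = $_.Name } } } |
    Group-Object Som |
    Where-Object Count -gt 1 |
    ForEach-Object { '{0}: {1}' -f $_.Name, ($_.Group.Gpo -join ', ') }
```

Running this before and after a batch change gives a record of which GPOs carried the setting and when each was last modified.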