Group Policy PowerShell

GPO PowerShell analyze

Have you ever been in a situation where you needed to get an overview of your GPO’s?

Something like:

  • FInd all GPO’s with drive mapping
  • Find all GPO’s with software publishing
  • Find all GPO’s with user rights configuration

The Group Policy Management Console (GPMC) tool isn’t very useful for this type of thing. If you have dozens or hundreds of GPO’s it’s near impossible.

The most effective way to review all of your GPO settings is using PowerShell. This article is going to teach you how.

In 10 minutes you’ll be the go-to-guy for GPO analysis scripts – I promise you 😉

How to Install the GPO PowerShell Module

First thing to get started is to get your hands on the Group Policy PowerShell module.

Don’t make the mistake of working from your Domain Controller – it’s a bad (and lazy) habit.

To get up and running on your workstation install the RSAT Group Policy Management tools. This is super easy on Windows 10 version 1809 and later:

Get-WindowsCapability -Name "RSAT.GroupPolicy.Management.Tools*" -Online | Add-WindowsCapability -Online

On Windows 10 1709 or earlier check this article.

On Windows 8.1 go here for more info.

If you’re using a jump host (Windows Server), install the Group Policy PowerShell module by adding the “Group Policy Management” feature (for a detailed step-by-step guide on adding features to your server check this article).

Get-GPO

There are basically only two commands in the GroupPolicy module you need to know to generate complex analysis of your Group Policy Objects.

The first one is Get-GPO.

Simply feed the name of the GPO to this command to grab a GPO object. The output will look similar to the following:

PS C:\> Get-GPO "Default Domain Policy"


DisplayName      : Default Domain Policy
DomainName       : easy365manager.local
Owner            : E365M\Domain Admins
Id               : 24c1692a-6fd1-4a85-b2e4-343968fe78e0
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 26-11-2004 13:22:37
ModificationTime : 03-12-2020 14:38:46
UserVersion      : AD Version: 69, SysVol Version: 69
ComputerVersion  : AD Version: 51, SysVol Version: 51
WmiFilter        :

We already have some basic info that might be useful in a report or otherwise:

  • The Guid of the GPO (in the Id attribute)
  • The owner
  • The creation time
  • The last modification time
  • The WmiFilter

To dive deeper into more properties of the GPO and the actual settings another command is needed:

Get-GPOReport

The Get-GPOReport command extracts all the settings of a group policy. It can use different formats for the data but for easy analysis XML is preferred.

To get the data, you need to identify which GPO you want to look into, either by stating the name or the GUID of the GPO – or by piping the GPO into the command.

When you specify XML as the data format using the -ReportType switch, the output is a massive XML document. Put it in a variable so we can access it more easily:

$GPOSettings = Get-GPO "Default Domain Policy" | Get-GPOReport -ReportType XML

To let PowerShell know we’ve got XML data on our hands, prepend the variable with [xml]:

PS C:\> [xml]$GPOSettings

xml                             GPO
---                             ---
version="1.0" encoding="utf-16" GPO

As you see the top element is named “GPO”. Put this element into a new variable so we don’t have to do the explicit cast to XML on every call:

PS C:\> $GPO = ([xml]$GPOSettings).GPO
PS C:\> $GPO


xsd                 : http://www.w3.org/2001/XMLSchema
xsi                 : http://www.w3.org/2001/XMLSchema-instance
xmlns               : http://www.microsoft.com/GroupPolicy/Settings
Identifier          : Identifier
Name                : Default Domain Policy
IncludeComments     : true
CreatedTime         : 2004-11-26T12:22:37
ModifiedTime        : 2020-12-03T12:38:46
ReadTime            : 2021-05-12T19:42:24.1554915Z
SecurityDescriptor  : SecurityDescriptor
FilterDataAvailable : true
Computer            : Computer
User                : User
LinksTo             : {LinksTo}

The output has more or less the same information as the object we retrieved earlier using the Get-GPO command.

But pay special attention to the Computer and User attributes – this is where the fun starts!

GPO ExtensionData

If anything is configured in the computer or user portion of the GPO the corresponding attribute will have a sub element called ExtensionData:

PS C:\> $GPO.Computer

VersionDirectory VersionSysvol Enabled ExtensionData
---------------- ------------- ------- -------------
51               51            true    {Security, Public Key, Name Resolution Policy, Registry}

The ExtensionData will have one or more Extension values depending on what types of settings have been configured in the GPO:

PS C:\> $GPO.Computer.ExtensionData

Extension Name
--------- ----
Extension Security
Extension Public Key
Extension Name Resolution Policy
Extension Registry

The various Extension attributes will have data that is custom to the type of extension. You can build a generic routine to iterate the Extension elements of the GPO report – but when it comes to the actual settings of the different types of Extension data, you need to build a custom routine for each type.

This is quite OK. When doing GPO analysis we’re often looking for particular information such as identifying all GPO’s with mapped drives or all GPO’s with software distribution.

Analyzing GPO Settings

For the sake of the example, let’s try to make a script that finds all GPO’s that have start-up scripts configured.

The method applied here can be used on any type of GPO settings that you want to analyze.

First step: Find the name of the extension by looking at one of the group policies that has a user logon script configured:

PS C:\> $Report = Get-GPO "Accounting_Scripts" | Get-GPOReport -ReportType xml
PS C:\> $GPO = ([xml]$Report).GPO
PS C:\> $GPO.User.ExtensionData

Extension Name
--------- ----
Extension Scripts

As seen, the name of the extension is “Scripts”. Therefore, to find all GPO’s with scripts we need to iterate all ExtensionData values of all GPO’s that have the name “Scripts”:

$Reports = Get-GPO -All | Get-GPOReport -ReportType Xml
ForEach ($Report In $Reports) {
  $GPO = ([xml]$Report).GPO
  ForEach ($ExtensionData In $GPO.User.ExtensionData) {
    If ($ExtensionData.Name -eq "Scripts") {
      # Do something ...
      }
    }
  }
}

Now, let’s check what information is available to our script by looking at the data structure. Since, in our example GPO, only one extension exists we can access it like this:

PS C:\> $GPO.User.ExtensionData.Extension

q2                                                    type       Script
--                                                    ----       ------
http://www.microsoft.com/GroupPolicy/Settings/Scripts q2:Scripts {q2:Script, q2:Script}


PS C:\> $GPO.User.ExtensionData.Extension.Script


Command    : ConfigureAcct.bat
Parameters : /SkipErrors
Type       : Logon
Order      : 0
RunOrder   : PSNotConfigured

Command  : CreateAcctShortcuts.bat
Type     : Logon
Order    : 1
RunOrder : PSNotConfigured

For each script we have a few valuable pieces of information:

  • Command
  • Parameters
  • Type

To get this information for all our GPO’s we can now put together the following code:

$Reports = Get-GPO -All | Get-GPOReport -ReportType Xml
$UserScripts = @()
ForEach ($Report In $Reports) {
  $GPO = ([xml]$Report).GPO
  ForEach ($ExtensionData In $GPO.User.ExtensionData) {
    If ($ExtensionData.Name -eq "Scripts") {
      $Scripts = $ExtensionData.Extension.Script
      ForEach ($Script In $Scripts){
        $ScriptInfo = New-Object PSObject -Property @{
          GPO        = $GPO.Name
          Command    = $Script.Command
          Parameters = $Script.Parameters
          Type       = $Script.Type
        }
        $UserScripts += $ScriptInfo
      }
    }
  }
}
Write-Output $UserScripts | ft GPO,Command,Parameters,Type

In my small test setup this generates the following output:

GPO                Command                 Parameters  Type
---                -------                 ----------  ----
Accounting_Scripts ConfigureAcct.bat       /SkipErrors Logon
Accounting_Scripts CreateAcctShortcuts.bat             Logon
Drive Mapping      Logon.bat                           Logon
Drive Mapping      SecondaryScript.bat     /Reset      Logon

Summary

And that’s it. I hope you now have a clear grasp on how to create your own Group Policy analysis scripts.

With the above approach you can now start gathering any type of information across all of your GPO’s. This is very useful if you want to clean up GPO’s, are doing a domain migration or restructuring your file servers.

For more examples using this approach check out these two articles: