How to Find GPO Registry Settings

With a large GPO structure, it can be challenging to keep track of all your settings.

Also, if you’re a consultant or a fresh hire facing an unknown infrastructure, getting an overview of GPOs can be very time-consuming.

That is, unless you pull a little PowerShell magic out of your sleeve!

This article will enable you to identify GPOs with registry settings.

(for detailed instructions on how you can create your own GPO analysis scripts, read this)

Using PowerShell to Identify GPOs with Registry Settings

It’s tempting to use GPO names and try to guess what settings they handle.

But if you have more than 5 GPOs, it will be very time-consuming to click through all of them to verify actual settings.

If you want to know with 100% certainty which of your GPOs hold registry settings, check out this script:

# Returns one object per registry policy found in the extension data of one GPO scope.
# LinkCount and Enabled are passed in explicitly instead of being read from the caller's scope.
Function Get-GPOReg ($ExtData, $Gpo, $Scope, $LinkCount, $Enabled) {
    $ArrResult = @()
    ForEach ($ExtensionData In $ExtData) {
        # Registry-based policy settings are reported under the "Registry" extension
        If ($ExtensionData.Name -eq "Registry") {
            $RegSettings = $ExtensionData.Extension.Policy
            ForEach ($RegSetting In $RegSettings) {
                $GPORegConfig = New-Object PSObject -Property @{
                    GPO          = $Gpo.Name
                    LinkCount    = $LinkCount
                    Enabled      = $Enabled
                    Name         = $RegSetting.Name
                    Type         = $Scope
                }
                $ArrResult += $GPORegConfig
            }
        }
    }
    Write-Output $ArrResult
}

# Requires the GroupPolicy module (Get-GPO, Get-GPOReport)
$Reports = Get-GPO -All | Get-GPOReport -ReportType Xml
$Results = @()
ForEach ($Report In $Reports) {
    $GPO = ([xml]$Report).GPO
    # Number of places the GPO is linked to
    $LinkCount = ([string[]]$GPO.LinksTo).Count
    # Computer side of the GPO
    $Results += Get-GPOReg $GPO.Computer.ExtensionData $GPO "Computer" $LinkCount $GPO.Computer.Enabled
    # User side of the GPO
    $Results += Get-GPOReg $GPO.User.ExtensionData $GPO "User" $LinkCount $GPO.User.Enabled
}
Write-Output $Results | ft GPO, LinkCount, Enabled, Name, Type

The output from the script will look similar to this:

GPO                      LinkCount Enabled Name                                                      Type
---                      --------- ------- ---                                                       ----
G.C.WaitForNetwork       1         true    Always wait for the network at computer startup and logon Computer
G.C.DisableWindowsUpdate 2         true    Configure Automatic Updates                               Computer
G.C.OfflineTemplates     5         true    Personal templates path for Word                          User

With this overview in hand, you have a great starting point for examining your GPO registry settings further.

As an example, if you are looking for GPOs configuring Windows Update, you can search for Automatic Updates in the Name column.

This allows you to quickly identify any and all GPOs with certain settings.
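The name search described above can be tried offline. The following is an added example, not code from the original article: it runs the same XML lookup against a constructed, simplified report (real reports carry XML namespaces and more fields) and also reads each policy's State element, since the Name column alone does not show whether a policy is set to Enabled or Disabled. The helper name Find-GPORegSetting and the sample report are hypothetical.

```powershell
# Constructed, simplified sample of Get-GPOReport -ReportType Xml output (not from a real domain).
$SampleReport = @'
<GPO>
  <Name>G.C.DisableWindowsUpdate</Name>
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Name>Registry</Name>
      <Extension>
        <Policy>
          <Name>Configure Automatic Updates</Name>
          <State>Disabled</State>
        </Policy>
        <Policy>
          <Name>Always wait for the network at computer startup and logon</Name>
          <State>Enabled</State>
        </Policy>
      </Extension>
    </ExtensionData>
  </Computer>
  <User><Enabled>true</Enabled></User>
</GPO>
'@

# Hypothetical helper: list registry policies in one report whose name matches a wildcard pattern.
function Find-GPORegSetting {
    param([string]$Report, [string]$NamePattern = '*')
    $Gpo = ([xml]$Report).GPO
    foreach ($Scope in 'Computer', 'User') {
        # A scope without registry settings has no "Registry" ExtensionData node, so $RegData is $null.
        $RegData = @($Gpo.$Scope.ExtensionData) | Where-Object { $_.Name -eq 'Registry' }
        foreach ($Policy in @($RegData.Extension.Policy)) {
            if ($Policy -and $Policy.Name -like $NamePattern) {
                [pscustomobject]@{
                    GPO   = $Gpo.Name
                    Scope = $Scope
                    Name  = $Policy.Name
                    State = $Policy.State
                }
            }
        }
    }
}

# Search the sample for the Windows Update policy mentioned in the text.
Find-GPORegSetting -Report $SampleReport -NamePattern '*Automatic Updates*' |
    Format-Table GPO, Scope, Name, State
```

Against a live domain, pipe `Get-GPO -All | Get-GPOReport -ReportType Xml` into `ForEach-Object { Find-GPORegSetting -Report $_ -NamePattern '*Automatic Updates*' }`.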

Look at this article for a thorough primer on GPO, application order, filtering, etc.
