With a large GPO structure, it can be challenging to keep track of all your settings.
Also, if you’re a consultant or a fresh hire facing an unknown infrastructure, getting an overview of GPOs can be very time-consuming.
That is, unless you pull a little PowerShell magic out of your sleeve!
In other articles we already covered:
- How to find GPO folder redirection
- How to find GPO software installation folders
- How to find GPO drive mapping
- How to find GPO logon scripts
This article will enable you to identify GPOs with registry settings.
(For detailed instructions on how you can create your own GPO analysis scripts, read this.)
Using PowerShell to Identify GPOs with Registry Settings
It’s tempting to use GPO names and try to guess what settings they handle.
But if you have more than 5 GPOs, it will be very time-consuming to click through all of them to verify actual settings.
If you want to know with certainty which of your GPOs hold registry settings, check out this script:
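# Get-GPO and Get-GPOReport come from the GroupPolicy module (RSAT / GPMC)
Import-Module GroupPolicy

# Returns one object per registry policy found in one section (Computer or User) of a GPO
Function Get-GPOReg ($ExtData, $Gpo, $Scope, $LinkCount, $Enabled) {
    $ArrResult = @()
    ForEach ($ExtensionData In $ExtData) {
        # Registry-based policy settings are reported under the "Registry" extension
        If ($ExtensionData.Name -eq "Registry") {
            $RegSettings = $ExtensionData.Extension.Policy
            ForEach ($RegSetting In $RegSettings) {
                $GPORegConfig = New-Object PSObject -Property @{
                    GPO       = $Gpo.Name
                    LinkCount = $LinkCount
                    Enabled   = $Enabled
                    Name      = $RegSetting.Name
                    Type      = $Scope
                }
                $ArrResult += $GPORegConfig
            }
        }
    }
    Write-Output $ArrResult
}

# One XML report per GPO in the domain
$Reports = Get-GPO -All | Get-GPOReport -ReportType Xml
$Results = @()
ForEach ($Report In $Reports) {
    $GPO = ([xml]$Report).GPO
    # Number of containers (sites, domains, OUs) the GPO is linked to
    $LinkCount = ([string[]]$GPO.LinksTo).Count

    # Computer section of the GPO
    $Enabled = $GPO.Computer.Enabled
    $ExtData = $GPO.Computer.ExtensionData
    $Results += Get-GPOReg $ExtData $GPO "Computer" $LinkCount $Enabled

    # User section of the GPO
    $Enabled = $GPO.User.Enabled
    $ExtData = $GPO.User.ExtensionData
    $Results += Get-GPOReg $ExtData $GPO "User" $LinkCount $Enabled
}
Write-Output $Results | Format-Table GPO, LinkCount, Enabled, Name, Type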
The output from the script will look similar to this:
GPO                      LinkCount Enabled Name                                                      Type
---                      --------- ------- ----                                                      ----
G.C.WaitForNetwork       1         true    Always wait for the network at computer startup and logon Computer
G.C.DisableWindowsUpdate 2         true    Configure Automatic Updates                               Computer
G.C.OfflineTemplates     5         true    Personal templates path for Word                          User
With this overview in hand, you have a great starting point for examining your GPO registry settings further.
As an example, if you are looking for GPOs configuring Windows Update, you can search for Automatic Updates in the Name column.
This allows you to quickly identify any and all GPOs with certain settings.
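The search described above, as an added example that is not code from the original article: it filters registry policies by name and also reports each policy's State and whether the GPO is linked with its section enabled. The function name Find-GPORegSetting, the G.C.LegacyUpdates GPO, the corp.example paths and the simplified XML are constructed for illustration.

```powershell
# Constructed, simplified reports; real Get-GPOReport XML adds namespaces and more elements.
$SampleReports = @(
    '<GPO><Name>G.C.DisableWindowsUpdate</Name>
       <Computer><Enabled>true</Enabled><ExtensionData><Name>Registry</Name><Extension>
         <Policy><Name>Configure Automatic Updates</Name><State>Disabled</State></Policy>
       </Extension></ExtensionData></Computer>
       <LinksTo><SOMPath>corp.example/Workstations</SOMPath></LinksTo>
       <LinksTo><SOMPath>corp.example/Servers</SOMPath></LinksTo></GPO>',
    '<GPO><Name>G.C.LegacyUpdates</Name>
       <Computer><Enabled>true</Enabled><ExtensionData><Name>Registry</Name><Extension>
         <Policy><Name>Configure Automatic Updates</Name><State>Enabled</State></Policy>
       </Extension></ExtensionData></Computer></GPO>',
    '<GPO><Name>G.C.OfflineTemplates</Name>
       <User><Enabled>true</Enabled><ExtensionData><Name>Registry</Name><Extension>
         <Policy><Name>Personal templates path for Word</Name><State>Enabled</State></Policy>
       </Extension></ExtensionData></User>
       <LinksTo><SOMPath>corp.example/Users</SOMPath></LinksTo></GPO>'
)

# Hypothetical helper: returns every registry policy whose name matches -NamePattern
function Find-GPORegSetting {
    param([string[]]$Reports, [string]$NamePattern = '*')
    foreach ($Report in $Reports) {
        $Gpo = ([xml]$Report).GPO
        # Drop $null so that a GPO without any link counts as 0 rather than 1
        $LinkCount = @($Gpo.LinksTo | Where-Object { $_ }).Count
        foreach ($Scope in 'Computer', 'User') {
            $Section = $Gpo.$Scope
            $SectionEnabled = ($Section.Enabled -eq 'true')
            foreach ($Ext in $Section.ExtensionData) {
                if ($Ext.Name -ne 'Registry') { continue }
                foreach ($Policy in $Ext.Extension.Policy) {
                    if ($Policy.Name -notlike $NamePattern) { continue }
                    [pscustomobject]@{
                        GPO       = $Gpo.Name
                        Type      = $Scope
                        Name      = $Policy.Name
                        State     = $Policy.State
                        LinkCount = $LinkCount
                        # Linked and section enabled; link state and security/WMI
                        # filtering are not evaluated here
                        InEffect  = ($LinkCount -gt 0 -and $SectionEnabled)
                    }
                }
            }
        }
    }
}

Find-GPORegSetting -Reports $SampleReports -NamePattern '*Automatic Updates*' | Format-Table -AutoSize
```

Against a live domain, pass the output of Get-GPO -All | Get-GPOReport -ReportType Xml as -Reports instead of the sample data.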
Look at this article for a thorough primer on GPO, application order, filtering, etc.