Check a setting in all GPO’s continued (scripts, firewall, GP Preferences and more)


 I mentioned this in the last post, here are some more examples.  To download the script, check the ‘Attachments’ link by clicking on this post’s title and then scrolling to the bottom. Quick refresher:


 


This script’s usage is as follows:


 


SearchGPOsForSetting.ps1 [–IsComputerConfiguration] <Boolean> [-Extension] <String> [-Where] <String> [-Is] <String> [[-Return] <String>] [[-DomainName] <String>]


[-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]


 


Notes: In order to get all the inputs correct you may have to open up the XML once of a GPO that has the setting you want to search for.  DomainName is an optional parameter (if you do not specify a domain, it will use the domain of the current context).


 


 


Lets look at some more examples!


 


 


Example 3: Are there any logon scripts?


 


If you just want to find the GPOs in your domain that have a specific logon script, you can omit the -Return parameter


     


clip_image006


 


<ExtensionData>


<Extension xmlns:q5=”http://www.microsoft.com/GroupPolicy/Settings/Scripts xsi:type=”q5:Scripts“>


<q5:Script>


            <q5:Command>\\myserver\myshare\myLogonScript.ps1</q5:Command>


            <q5:Type>Logon</q5:Type>


            <q5:Order>0</q5:Order>


            <q5:RunOrder>PSNotConfigured</q5:RunOrder>


</q5:Script>


</Extension>


<Name>Scripts</Name>


        </ExtensionData>


 


              


    PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $false -Extension Scripts -Where Command -Is \\myserver\myshare\myLogonScript.ps1


 


  The Gpo ‘simpleGpo’ has a Scripts setting where ‘Command’ is equal to ‘\\myserver\myshare\myLogonScript.ps1’


 


 


Example 4:  Group Policy Preferences


 


clip_image008 


 


               


If I wanted to see all my URL shortcuts in User policy:


 


<ExtensionData>


<Extension xmlns:q5=”http://www.microsoft.com/GroupPolicy/Settings/Shortcuts xsi:type=”q5:ShortcutSettings“>


<q5:ShortcutSettings clsid=”{872ECB34-B2EC-401b-A585-D32574AA90EE}“>


<q5:Shortcut clsid=”{4F2F7C55-2790-433e-8127-0739D1CFA327} userContext=”1 name=”MS status=”MS image=”0 changed=”2009-04-10 21:39:08 uid=”{8D545947-9080-446D-A5C8-8E447407C7AF}“>


<q5:GPOSettingOrder>1</q5:GPOSettingOrder>


<q5:Properties pidl=”” targetType=”URL action=”C comment=”” shortcutKey=”0 startIn=”” arguments=”” iconIndex=”13 targetPath=”http://www.microsoft.com/ iconPath=”%SystemRoot%\system32\SHELL32.dll window=”” shortcutPath=”%DesktopDir%\MS” />


<q5:Filters />


</q5:Shortcut>


</q5:ShortcutSettings>


</Extension>


<Name>Shortcuts</Name>


</ExtensionData>


 


 


PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $false -Extension Shortcuts -Where targetType -Is URL -Return targetPath


 


The Gpo ‘simpleGpo’ has a Shortcuts setting where ‘targetType’ is equal to ‘URL’ and the value of its ‘targetPath’ property is: ‘http://live.com’


The Gpo ‘gpoB’ has a Shortcuts setting where ‘targetType’ is equal to ‘URL’ and the value of its ‘targetPath’ property is: ‘http://www.microsoft.com’


The Gpo ‘gpoA’ has a Shortcuts setting where ‘targetType’ is equal to ‘URL’ and the value of its ‘targetPath’ property is: ‘http://www.msdn.com’


 


 


 


 


Example 5:  Find all the open firewall ports


               


<ExtensionData>


<Extension xmlns:q2=”http://www.microsoft.com/GroupPolicy/Settings/WindowsFirewall xsi:type=”q2:WindowsFirewallSettings“>


<q2:GlobalSettings>


<q2:PolicyVersion>


<q2:Value>522</q2:Value>


</q2:PolicyVersion>


</q2:GlobalSettings>


<q2:InboundFirewallRules>


<q2:Version>2.10</q2:Version>


<q2:Action>Allow</q2:Action>


<q2:Name>open port 448</q2:Name>


<q2:Dir>In</q2:Dir>


<q2:LPort>448</q2:LPort>


<q2:Protocol>6</q2:Protocol>


<q2:Active>true</q2:Active>


</q2:InboundFirewallRules>


</Extension>


<Name>Windows Firewall</Name>


</ExtensionData>


 


    


PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $true -Extension WindowsFireWall -Where Action -Is Allow -Return LPort


 


The Gpo ‘gpoA’ has a WindowsFireWall setting where ‘Action’ is equal to ‘Allow’ and the value of its ‘LPort’ property is: ‘448’


The Gpo ‘gpoB’ has a WindowsFireWall setting where ‘Action’ is equal to ‘Allow’ and the value of its ‘LPort’ property is: ’80’


 


 


 Note: Under the hood I am using XPath and XmlNamespaceManager, to find the xml for the Specific extension you passed in and then I perform a recursive search of the xml underneath that for the Property you specified with $Where that has the value you specified with $Is.  Then, once it finds that, if you specified a $Return parameter it will search for that property to return the value it has. 


 


I hope you enjoy working with this script. Let me know what other interesting and compelling scenarios you use this for in the comment section. Also, if you re-work it to fit your own need, post it back here and explain what you did and why. 


 


Can’t wait to see what you come up with, 


 Lindsay Harris, Group Policy Software Developer

SearchGPOsForSetting.ps1

Comments (3)

  1. Anonymous says:

    Want to see what firewall ports you’ve configured on every GPO in your domain in under 10 seconds? Want

  2. Anonymous says:

    Hey Kazimierz – Thanks for asking. AGPM does not have any PowerShell work planned for the next release.

    What sort of cmdlets would you be interested in seeing available for AGPM?

    LiliaG, Group Policy PM

  3. casimir says:

    The Power Shell works nice with GPOs, but what about Power Shell and the Advanced Group Policy Management.

    How can I married them together?

    Regards,

    Kazimierz Popinski