Check a setting in all GPOs (Security, ADMX, and more)

 

You configured a setting in one GPO and want to know what that setting is across all GPOs.

You want to check that a setting is not being overwritten by another GPO in the same domain (without checking through every settings report).

Sound familiar?

Well, we’ve heard you. And made something that should help (using the Group Policy PowerShell work in Windows Server 2008 R2). I’ll show you how you can check things like security settings, ADMX settings, Group Policy Preference items, and logon/logoff scripts and return the values across all GPOs in a domain. Watch for more posts that will show all of these examples.

If you’ve read about or used the Group Policy PowerShell cmdlets, you may have come across Get-GPOReport. You can output the report to HTML (like clicking “Settings” in the GPMC) or to XML, which is cool. Why? Because you can use the XML to search for settings in GPOs, which is what I did in this little script I wrote. It searches all the GPOs in a given domain for a specific setting using the XML returned from the Get-GPOReport cmdlet. Be warned, this is just an example of using Get-GPOReport’s XML report to search GPOs; this might not work for all cases (I certainly haven’t tested it thoroughly), and there may be bugs, so take it as is and adapt it for your own usage. It is also definitely not optimized; if you have many GPOs it could take a while to run. The point here is the potential: take this script and run with it! It's attached to this post (check the 'Attachments' link by clicking on this post's title and scroll to the bottom).

This script’s usage is as follows:

 

SearchGPOsForSetting.ps1 [-IsComputerConfiguration] <Boolean> [-Extension] <String> [-Where] <String> [-Is] <String> [[-Return] <String>] [[-DomainName] <String>] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Notes: To get all the inputs correct, you may first have to open the XML report of a GPO that has the setting you want to search for. DomainName is an optional parameter (if you do not specify a domain, it will use the domain of the current context).

 

Let’s look at some examples!

Example 1: Security Setting

 

Say you wanted to look for a security setting in all the GPOs in your domain (Policies\WindowsSettings\SecuritySettings\AccountPolicies\Account Lockout Policy\Account lockout duration).

 

If you peek at the XML report of this particular GPO you see the following:

<ExtensionData>
    <Extension xmlns:q2="https://www.microsoft.com/GroupPolicy/Settings/Security" xsi:type="q2:SecuritySettings">
        <q2:Account>
            <q2:Name>LockoutDuration</q2:Name>
            <q2:SettingNumber>20</q2:SettingNumber>
            <q2:Type>Account Lockout</q2:Type>
        </q2:Account>
    </Extension>
</ExtensionData>

Using the script, enter where the setting is (-IsComputerConfiguration $true), what type of setting it is (-Extension Security), and what value you’re looking for (-Where Name -Is LockoutDuration). If you want to know that the setting is configured in the GPO, but you don’t care what the value is, omit the -Return parameter.

PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $true -Extension Security -Where Name -Is LockoutDuration -Return SettingNumber

The Gpo 'simpleGpo' has a Security setting where 'Name' is equal to 'LockoutDuration' and the value of its 'SettingNumber' property is: '30'

The Gpo 'securityGpo' has a Security setting where 'Name' is equal to 'LockoutDuration' and the value of its 'SettingNumber' property is: '20'

Example 2: ADMX setting


 

Looking at the XML:

<ExtensionData>
    <Extension xmlns:q4="https://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q4:RegistrySettings">
        <q4:Policy>
            <q4:Name>Turn off Windows Startup Sound</q4:Name>
            <q4:State>Enabled</q4:State>
            <q4:Explain>
                Turn off the Windows Startup sound and prevent its customization in the Sound item of Control Panel.
                The Microsoft Windows Startup sound is heard during system startup and cold startup and can be turned on or off in the
                Sound item of Control Panel.
                … /more xml

Then you would run this script in the following way:

    

PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $true -Extension Registry -Where Name -Is "Turn off Windows Startup Sound" -Return State

The Gpo 'simpleGpo' has a Registry setting where 'Name' is equal to 'Turn off Windows Startup Sound' and the value of its 'State' property is: 'Enabled'

The Gpo 'gpoB' has a Registry setting where 'Name' is equal to 'Turn off Windows Startup Sound' and the value of its 'State' property is: 'Disabled'
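
The search described in this post, written out as an added example (this is not the attached SearchGPOsForSetting.ps1, whose source is not shown here). It is useful for confirming that a security setting such as LockoutDuration is not set to a different value by another GPO. The function names, the output property names, and the rule that xsi:type ends in "<Extension>Settings" are assumptions drawn from the two XML samples above.

```powershell
# Added example, not the attached script; function names are hypothetical.
# Requires PowerShell 3.0+ and, for Search-AllGpos, the GroupPolicy module.
function Find-GpoReportSetting {
    param(
        [Parameter(Mandatory)][xml]$Report,
        [Parameter(Mandatory)][bool]$IsComputerConfiguration,
        [Parameter(Mandatory)][string]$Extension,   # e.g. Security, Registry
        [Parameter(Mandatory)][string]$Where,       # child element to test, e.g. Name
        [Parameter(Mandatory)][string]$Is,          # value that element must have
        [string]$Return                             # optional child element to report
    )
    $side = if ($IsComputerConfiguration) { 'Computer' } else { 'User' }
    $xsi  = 'http://www.w3.org/2001/XMLSchema-instance'
    # local-name() keeps the query independent of the q2:/q4: prefixes in the report.
    $path = "/*[local-name()='GPO']/*[local-name()='$side']" +
            "/*[local-name()='ExtensionData']/*[local-name()='Extension']"
    foreach ($ext in $Report.SelectNodes($path)) {
        # Assumption: xsi:type is "<prefix>:<Extension>Settings", as in both samples.
        $type = ($ext.GetAttribute('type', $xsi) -split ':')[-1]
        if ($type -ne "${Extension}Settings") { continue }
        foreach ($setting in $ext.SelectNodes('*')) {
            # Compare values in PowerShell instead of splicing user input into XPath.
            $children = @($setting.SelectNodes('*'))
            $hit = $children | Where-Object { $_.LocalName -eq $Where -and $_.InnerText -eq $Is }
            if (-not $hit) { continue }
            $value = $null
            if ($Return) {
                $node = $children | Where-Object { $_.LocalName -eq $Return } | Select-Object -First 1
                if ($node) { $value = $node.InnerText }
            }
            [pscustomobject]@{ Element = $setting.LocalName; Property = $Return; Value = $value }
        }
    }
}

# Run the same query against the XML report of every GPO in a domain.
function Search-AllGpos {
    param([Parameter(Mandatory)][hashtable]$Query, [string]$DomainName)
    $domain = @{}
    if ($DomainName) { $domain.Domain = $DomainName }   # omitted: current user's domain
    foreach ($gpo in Get-GPO -All @domain) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml @domain
        Find-GpoReportSetting -Report $report @Query |
            Select-Object @{ n = 'Gpo'; e = { $gpo.DisplayName } }, *
    }
}

# Search-AllGpos -Query @{ IsComputerConfiguration = $true; Extension = 'Security'
#                          'Where' = 'Name'; 'Is' = 'LockoutDuration'; 'Return' = 'SettingNumber' }
```

More than one row for the same setting means several GPOs configure it; which value wins on a given machine still depends on link order and precedence, which the XML report search does not evaluate.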

 

More examples to come, let me know what you think so far!

 

 Lindsay Harris, Group Policy Software Developer

 

     

SearchGPOsForSetting.ps1