Use PowerShell to Decipher GPO Version Information

A Group Policy is made up of a GPC (Group Policy Container) and a GPT (Group Policy Template).

The GPC resides in Active Directory. The GPT lives on the file system of a Domain Controller in SYSVOL.

We have to ensure that these two components are synchronised: AD replication looks after the GPC; DFSR looks after the GPT. Both the GPC and the GPT contain version information. This version information should match for both the GPC and GPT.


Time for Pictures

Here’s the version as it appears in AD* on a GPC:


*look in DomainName/System/Policies


Here’s the version as it appears in SYSVOL from GPT.ini:



Notice both the GPC and GPT have a version of 7995578.


Now, here’s how the Group Policy Management Console (GPMC) interprets that information:



And we can arrive at the same with Get-GPO:



Hey, There!

In the GPMC and with Get-GPO, we have versioning for both user and computer settings… but how? We only have one version number, shared by the GPC and GPT…



The version we see can be thought of as split into two: the left half gives the user settings version and the right half gives the computer settings version. Let’s use PowerShell to illustrate this.

I take the version for the Default Domain Policy GPO from the VersionNumber attribute on the GPC.

$VersionNumber = (Get-ADObject -SearchBase "CN=Policies,CN=System,DC=halo,DC=net" -Filter {Name -eq "{31b2f340-016d-11d2-945f-00c04fb984f9}"} -Properties VersionNumber).VersionNumber


Now, time to have some fun!

$Hex = '{0:x8}' -f $VersionNumber


$UserVn = $Hex.substring(0,4)

$CompVn = $Hex.substring(4)




Let’s see what that generates…



We convert $VersionNumber to hexadecimal by using the -f format operator, ensuring we have eight characters.

Next, assign the first four characters to $UserVn and the next four to $CompVn.

Now use the [CONVERT] type accelerator and the ToInt64 static method to arrive at values that match the GPMC and Get-GPO values.
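The same split done with bit arithmetic, plus a check that the GPC and GPT versions agree, as an added example that is not code from the original post. It assumes the ActiveDirectory module, the DNS name 'halo.net' for DC=halo,DC=net, and the default SYSVOL layout; the function names are hypothetical.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).

function ConvertFrom-GpoVersion {
    # Split the single 32-bit GPO version into its user and computer halves.
    param([Parameter(Mandatory)][int64]$VersionNumber)
    $user     = ($VersionNumber -shr 16) -band 0xFFFF   # high 16 bits: user settings
    $computer = $VersionNumber -band 0xFFFF             # low 16 bits: computer settings
    [pscustomobject]@{
        Hex      = '{0:x4}{1:x4}' -f $user, $computer
        User     = $user
        Computer = $computer
    }
}

function Compare-GpoVersion {
    # Read the version from the GPC (AD) and the GPT (GPT.ini in SYSVOL) and compare them.
    param(
        [Parameter(Mandatory)][string]$Guid,        # GPO name including braces
        [Parameter(Mandatory)][string]$DomainDns,   # assumed DNS name, e.g. 'halo.net'
        [string]$Server = $DomainDns                # a specific DC, or the domain name
    )
    $domainDn = 'DC=' + (($DomainDns -split '\.') -join ',DC=')
    $gpcDn    = "CN=$Guid,CN=Policies,CN=System,$domainDn"
    $gpc      = Get-ADObject -Identity $gpcDn -Server $Server -Properties versionNumber

    # Assumed default SYSVOL layout: \\<server>\SYSVOL\<domain>\Policies\<GUID>\GPT.INI
    $iniPath = "\\$Server\SYSVOL\$DomainDns\Policies\$Guid\GPT.INI"
    $line    = Get-Content -LiteralPath $iniPath |
               Where-Object { $_ -match '^\s*Version\s*=\s*\d+' } | Select-Object -First 1
    if (-not $line) { throw "No Version entry found in $iniPath" }
    $gptRaw  = [int64]($line -replace '^\s*Version\s*=\s*(\d+).*$', '$1')

    $gpcVn = ConvertFrom-GpoVersion $gpc.versionNumber
    $gptVn = ConvertFrom-GpoVersion $gptRaw
    [pscustomobject]@{
        Server      = $Server
        GpcUser     = $gpcVn.User
        GpcComputer = $gpcVn.Computer
        GptUser     = $gptVn.User
        GptComputer = $gptVn.Computer
        InSync      = ($gpcVn.Hex -eq $gptVn.Hex)
    }
}

# The Default Domain Policy GUID and domain used in the post
Compare-GpoVersion -Guid '{31b2f340-016d-11d2-945f-00c04fb984f9}' -DomainDns 'halo.net'
```

Pass -Server with the name of an individual Domain Controller to check that DC's copy of the GPC and its SYSVOL share; InSync is False when the two versions differ there.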


