New tool: Policy Analyzer

Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies, and can highlight the differences between versions or sets of Group Policies. It can also compare GPOs against current local policy settings and against local registry settings. And you can export its findings to a Microsoft Excel spreadsheet.

Policy Analyzer lets you treat a set of GPOs as a single unit.  This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values.  It also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. 

For example, the US Government Configuration Baseline (USGCB) for Windows 7 includes seven different GPOs.  Policy Analyzer can treat them as a single set, and show all the differences between them and the Microsoft recommended baselines for Windows 10 and Internet Explorer 11 with a single comparison.  You can also use it to verify changes that were made to your production GPOs.

The following screenshot shows two baselines compared with each other and to corresponding registry values on the local system. The lower pane displays the Group Policy setting, location, and other information associated with the selected row. Conflicting settings are highlighted in yellow; absent settings are shown as a grey cell. Policy Analyzer also offers options to display only rows containing conflicts or other differences.

The following screenshot shows Policy Analyzer’s Excel output. Policy Analyzer sorts results primarily by the Group Policy path and setting name columns, which are the leftmost columns.

Policy Analyzer is a lightweight standalone application that doesn’t require installation, and doesn’t require administrative rights (except for the “local policy” feature).

The downloadable attachment to this blog post contains Policy Analyzer, its full documentation and sample GPO sets taken from the Microsoft security configuration baselines.

[Updated 3 February 2016: download now includes representations of all Windows, IE, and Office GPOs published in the Security Compliance Manager.]

Comments (41)

  1. Inn VNix Ginner says:

    Thanks for your contribution!

  2. Mikael Grath says:

    Making life simpler, I love it! Good work 🙂

  3. Ron Fisher says:

    Is there a way to use this with a Group Policy Central Store? I've tried directly adding the GPO's from the store, and backing up gpo's and adding them from the backup and I keep getting an unhandled exception looking for different .adml or admx files. I can get past this if I go find a copy of the missing file and copy it to my local machine that is running this tool. I'm stuck looking for a copy of healthservice.adml. Is there any way to make it go forward without these .admx and .adml files it is looking for? Thanks!

    [Aaron Margosis] No, this version looks only in %windir%\PolicyDefinitions for ADMX files and %windir%\PolicyDefinitions\en-us for ADML files. And it looks like if there's an ADMX without the corresponding ADML you get an unhandled exception. That's a bug. PolicyAnalyzer should handle it more gracefully, but the workaround is to make sure that you have the corresponding ADML file in the en-us directory.

  4. Aaron, are there plans for a version which scans a Group Policy central store? Microsoft says that it's best practice to use one, and many people out there are following that recommendation, myself included.

    [Aaron Margosis] It's on the list of potential features, but not currently at the top of the priority list, particularly since it's easy enough just to copy ADMX/ADML files to some local machine for analysis. E.g., I think covering GPP might be more valuable.

  5. Justin Purdy says:

    For anybody who's getting hung up on missing healthservice.adml, you can find it in %windir%\PolicyDefinitions\EN

    [Aaron Margosis] ???

    1. Doron Amir says:

      Thanks heaps. This does work. No more stupid warning messages!

  6. mike says:

    Thanks for the tool. Attempting to export on my machine results in an error: "Unable to set the FreezePanes property of the Window Class". Any ideas?

    [Aaron Margosis] What version of Office/Excel are you using?

  7. Perfect. Thanks for sharing.

  8. Martin says:

    Hmmm, does Policy Analyzer run on Win Server 2008 R2, too? If I click 'View/Compare' I get an exception error. If you want I can send the 'Details'.

    [Aaron Margosis] Yes, please send details either through the "Email blog author" link or in a comment. The main one seems to be an ADMX file in the PolicyDefinitions directory not having a matching ADML file in the EN-US subdirectory.

  9. Bumblebee says:

    I am getting the following error. I am using Excel 2010.

    [Aaron Margosis] In the current implementation, every ADMX file in the %windir%\PolicyDefinitions directory has to have a corresponding ADML file in the EN-US subdirectory.

    — + — + —
    Informationen über das Aufrufen von JIT-Debuggen
    anstelle dieses Dialogfelds finden Sie am Ende dieser Meldung.

    ************** Ausnahmetext **************
    System.IO.FileNotFoundException: Die Datei "C:\Windows\PolicyDefinitions\en-us\ActiveXInstallService.adml" konnte nicht gefunden werden.
    Dateiname: 'C:\Windows\PolicyDefinitions\en-us\ActiveXInstallService.adml'
    bei System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
    bei System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
    bei System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
    bei System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize)
    bei System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
    bei System.Xml.XmlTextReaderImpl.OpenUrlDelegate(Object xmlResolver)
    bei System.Threading.CompressedStack.runTryCode(Object userData)
    bei System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
    bei System.Threading.CompressedStack.Run(CompressedStack compressedStack, ContextCallback callback, Object state)
    bei System.Xml.XmlTextReaderImpl.OpenUrl()
    bei System.Xml.XmlTextReaderImpl.Read()
    bei System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace)
    bei System.Xml.XmlDocument.Load(XmlReader reader)
    bei System.Xml.XmlDocument.Load(String filename)
    bei GPLookup.GPLookup_t.XDocAndNSMgr..ctor(String filename, String defNamespace)
    bei GPLookup.GPLookup_t.Initialize(String sLanguage)
    bei PolicyAnalyzer.PolicyViewer3.RowData_t.InitPolicyConfigAndPath()
    bei PolicyAnalyzer.PolicyViewer3.LoadData(NameAndPolicies_t[] nameAndPolicies)
    bei PolicyAnalyzer.PolicyViewer3..ctor(NameAndPolicies_t[] nameAndPolicies, GPLookup_t gpLookup)
    bei PolicyAnalyzer.PolicyAnalyzerMain2.btnCompare3_Click(Object sender, EventArgs e)
    bei System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
    bei System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
    bei System.Windows.Forms.Control.WndProc(Message& m)
    bei System.Windows.Forms.ButtonBase.WndProc(Message& m)
    bei System.Windows.Forms.Button.WndProc(Message& m)
    bei System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

    to be continued

  10. Zenkin says:

    Is there any chance that I can export this to a CSV or save directly to a file? I don't have Microsoft Office installed on my management machine, and it seems my only option is to directly export it to Microsoft Excel 2007 or newer.

    [Aaron Margosis] Not in the current version. If you copy the .PolicyRules file to another computer that has Excel and that has all the ADMX and ADML files in the PolicyDefinitions/en-us directories, and run Policy Analyzer there, you can get everything except for "Compare local registry" data. CSV output would lose the formatting that you can get with direct Excel export.

  11. Stan Noel says:

    Justin Purdy. I'm getting the same error. 'Could not find file 'C:\Windows\PolicyDefinitions\en-us\HealthService.adml'.
    Using Win7 Ent 64-bit SP1.

    [Aaron Margosis] OK, I've heard this a few times now but haven't seen it myself. Are you seeing HealthService.adml in a different subdirectory?

  12. Glenn Turner says:

    LOVE this!!! This will save us SO much time. Thank you.

  13. Karl says:

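    @echo off
    rem List every ADMX file that has no matching ADML file in the en-us subdirectory.
    for /f "delims=" %%G in ('dir /b "%windir%\PolicyDefinitions\*.admx"') do if not exist "%windir%\PolicyDefinitions\en-us\%%~nG.adml" echo %%G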

  14. Tim says:

    The HealthService.adml file is in the en directory – not the en-us directory.

    [Aaron Margosis] For now, copy it into the EN-US subdirectory. If I get to make an updated version, I'll change the ADML search logic so that it can also look for an EN subdirectory, as well as look for ADML files in the PolicyDefinitions directory itself (according to Process Monitor that's what the GP editor does). I'll also make a missing ADML file a warning for that particular ADMX rather than stop processing.
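The check below is an added example, not part of the original post or of Policy Analyzer: a PowerShell version of the ADMX/ADML check that also looks in the fallback locations named in the reply above (the EN subdirectory and PolicyDefinitions itself), so it can report which ADML file to copy into en-US. The function names and status labels are hypothetical.

```powershell
# Added example: find ADMX files whose ADML is not in en-US, and report
# whether a copy exists in one of the fallback locations from the thread.
param(
    [string]$PolicyDefinitions = (Join-Path $env:windir 'PolicyDefinitions')
)

function Find-Adml {
    param([string]$Root, [string]$BaseName)
    # Search order: en-US (the only place this version of the tool looks),
    # then EN, then the PolicyDefinitions directory itself.
    $dirs = (Join-Path $Root 'en-US'), (Join-Path $Root 'en'), $Root
    foreach ($dir in $dirs) {
        $candidate = Join-Path $dir "$BaseName.adml"
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            return $candidate
        }
    }
    return $null
}

function Get-AdmlStatus {
    param([string]$Root)
    foreach ($admx in Get-ChildItem -LiteralPath $Root -Filter *.admx -File) {
        $expected = Join-Path (Join-Path $Root 'en-US') "$($admx.BaseName).adml"
        $found    = Find-Adml -Root $Root -BaseName $admx.BaseName
        # OK         : ADML is where the current version expects it
        # CopyToEnUs : ADML exists elsewhere and can be copied into en-US
        # Missing    : no ADML found in any of the three locations
        $status = if (-not $found) { 'Missing' } elseif ($found -eq $expected) { 'OK' } else { 'CopyToEnUs' }
        [pscustomobject]@{
            Admx      = $admx.Name
            Status    = $status
            AdmlFound = $found
        }
    }
}

# Show only the files that would stop View/Compare in the current version.
Get-AdmlStatus -Root $PolicyDefinitions |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize
```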

  15. Jason says:

    Aaron this is a fantastic utility. Thank you for your work.

  16. Mitch says:

    Thanks for this. Very useful. Also useful is the way you have responded to the questions about your tool. Well done!

  17. Patrik says:

    Hello, thanks very much! Is there a way to automate the import process? Like building a CSV or XML file with list of policies and their names and only select them and compare?

    [Aaron Margosis] Well, kind of! It's not intended to be used this way, is unsupported, and some future update might change the implementation, but the PolicyRulesFileBuilder.exe is the helper process that is passed the files to process and the target .PolicyRules file to build. PolicyRulesFileBuilder.exe takes two parameters: the path to an existing tab-delimited-text file, and the path to the target file. The tab-delimited CSV contains one row for each file to process. Each row contains three columns in this order: policy type (Computer, User, Sec Template, or Audit Policy – taken from the Policy Type column of the Importer dialog); policy name (taken from the first column of the Importer dialog); and the full path to the file to parse, without quotes. Example:

    PolicyRulesFileBuilder.exe .\test.csv .\test.PolicyRules

    Good luck!
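An added example, not code from the post or from Policy Analyzer: a PowerShell script that writes the three-column tab-delimited file described above and passes it to PolicyRulesFileBuilder.exe. It assumes the usual GPMC backup layout (one folder per GPO containing bkupInfo.xml and DomainSysvol\GPO\...), UTF-8 for the list file, and placeholder paths; the function name is hypothetical.

```powershell
# Added example: build the tab-delimited input for PolicyRulesFileBuilder.exe
# from a folder of GPO backups. All default paths are placeholders.
param(
    [string]$BackupRoot  = 'C:\GPOBackups',
    [string]$ListFile    = '.\gpo-set.tsv',
    [string]$RulesFile   = '.\gpo-set.PolicyRules',
    [string]$BuilderPath = '.\PolicyRulesFileBuilder.exe'
)

# Column 1 (policy type, as named in the reply above) -> file inside a backup.
# The relative paths are an assumption about the standard GPMC backup layout.
$sources = [ordered]@{
    'Computer'     = 'DomainSysvol\GPO\Machine\registry.pol'
    'User'         = 'DomainSysvol\GPO\User\registry.pol'
    'Sec Template' = 'DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf'
    'Audit Policy' = 'DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv'
}

function Get-GpoBackupName {
    param([string]$BackupDir)
    # bkupInfo.xml carries the GPO display name; fall back to the folder name.
    $info = Join-Path $BackupDir 'bkupInfo.xml'
    if (Test-Path -LiteralPath $info -PathType Leaf) {
        $xml  = [xml](Get-Content -LiteralPath $info -Raw)
        $node = $xml.SelectSingleNode("//*[local-name()='GPODisplayName']")
        if ($node -and $node.InnerText.Trim()) { return $node.InnerText.Trim() }
    }
    return (Split-Path $BackupDir -Leaf)
}

$rows = foreach ($dir in Get-ChildItem -LiteralPath $BackupRoot -Directory) {
    # A tab or newline inside a GPO name would break the three-column layout.
    $name = (Get-GpoBackupName $dir.FullName) -replace '[\t\r\n]', ' '
    foreach ($type in $sources.Keys) {
        $file = Join-Path $dir.FullName $sources[$type]
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            # policy type <TAB> policy name <TAB> full path, without quotes
            "{0}`t{1}`t{2}" -f $type, $name, $file
        }
    }
}
if (-not $rows) { throw "No policy files found under $BackupRoot" }

# Encoding is an assumption; the reply above does not specify one.
Set-Content -LiteralPath $ListFile -Value $rows -Encoding UTF8

# Two parameters, in the order given above: list file, then target file.
& $BuilderPath $ListFile $RulesFile
if (-not (Test-Path -LiteralPath $RulesFile -PathType Leaf)) {
    throw "PolicyRulesFileBuilder.exe did not produce $RulesFile"
}
```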

  18. Mikael Grath says:

    A bit of a wishful thinking, it would be cool if you could incorporate GPP as well, I’m not sure how or in what way that would fly but it would be a needed addition 🙂 Thanks for the efforts with this tool, it’s really great!

  19. Glad to see this, Aaron. Thanks for helping fill the gap of SCM being deprecated. Glad to have something like this to which I can direct my customers. Nice to have the USGCB, STIG, etc. stuff readily available like that for comparison.

  20. Michaell Kolowicz says:

    Thank you for this tool. But I cannot run it on a Windows 7-64bit (GERMAN). The error message is: "System.IO.FileNotFoundException: Die Datei "C:\Windows\PolicyDefinitions\en-us\ActiveXInstallService.adml" konnte nicht gefunden werden.
    Dateiname: 'C:\Windows\PolicyDefinitions\en-us\ActiveXInstallService.adml'

    What can I do?

    [Aaron Margosis] Email me through the Email Blog Author link on this blog. I'll try to work with you on a version that supports internationalization. Thanks.

  21. Habib Mbacfou says:

    Hello Aaron, thanks for your tool. Is there any way to use your tool with PowerShell commands? Because I'm looking for a way to automate the "policy file importer" and the rules comparison by using PowerShell. Thanks in advance for your answer

    [Aaron Margosis] See Patrik's comment from Jan 30 2016 and my response there.

  22. jim says:

    First off … Great Utility!

    Would you entertain the idea of keeping the [Registry Values] section of the Security Templates separate from the HKLM Policy Type? The utility does not identify if the setting is contained in the registry.pol or the GptTmpl.inf file.

    Thanks again.

    [Aaron Margosis] Policy Analyzer canonicalizes data so that if you have something set in [Registry Values] that hits the same location as something in a registry.pol, it can report the duplication or conflict. To see the source of a setting, enable "Show GPO names and files in Details pane" in the Options dropdown.

  23. Graham says:

    Seems you're getting a lot of problems with people on non-US versions of Windows. Surely the solution is to pick the ADML search path based on the current culture's shortcode?

    [Aaron Margosis] Yes, something like that, but I'd need to test before publishing. I don't have any non-English installs to test on.

  24. brad says:

    When I export to Excel, I don't see the GPO source names, as in the GUI? Am I missing where they are exported to, or is this not exported to Excel at all?

    [Aaron Margosis] No, you're correct. Current version doesn't have it in there. Do you think it's important to add, maybe as a third export option?

  25. brad says:

    Thanks for the response Aaron. I think it would be valuable to add, so that analysis can continue within the Excel output, rather than having to jump back to the tool & cross-reference the 2nd window pane where that information is available. For example, I am comparing three group policies with some similar, overlapping settings. It is nice when I see the different values for these settings to know which GPO they are coming from solely within Excel. Thanks for the great tool!

    Also, when I select "Show Differences" – it just shows Conflicts – which, I suppose could be defined as "Differences" as well. I was expecting "Show Differences" to filter out the similarities between the GPOs, and show me only the settings (& values) that are different between them? So if two GPOs set the screen saver to enabled, and only one set the hard drive to turn off after 30 minutes, I'd expect "Show Differences" to show the hard drive setting, as well as any conflicts? Hopefully that makes sense.

    [Aaron Margosis] That's how it should work. If you have two or more GPO sets selected, and there's a GPO in one set that configures one of the "Turn Off the hard disk" settings, and none of the GPOs in the other set configure that setting, it should remain in the display when you select "Show Differences." I'd suggest unselecting the "Show Differences" and "Show Conflicts" settings, and searching for "Turn Off the hard disk". (Oh – and make sure you've actually got multiple GPO sets, and not just one GPO set that combines multiple GPOs.)

  26. brad says:

    Oooooh. I see. I added all my GPO's within a single set, and was expecting comparison of differences in that single set. I'll try out what you've outlined. Thanks!

  27. Vandrey Pereira says:

    I'm having this problem too: System.IO.FileNotFoundException: Não foi possível localizar o arquivo 'C:\Windows\PolicyDefinitions\en-us\ActiveXInstallService.adml'.
    Nome do arquivo: 'C:\Windows\PolicyDefinitions\en-us\ActiveXInstallService.adml'
    The file can't be found because I'm using Windows 10 Pro in Portuguese. The files are under C:\Windows\PolicyDefinitions folder…

    [Aaron Margosis] Yes – my apologies. Known issue. Current version works only for en-us. I hope to fix that in a future version.

  28. George says:

    Hello – quick question: I have to review approximately 80 GPO's. When filtering for conflicts, does this necessarily mean that there is an issue? or does this indicate GPO's with matching settings? I am trying to improve log on times.

    Thanks in advance!

    [Aaron Margosis] No, not necessarily. It just indicates that among the GPOs there are settings that are different. If each machine has to process 80 GPOs, that might be an issue, though.

  29. markus says:


    Thank you for offering a tool like this!!
    Unfortunately I am having some issues to properly view and compare GPO settings.
    We are using a GPO to configure IE settings (for IE prior version 10)…basically settings for the different zones in IE (local, trusted, …) currently these settings are (still) configured under the “Internet Explorer Maintenance” section within the GPO. I did a backup of this GPO and imported it into Policy Analyzer and then clicked the View/Compare button. Unfortunately it just was showing me a subset of the settings which are actually configured in the GPO.
    Anything I need to do differently to properly show IE relevant settings within a GPO via Policy Analyzer?


    [Aaron Margosis] Unfortunately, Policy Analyzer doesn't have a parser for settings configured in "Internet Explorer Maintenance."

  30. George Hansey says:

    Crashes under Windows 10. Tried AD and local.

    [Aaron Margosis] When you open gpedit, do you also get error messages? They released mismatched ADMX/ADML files and haven’t fixed them yet. 🙁 Next version of Policy Analyzer will be more resilient in the face of those.
    (Sorry for the delay in responding – when they changed the blog platform I stopped getting notifications about pending comments.)
  31. Markus says:

    Does this tool have a parser for settings configured under Computer Configuration/Policies/Windows Settings/Security Settings/Wireless Network (802.11) Policies? I am asking because we have some GPOs in place which are being used to configure WiFi settings for clients and I wanted to compare these GPOs using this tool. Unfortunately the tool is not showing me the settings which are actually configured in those GPOs… For other GPO settings it is working properly. Thanks Markus

    1. I’ll have to look into where those policies get saved. If they get saved in Registry.pol, then Policy Analyzer will see them, although it won’t show their path in the UI.
      1. Markus says:

        Have you had a chance to check where those policies get saved?

        [Aaron Margosis] Yes, I just found out. They are stored in Active Directory:


        …which explains why it’s in AD GP but not in local GP. I don’t plan to add locations such as this to Policy Analyzer.

  32. Nicholas Miller says:

    When I attempt to import the files from my GPO backup, I get a PolicyAnalyzer error dialog window (‘|’, hexadecimal value 0x19, is an invalid character, line 5657, polition193.). After the error, PolicyAnalyzer opens up but with no content, just headers. The error message varies in line and position numbers from policy to policy, but this has happened for every one of the policies I have attempted to look at.

    [Aaron Margosis] Is that the actual error text? I don’t see anything in the source code that looks quite like that. Does the *.PolicyRules file get saved successfully? If you change the extension to *.xml, can you open it as an XML file, or is it an invalid XML file? If it’s invalid XML, can you show the full error line here? Thanks.
    1. Daniel says:

      I had the same issue, just different reported location. In my case, it turned out to be a single/certain GPO backup that was causing the issue. I was importing 100+ GPOs so it took me a bit to narrow it down to which one, but I did.

      What helped me determine this, was the fact that I was able to import 1 GPO, but not all.

  33. Sinan Kaplan says:

    I get following error when I click on the View/Compare button:


    Informationen über das Aufrufen von JIT-Debuggen
    anstelle dieses Dialogfelds finden Sie am Ende dieser Meldung.

    ************** Ausnahmetext **************
    System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
    bei GPLookup.GPLookup_t.Initialize(String sLanguage)
    bei GPLookup.GPLookup_t.GPLookup()
    bei PolicyAnalyzer.PolicyViewer3.RowData_t.InitPolicyConfigAndPath()

    [… rest of the posted error information deleted to save space …]

    [Aaron Margosis] I’m working on an update that handles non-US-English systems better, and fixes some other bugs. I apologize for the inconvenience.

  34. Sebastien Boily says:

    Do you have the sample for Office 2016 (365)?

    [Aaron Margosis] We haven’t published a baseline for Office 2016/365
  35. Mikael Grath says:

    Q: Are there any plans to, somehow, include preferences in this tool?
    I think it’s the only thing I can think of that’s missing in this, otherwise amazing, tool 😉

    [Aaron Margosis] Haven’t tackled that yet.
  36. Phil Ready says:

    Does this only work with admx policies? I backed up policies that use adm files and policy analyser sees all of them as the same.

    [Aaron Margosis] Yes, Policy Analyzer reads only ADMX/ADML files to tie GP settings back to display names.
  37. usdi says:

    When running a compare on some entries it will add \0 to the end for the option. For instance RemoveSigned\0. But, when I check the GPO option setting in the registry there is not a \0 and the option is set correctly. Any ideas on what might cause this?

    [Aaron Margosis] That happens with REG_MULTI_SZ values today. I’ll post a preview version of the next version shortly. It resolves that issue and several others.