New tool: Policy Analyzer

Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies, and can highlight the differences between versions or sets of Group Policies. It can also compare GPOs against current local policy settings and against local registry settings. And you can export its findings to a Microsoft Excel spreadsheet.

Policy Analyzer lets you treat a set of GPOs as a single unit.  This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values.  It also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.

For example, the US Government Configuration Baseline (USGCB) for Windows 7 includes seven different GPOs.  Policy Analyzer can treat them as a single set, and show all the differences between them and the Microsoft recommended baselines for Windows 10 and Internet Explorer 11 with a single comparison.  You can also use it to verify changes that were made to your production GPOs.

The following screenshot shows two baselines compared with each other and to corresponding registry values on the local system. The lower pane displays the Group Policy setting, location, and other information associated with the selected row. Conflicting settings are highlighted in yellow; absent settings are shown as a grey cell. Policy Analyzer also offers options to display only rows containing conflicts or other differences.

The following screenshot shows Policy Analyzer’s Excel output. Policy Analyzer sorts results primarily by the Group Policy path and setting name columns, which are the leftmost columns.

Policy Analyzer is a lightweight standalone application that doesn’t require installation, and doesn’t require administrative rights (except for the “local policy” feature).

The downloadable attachment to this blog post contains Policy Analyzer, its full documentation and sample GPO sets taken from the Microsoft security configuration baselines.

[Updated 3 February 2016: download now includes representations of all Windows, IE, and Office GPOs published in the Security Compliance Manager.]

[Update: the latest version of Policy Analyzer is here.]

Comments (80)
  1. Inn VNix Ginner says:

    Thanks for your contribution!

  2. Mikael Grath says:

    Making life simpler, i love it! Good work 🙂

  3. Ron Fisher says:

    Is there a way to use this with a Group Policy Central Store? I've tried directly adding the GPO's from the store, and backing up gpo's and adding them from the backup and I keep getting an unhandled exception looking for different .adml or admx files. I can get past this if I go find a copy of the missing file and copy it to my local machine that is running this tool. I'm stuck looking for a copy of healthservice.adml. Is there any way to make it go forward without these .admx and .adml files it is looking for? Thanks!

    [Aaron Margosis] No, this version looks only in %windir%\PolicyDefinitions for ADMX files and %windir%\PolicyDefinitions\en-us for ADML files. And it looks like if there's an ADMX without the corresponding ADML you get an unhandled exception. That's a bug. PolicyAnalyzer should handle it more gracefully, but the workaround is to make sure that you have the corresponding ADML file in the en-us directory.

  4. Aaron, are there plans for a version which scans a Group Policy central store? Microsoft says that it's best practice to use one, and many people out there are following that recommendation, myself included.

    [Aaron Margosis] It's on the list of potential features, but not currently at the top of the priority list, particularly since it's easy enough just to copy ADMX/ADML files to some local machine for analysis. E.g., I think covering GPP might be more valuable.

  5. Justin Purdy says:

    For anybody who's getting hung up on missing healthservice.adml, you can find it in %windir%\PolicyDefinitions\EN

    [Aaron Margosis] ???

    1. Doron Amir says:

      Thanks heaps. this does work. no more stupid warning messages!

  6. mike says:

    Thanks for the tool. Attempting to export on my machine results in an error: "Unable to set the FreezePanes property of the Window Class". Any ideas?

    [Aaron Margosis] What version of Office/Excel are you using?

  7. Perfect. Thanks for sharing.

  8. Martin says:

    Hmmm, does Policy Analyzer run on Win Server 2008 R2, too? If I click 'View/Compare' I get an exception error. If you want I can send the 'Details'.

    [Aaron Margosis] Yes, please send details either through the "Email blog author" link or in a comment. The main one seems to be an ADMX file in the PolicyDefinitions directory not having a matching ADML file in the EN-US subdirectory.

  9. Bumblebee says:

    I am getting the following error. I am using Excel 2010.

    [Aaron Margosis] In the current implementation, every ADMX file in the %windir%\PolicyDefinitions directory has to have a corresponding ADML file in the EN-US subdirectory.

    — + — + —
    Informationen über das Aufrufen von JIT-Debuggen
    anstelle dieses Dialogfelds finden Sie am Ende dieser Meldung.

    ************** Ausnahmetext **************
    System.IO.FileNotFoundException: Die Datei "C:\Windows\PolicyDefinitions\en-us\ActiveXInstallService.adml" konnte nicht gefunden werden.
    Dateiname: 'C:\Windows\PolicyDefinitions\en-us\ActiveXInstallService.adml'
    bei System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
    bei System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
    bei System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
    bei System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize)
    bei System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
    bei System.Xml.XmlTextReaderImpl.OpenUrlDelegate(Object xmlResolver)
    bei System.Threading.CompressedStack.runTryCode(Object userData)
    bei System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
    bei System.Threading.CompressedStack.Run(CompressedStack compressedStack, ContextCallback callback, Object state)
    bei System.Xml.XmlTextReaderImpl.OpenUrl()
    bei System.Xml.XmlTextReaderImpl.Read()
    bei System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace)
    bei System.Xml.XmlDocument.Load(XmlReader reader)
    bei System.Xml.XmlDocument.Load(String filename)
    bei GPLookup.GPLookup_t.XDocAndNSMgr..ctor(String filename, String defNamespace)
    bei GPLookup.GPLookup_t.Initialize(String sLanguage)
    bei PolicyAnalyzer.PolicyViewer3.RowData_t.InitPolicyConfigAndPath()
    bei PolicyAnalyzer.PolicyViewer3.LoadData(NameAndPolicies_t[] nameAndPolicies)
    bei PolicyAnalyzer.PolicyViewer3..ctor(NameAndPolicies_t[] nameAndPolicies, GPLookup_t gpLookup)
    bei PolicyAnalyzer.PolicyAnalyzerMain2.btnCompare3_Click(Object sender, EventArgs e)
    bei System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
    bei System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
    bei System.Windows.Forms.Control.WndProc(Message& m)
    bei System.Windows.Forms.ButtonBase.WndProc(Message& m)
    bei System.Windows.Forms.Button.WndProc(Message& m)
    bei System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

    to be continued

  10. Zenkin says:

    Is there any chance that I can export this to a CSV or save directly to a file? I don't have Microsoft Office installed on my management machine, and it seems my only option is to directly export it to Microsoft Excel 2007 or newer.

    [Aaron Margosis] Not in the current version. If you copy the .PolicyRules file to another computer that has Excel and that has all the ADMX and ADML files in the PolicyDefinitions/en-us directories, and run Policy Analyzer there, you can get everything except for "Compare local registry" data. CSV output would lose the formatting that you can get with direct Excel export.

  11. Stan Noel says:

    Justin Purdy. I'm getting the same error. 'Could not find file 'C:\Windows\PolicyDefinitions\en-us\HealthService.adml'.
    Using Win7 Ent 64-bit SP1.

    [Aaron Margosis] OK, I've heard this a few times now but haven't seen it myself. Are you seeing HealthService.adml in a different subdirectory?

  12. Glenn Turner says:

    LOVE this!!! This will save us SO much time. Thank you.

  13. Karl says:

    @echo off
    rem List every ADMX in PolicyDefinitions that has no matching ADML in en-us.
    for /f "delims=" %%G in ('dir /b "%windir%\PolicyDefinitions\*.admx"') do if not exist "%windir%\PolicyDefinitions\en-us\%%~nG.adml" echo %%G

  14. Tim says:

    The HealthService.adml file is in the en directory – not the en-us directory.

    [Aaron Margosis] For now, copy it into the EN-US subdirectory. If I get to make an updated version, I'll change the ADML search logic so that it can also look for an EN subdirectory, as well as look for ADML files in the PolicyDefinitions directory itself (according to Process Monitor that's what the GP editor does). I'll also make a missing ADML file a warning for that particular ADMX rather than stop processing.

  15. Jason says:

    Aaron this is a fantastic utility. Thank you for your work.

  16. Mitch says:

    Thanks for this. Very useful. Also useful is the way you have responded to the questions about your tool. Well done!

  17. Patrik says:

    Hello, thanks very much! Is there a way to automate the import process? Like building a CSV or XML file with list of policies and their names and only select them and compare?

    [Aaron Margosis] Well, kind of! It's not intended to be used this way, is unsupported, and some future update might change the implementation, but the PolicyRulesFileBuilder.exe is the helper process that is passed the files to process and the target .PolicyRules file to build. PolicyRulesFileBuilder.exe takes two parameters: the path to an existing tab-delimited-text file, and the path to the target file. The tab-delimited CSV contains one row for each file to process. Each row contains three columns in this order: policy type (Computer, User, Sec Template, or Audit Policy – taken from the Policy Type column of the Importer dialog); policy name (taken from the first column of the Importer dialog); and the full path to the file to parse, without quotes. Example:

    PolicyRulesFileBuilder.exe .\test.csv .\test.PolicyRules

    Good luck!
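
The reply above describes the three-column, tab-delimited input that PolicyRulesFileBuilder.exe reads. The following PowerShell sketch is an added example, not code from the original post or from Policy Analyzer: it walks a folder of GPO backups and writes one row per Registry.pol, GptTmpl.inf and Audit.csv file. The function names, the Machine/User folder mapping, the use of bkupInfo.xml and its GPODisplayName element for the policy name, and the UTF-8 output encoding are assumptions.

```powershell
# Added example, not part of Policy Analyzer. Row format per the reply above:
#   <policy type> TAB <policy name> TAB <full path to the file, without quotes>

function Get-GpoBackupName {
    # Assumption: a GPO backup folder contains bkupInfo.xml with a
    # GPODisplayName element. Returns $null when no such file is found.
    param([System.IO.DirectoryInfo] $Dir, [string] $Root)
    while ($Dir -and $Dir.FullName.Length -ge $Root.Length) {
        $info = Join-Path $Dir.FullName 'bkupInfo.xml'
        if (Test-Path -LiteralPath $info) {
            $xml = New-Object System.Xml.XmlDocument
            $xml.Load($info)
            $node = $xml.SelectSingleNode("//*[local-name()='GPODisplayName']")
            if ($null -ne $node -and $node.InnerText.Trim()) { return $node.InnerText.Trim() }
            return $Dir.Name
        }
        $Dir = $Dir.Parent
    }
    return $null
}

function Get-PolicyRulesRows {
    param([Parameter(Mandatory = $true)] [string] $BackupRoot)
    $root = (Resolve-Path -LiteralPath $BackupRoot).ProviderPath
    $wanted = 'registry.pol', 'GptTmpl.inf', 'audit.csv'
    Get-ChildItem -LiteralPath $root -Recurse -File |
        Where-Object { $wanted -contains $_.Name } |
        Sort-Object FullName |
        ForEach-Object {
            $file = $_
            # Assumption: user-side registry.pol sits under a "User" folder,
            # everything else under "Machine" (the GPO backup layout).
            if ($file.Name -ieq 'registry.pol') {
                if ($file.FullName -match '\\User\\registry\.pol$') { $type = 'User' }
                else { $type = 'Computer' }
            }
            elseif ($file.Name -ieq 'GptTmpl.inf') { $type = 'Sec Template' }
            else { $type = 'Audit Policy' }

            $name = Get-GpoBackupName -Dir $file.Directory -Root $root
            if (-not $name) { $name = $file.Directory.Name }
            # A tab inside the name would shift the columns, so flatten it.
            "{0}`t{1}`t{2}" -f $type, ($name -replace "`t", ' '), $file.FullName
        }
}

# Constructed demo tree (empty placeholder files) so the example runs anywhere.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('gpo-demo-' + [guid]::NewGuid())
$gpo  = Join-Path $demo '{11111111-2222-3333-4444-555555555555}'
foreach ($rel in 'DomainSysvol\GPO\Machine\registry.pol',
                 'DomainSysvol\GPO\User\registry.pol',
                 'DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf',
                 'DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv') {
    $path = Join-Path $gpo $rel
    New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null
    New-Item -ItemType File -Path $path -Force | Out-Null
}
Set-Content -LiteralPath (Join-Path $gpo 'bkupInfo.xml') -Encoding UTF8 -Value @'
<BackupInst><GPODisplayName><![CDATA[Constructed Demo GPO]]></GPODisplayName></BackupInst>
'@

# Output encoding is an assumption; the page does not say what the builder expects.
$tsv = Join-Path $demo 'import.tsv'
Get-PolicyRulesRows -BackupRoot $demo | Set-Content -LiteralPath $tsv -Encoding UTF8
Get-Content -LiteralPath $tsv

# With real backups, pass the file to the helper as in the reply above
# (unsupported; run from the Policy Analyzer folder):
#   .\PolicyRulesFileBuilder.exe $tsv .\demo.PolicyRules
Remove-Item -LiteralPath $demo -Recurse -Force
```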

  18. Mikael Grath says:

    A bit of wishful thinking, it would be cool if you could incorporate GPP as well, I’m not sure how or in what way that would fly but it would be a needed addition 🙂 Thanks for the efforts with this tool, it’s really great!

  19. Glad to see this, Aaron. Thanks for helping fill the gap of SCM being deprecated. Glad to have something like this to which I can direct my customers. Nice to have the USGCB, STIG, etc. stuff readily available like that for comparison.

  20. Michaell Kolowicz says:

    Thank you for this tool. But I cannot run it on a Windows 7-64bit (GERMAN). The error message is: "System.IO.FileNotFoundException: Die Datei "C:\Windows\PolicyDefinitions\en-us\ActiveXInstallService.adml" konnte nicht gefunden werden.
    Dateiname: 'C:\Windows\PolicyDefinitions\en-us\ActiveXInstallService.adml'

    What can I do?

    [Aaron Margosis] Email me through the Email Blog Author link on this blog. I'll try to work with you on a version that supports internationalization. Thanks.

  21. Habib Mbacfou says:

    Hello Aaron, thanks for your tool. Is there any way to use your tool with PowerShell commands? Because I'm looking for a way to automate the "policy file importer" and the rules comparison by using PowerShell. Thanks in advance for your answer

    [Aaron Margosis] See Patrik's comment from Jan 30 2016 and my response there.

  22. jim says:

    First off … Great Utility!

    Would you entertain the idea of keeping the [Registry Values] section of the Security Templates separate from the HKLM Policy Type? The utility does not identify if the setting is contained in the registry.pol or the GptTmpl.inf file.

    Thanks again.

    [Aaron Margosis] Policy Analyzer canonicalizes data so that if you have something set in [Registry Values] that hits the same location as something in a registry.pol, it can report the duplication or conflict. To see the source of a setting, enable "Show GPO names and files in Details pane" in the Options dropdown.

  23. Graham says:

    Seems you're getting a lot of problems with people on non-US versions of Windows. Surely the solution is to pick the ADML search path based on the current culture's shortcode?

    [Aaron Margosis] Yes, something like that, but I'd need to test before publishing. I don't have any non-English installs to test on.

  24. brad says:

    When I export to Excel, I don't see the GPO source names, as in the GUI? Am I missing where they are exported to, or is this not exported to Excel at all?

    [Aaron Margosis] No, you're correct. Current version doesn't have it in there. Do you think it's important to add, maybe as a third export option?

    1. J Morgan says:

      Quickly chiming in– adding the GPO source names would be very helpful to me, personally. Thanks for all your work!

      [Aaron Margosis] See whether the v3.1 pre-release helps.
  25. brad says:

    Thanks for the response Aaron. I think it would be valuable to add, so that analysis can continue within the Excel output, rather than having to jump back to the tool & cross-reference the 2nd window pane where that information is available. For example, I am comparing three group policies with some similar, overlapping settings. It is nice when I see the different values for these settings to know which GPO they are coming from solely within Excel. Thanks for the great tool!

    Also, when I select "Show Differences" – it just shows Conflicts – which, I suppose could be defined as "Differences" as well. I was expecting "Show Differences" to filter out the similarities between the GPOs, and show me only the settings (& values) that are different between them? So if two GPOs set the screen saver to enabled, and only one set the hard drive to turn off after 30 minutes, I'd expect "Show Differences" to show that the hard drive setting, as well as any conflicts? Hopefully that makes sense.

    [Aaron Margosis] That's how it should work. If you have two or more GPO sets selected, and there's a GPO in one set that configures one of the "Turn Off the hard disk" settings, and none of the GPOs in the other set configure that setting, it should remain in the display when you select "Show Differences." I'd suggest unselecting the "Show Differences" and "Show Conflicts" settings, and searching for "Turn Off the hard disk". (Oh – and make sure you've actually got multiple GPO sets, and not just one GPO set that combines multiple GPOs.)

  26. brad says:

    Oooooh. I see. I added all my GPOs within a single set, and was expecting comparison of differences in that single set. I'll try out what you've outlined. Thanks!

  27. Vandrey Pereira says:

    I'm having this problem too: System.IO.FileNotFoundException: Não foi possível localizar o arquivo 'C:\Windows\PolicyDefinitions\en-us\ActiveXInstallService.adml'.
    Nome do arquivo: 'C:\Windows\PolicyDefinitions\en-us\ActiveXInstallService.adml'
    The file can't be found because I'm using Windows 10 Pro in Portuguese. The files are under C:\Windows\PolicyDefinitions folder…

    [Aaron Margosis] Yes – my apologies. Known issue. Current version works only for en-us. I hope to fix that in a future version.

  28. George says:

    Hello – quick question: I have to review approximately 80 GPO's. When filtering for conflicts, does this necessarily mean that there is an issue? or does this indicate GPO's with matching settings? I am trying to improve log on times.

    Thanks in advance!

    [Aaron Margosis] No, not necessarily. It just indicates that among the GPOs there are settings that are different. If each machine has to process 80 GPOs, that might be an issue, though.

  29. markus says:


    Thank you for offering a tool like this!!
    Unfortunately I am having some issues to properly view and compare GPO settings.
    We are using a GPO to configure IE settings (for IE prior version 10)…basically settings for the different zones in IE (local, trusted, …) currently these settings are (still) configured under the “Internet Explorer Maintenance” section within the GPO. I did a backup of this GPO and imported it into Policy Analyzer and then clicked the View/Compare button. Unfortunately it just was showing me a subset of the settings which are actually configured in the GPO.
    Anything I need to do differently to properly show IE relevant settings within a GPO via Policy Analyzer?


    [Aaron Margosis] Unfortunately, Policy Analyzer doesn't have a parser for settings configured in "Internet Explorer Maintenance."

  30. George Hansey says:

    Crashes under Windows 10. Tried AD and local.

    [Aaron Margosis] When you open gpedit, do you also get error messages? They released mismatched ADMX/ADML files and haven’t fixed them yet. 🙁 Next version of Policy Analyzer will be more resilient in the face of those.
    (Sorry for the delay in responding — when they changed the blog platform I stopped getting notifications about pending comments.)
  31. Markus says:

    Does this tool have a parser for settings configured under Computer Configuration/Policies/Windows Settings/Security Settings/Wireless Network (802.11) Policies? I am asking because we have some GPOs in place which are being used to configure WiFi settings for clients and I wanted to compare these GPOs using this tool. Unfortunately the tool is not showing me the settings which are actually configured in those GPOs… for other GPO settings it is working properly. Thanks Markus

    1. I’ll have to look into where those policies get saved. If they get saved in Registry.pol, then Policy Analyzer will see them, although it won’t show their path in the UI.
      1. Markus says:

        Have you had a chance to check where those policies get saved?

        [Aaron Margosis] Yes, I just found out. They are stored in Active Directory:


        …which explains why it’s in AD GP but not in local GP. I don’t plan to add locations such as this to Policy Analyzer.

  32. Nicholas Miller says:

    When I attempt to import the files from my GPO backup, I get a PolicyAnalyzer error dialog window (‘|’, hexadecimal value 0x19, is an invalid character, line 5657, polition193.). After the error, PolicyAnalyzer opens up but with no content, just headers. The error message varies in line and position numbers from policy to policy, but this has happened for every one of the policies I have attempted to look at.

    [Aaron Margosis] Is that the actual error text? I don’t see anything in the source code that looks quite like that. Does the *.PolicyRules file get saved successfully? If you change the extension to *.xml, can you open it as an XML file, or is it an invalid XML file? If it’s invalid XML, can you show the full error line here? Thanks.
    1. Daniel says:

      I had the same issue, just different reported location. In my case, it turned out to be a single/certain GPO backup that was causing the issue. I was importing 100+ GPOs so it took me a bit to narrow it down to which one, but I did.

      What helped me determine this, was the fact that I was able to import 1 GPO, but not all.

  33. Sinan Kaplan says:

    I get following error when I click on the View/Compare button:


    Informationen über das Aufrufen von JIT-Debuggen
    anstelle dieses Dialogfelds finden Sie am Ende dieser Meldung.

    ************** Ausnahmetext **************
    System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
    bei GPLookup.GPLookup_t.Initialize(String sLanguage)
    bei GPLookup.GPLookup_t.GPLookup()
    bei PolicyAnalyzer.PolicyViewer3.RowData_t.InitPolicyConfigAndPath()

    [… rest of the posted error information deleted to save space …]

    [Aaron Margosis] I’m working on an update that handles non-US-English systems better, and fixes some other bugs. I apologize for the inconvenience.

    1. Sinan Kaplan says:

      Hello Aaron,

      I get following error when selecting “Local policy”:

      Unexpected Format in Audit CSV file:

      File: C:\Users\Username\Appdata\Local\tmp2089.tmp
      GPO: Local policy

      Do you know what could cause the problem?

      [Aaron Margosis] It’s a dumb localization bug that I need to fix. Replace “Unterkategorie-GUID” in the audit.csv with “Subcategory GUID” and it should work. My sincere apologies for the inconvenience.
      1. Sinan Kaplan says:

        Ok, could you tell me where to find that Audit.csv file?

        And I have another problem. When I go to “GPO filter…” I can’t see my GPOs. There is just one for all without a name.

        [Aaron Margosis] First question: try “gci -Recurse -Include audit.csv” (PowerShell) or “dir /s audit.csv” (Cmd.exe). It’s usually buried in “…\Machine\microsoft\windows nt\audit”.

        Second question: Policy Analyzer gets the GPO name from Backup.xml or bkupInfo.xml (I don’t remember which) in the root directory of each GPO. If those files aren’t present or don’t have name information in them, Policy Analyzer can’t assign a name.

  34. Sebastien Boily says:

    Do you have the sample for Office 2016 ( 365)

    [Aaron Margosis] We haven’t published a baseline for Office 2016/365
  35. Mikael Grath says:

    Q: Is there any plans to, somehow, include preferences in this tool?
    I think it’s the only thing I can think of that’s missing in this, otherwise amazing, tool 😉

    [Aaron Margosis] Haven’t tackled that yet.
  36. Phil Ready says:

    Does this only work with admx policies? I backed up policies that use adm files and policy analyser sees all of them as the same.

    [Aaron Margosis] Yes, Policy Analyzer reads only ADMX/ADML files to tie GP settings back to display names.
  37. usdi says:

    When running a compare on some entries it will add \0 to the end for the option. For instance RemoveSigned\0. But, when I check the GPO option setting in the registry there is not a \0 and the option is set correct, any ideas on what might cause this?

    [Aaron Margosis] That happens with REG_MULTI_SZ values today. I’ll post a preview version of the next version shortly. It resolves that issue and several others.
  38. Joe Bruns says:

    Full support for 2016 in current version?

    [Aaron Margosis] Yes.
  39. Joe Bruns says:

    Does Policy Analyzer allow you to compare two GPO backups and show differences in a command environment (non-GUI), so i can script it and return a return code to tell our build process if our security settings match what we expect them to?

    [Aaron Margosis] No, it’s GUI-only.
  40. Jamie Salbeck says:

    I had a question about importing policies. I’ve been importing the .ini and registry.pol files separately for each policy, so they essentially display as 2 different policies, but I noticed for the Windows 10 baseline provided everything displays as one big policy, how do I get my policy to import and display like that instead as separately?

    [Aaron Margosis] It’ll probably work better for you if you “Add files from GPO(s)” instead of adding files individually.
    1. Jamie Salbeck says:

      Thanks for your response, where and what file type am I grabbing when I add files from GPO’s? Whenever I do that there’s nothing for me to grab.

      [Aaron Margosis] With “Add files from GPO(s),” you select the root directory (folder) containing the GPO backups you want to analyze. It searches the root’s subdirectories for Registry.pol, GptTmpl.inf, and Audit.csv files. It also looks for XML files that contain GPO names to associate with the files.
  41. Bobby_at_WB says:

    Excellent! Is there any way to create the .PolicyRules files from Group Policy modelling or Group Policy results (preferably from the AD Group Policy MMC)?

    [Aaron Margosis] No, not at this time.
  42. Dmitry says:

    Thanks. But not all policies added to compare. I have 360 policies, and added only 250 policies.

    [Aaron Margosis] Can you add some context or details?
  43. Julio González says:

    Excellent Tool. I was wondering if it is still in pre-release, or if it is published as a final version to download (maybe with some more improvements). Thanks!!

    [Aaron Margosis] Updated version available here:
  44. Flynn says:

    Hi, I can't seem to convert the file to .policyrules? How do I export that and add to the policy analyzer? Thanks!

    [Aaron Margosis] Convert what file to .policyrules? The instructions describe how to import data from GPO files and backups.
  45. deanwarrenuk says:

    What does [[[delete]]] mean when shown against a policy? Is this a duplicate that needs deleting, is it deprecated and need deleting, etc…?

    [Aaron Margosis] It means that there is a command encoded into the registry.pol file to delete the specified registry value as part of policy processing. Registry.pol follows a documented binary file format that simply encodes a series of registry commands. More info here.
    1. deanwarrenuk says:

      I see… thanks

  46. deanwarrenuk says:

    Why can I back up this specific security policy (shown below), but cannot apply it?
    security settings\local policies\user right assignment\log on as a batch job

    lgpo.exe /b c:\mybackup
    lgpo.exe /g c:\mybackup

    [Aaron Margosis] Because of numerous limitations (bugs) in secedit.exe, which LGPO.exe uses to export security configuration settings. IIRC, it won’t export a user rights assignment that is empty. 🙁 The bug has been reported.
    1. deanwarrenuk says:

      Ah OK, no problem. Thanks

  47. Imre says:

    Q: In the Policy Viewer window what does “[[[delete]]]” and “[[[create key]]]” mean? See sample below:
    HKCU Software\Policies\Microsoft\Office\Common\security uficontrols 4 [[[delete]]]
    HKCU software\policies\microsoft\office\common\smart tag neverloadmanifests 1
    HKCU Software\Policies\Microsoft\SystemCertificates\Trust\Certificates [[[create key]]]
    HKCU Software\Policies\Microsoft\SystemCertificates\Trust\CRLs [[[create key]]]
    HKCU Software\Policies\Microsoft\SystemCertificates\Trust\CTLs [[[create key]]]
    HKCU Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates [[[create key]]]
    HKCU Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs [[[create key]]]
    HKCU Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs [[[create key]]]
    HKCU Software\Policies\Microsoft\Windows Mail DisableCommunities 1 1

    [Aaron Margosis] The registry.pol file format is a series of registry commands that can include “create a key,” “delete a value,” etc. The entries you see represent such commands in the analyzed registry.pol files.
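
The replies above describe registry.pol as a binary file that encodes a series of registry commands, including commands that delete a value. The following PowerShell parser is an added example, not Policy Analyzer's code: the record layout and the `**del.` style value-name prefixes come from Microsoft's published Registry Policy File Format rather than from this page, the function names are hypothetical, and the sample bytes are constructed. It does not cover how a "create key" command is encoded.

```powershell
# Added example, not Policy Analyzer's code. Layout assumed from the published
# Registry Policy File Format: "PReg" signature, DWORD version 1, then records
#   [key;value;type;size;data]
# with UTF-16LE delimiters and NUL-terminated key and value strings.

function Read-RegistryPol {
    param([Parameter(Mandatory = $true)] [byte[]] $Bytes)
    $stream = New-Object System.IO.MemoryStream -ArgumentList (, $Bytes)
    $r = New-Object System.IO.BinaryReader -ArgumentList $stream
    if ($r.ReadUInt32() -ne 0x67655250 -or $r.ReadUInt32() -ne 1) {
        throw 'Not a version 1 Registry.pol file (bad PReg header).'
    }

    # Read UTF-16 code units up to the NUL terminator.
    $readString = {
        $sb = New-Object System.Text.StringBuilder
        while (($c = $r.ReadUInt16()) -ne 0) { [void] $sb.Append([char] $c) }
        $sb.ToString()
    }
    # Consume one delimiter and fail loudly if the record is malformed.
    $expect = {
        param([int] $Code)
        $got = $r.ReadUInt16()
        if ($got -ne $Code) { throw ('Malformed record at offset {0}' -f $r.BaseStream.Position) }
    }

    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    while ($r.BaseStream.Position -lt $r.BaseStream.Length) {
        & $expect 0x5B                                  # '['
        $key   = & $readString;   & $expect 0x3B        # ';'
        $value = & $readString;   & $expect 0x3B
        $type  = $r.ReadUInt32(); & $expect 0x3B
        $size  = $r.ReadUInt32(); & $expect 0x3B
        $data  = $r.ReadBytes($size)
        & $expect 0x5D                                  # ']'

        # Special value names turn a record into a delete command.
        $action = 'set value'
        if     ($value.StartsWith('**del.', $cmp))         { $action = 'delete value'; $value = $value.Substring(6) }
        elseif ($value.StartsWith('**delvals', $cmp))      { $action = 'delete all values in key'; $value = '' }
        elseif ($value.StartsWith('**deletevalues', $cmp)) { $action = 'delete listed values' }
        elseif ($value.StartsWith('**deletekeys', $cmp))   { $action = 'delete listed subkeys' }

        # Decode the common types for display; show anything else as hex.
        if ($type -eq 4 -and $data.Length -eq 4) { $shown = [BitConverter]::ToUInt32($data, 0) }
        elseif ($type -eq 1 -or $type -eq 2) {
            $shown = [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char] 0)
        }
        else { $shown = [BitConverter]::ToString($data) }

        [pscustomobject]@{ Key = $key; Value = $value; Action = $action; Type = $type; Data = $shown }
    }
}

# Helper that builds one record for the constructed sample below.
function New-PolRecord([string] $Key, [string] $Value, [uint32] $Type, [byte[]] $Data) {
    $u = [System.Text.Encoding]::Unicode
    $u.GetBytes("[$Key`0;$Value`0;") + [BitConverter]::GetBytes($Type) + $u.GetBytes(';') +
        [BitConverter]::GetBytes([uint32] $Data.Length) + $u.GetBytes(';') + $Data + $u.GetBytes(']')
}

# Constructed sample: one REG_DWORD set command and one delete-value command.
$u = [System.Text.Encoding]::Unicode
[byte[]] $pol = [byte[]](0x50, 0x52, 0x65, 0x67, 1, 0, 0, 0) +
    (New-PolRecord 'Software\Policies\Example' 'EnableDemo' 4 ([BitConverter]::GetBytes([uint32] 1))) +
    (New-PolRecord 'Software\Policies\Example' '**del.OldSetting' 1 ($u.GetBytes(" `0")))

Read-RegistryPol -Bytes $pol | Format-Table -AutoSize
```

To inspect a real file, pass `[System.IO.File]::ReadAllBytes($path)` as `-Bytes`.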
  48. Yoshihiro Kawabata says:

    Thank you.
    I hope the documents of Policy Analyzer in Japanese for share with our customers/partners/friends.
    Yoshihiro Kawabata

  49. James Sutherland says:

    This looks useful, but the download site seems to be broken at the moment (I just get “You have not selected any file(s) to download” – there is a list of filenames on the left, but no way to select anything, whether I use Chrome, Edge or IE). Any chance of an alternative/working link please Aaron?

    [Aaron Margosis] Looks like it’s working now. Is it still failing for you?
  50. Amazing tool. The parts I’ve already figured out work nicely. Is it possible to convert or import the SCM baseline CAB files (2008 and IE in particular) to use as PolicyAnalyzer policy sets?
    Thanks very much.

    [Aaron Margosis] Export the GPOs from SCM, then import them into Policy Analyzer. Or just use the .PolicyRules files that come in the Policy Analyzer zip file — that’s how they were created.

  51. nahab says:

    This is great, but I’m getting an unhandled exception: “Object reference not set to an instance of an object”? Here are the error details:

    See the end of this message for details on invoking
    just-in-time (JIT) debugging instead of this dialog box.

    ************** Exception Text **************
    System.NullReferenceException: Object reference not set to an instance of an object.
    at PolicyAnalyzer.PolicyViewer3.RowData_t.InitPolicyConfigAndPath(GPLookup_t gpLook)
    at PolicyAnalyzer.PolicyViewer3.LoadData(NameAndPolicies_t[] nameAndPolicies)
    at PolicyAnalyzer.PolicyViewer3..ctor(NameAndPolicies_t[] nameAndPolicies, GPLookup_t gpLookup)
    at PolicyAnalyzer.PolicyAnalyzerMain2.btnCompare3_Click(Object sender, EventArgs e)
    at System.Windows.Forms.Control.OnClick(EventArgs e)
    at System.Windows.Forms.Button.OnClick(EventArgs e)
    at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
    at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
    at System.Windows.Forms.Control.WndProc(Message& m)
    at System.Windows.Forms.ButtonBase.WndProc(Message& m)
    at System.Windows.Forms.Button.WndProc(Message& m)
    at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

    Any ideas?


    1. nahab says:

      And.. never mind, it looks like it was a broken ADMX! Thanks!

      [Aaron Margosis] This sounds like a Policy Analyzer bug that was fixed a long time ago. Make sure you pick up the latest version of Policy Analyzer:
      1. DTU says:

        Hi Aaron, I’m getting the same error (System.NullReferenceException: Object reference not set to an instance of an object.) with the latest downloaded PolicyAnalyzer (v3.2.1705.29001). Any clues how to find the broken ADMX file, or otherwise debug?

        [Aaron Margosis] Try running Sysinternals Process Monitor (Procmon) and see which ADMX/ADML files it has processed when it hits that error.
  52. Harjeet Singh makkar says:

    I backed up all the GPOs and for some reason when I import the GPOs I don’t see all of them. So I manually backed up the missing one via backup-gpo and saved it in the same location. I imported again and compared, and I still don’t see the missing ones.

    [Aaron Margosis] Policy Analyzer captures only the content that lands in registry.pol (administrative templates, firewall settings, AppLocker, and a few other things), security templates, and advanced auditing settings. If you have policies that include Group Policy Preferences, startup/logon/logoff/shutdown scripts, and other such artifacts, Policy Analyzer doesn’t capture those.
  53. Charlie says:

    I have pulled my GPO backups in and the only data is from the registry. I don’t get the policy path. Without the policy path, the registry key information is not helpful. I have also tried to find the supposed difference reported by this tool in the actual HTML format of the GPO and it isn’t there. Any ideas what I may be missing?

    [Aaron Margosis] Make sure to point Policy Analyzer to the correct ADMX repository.
  54. Hi Aaron, great tool!
    Do you know if the PolicyRules for MSFT-Win10-v1703-RS2 and MSFT-Win10-v1709-RS3 will be available as SamplePolicyRules?
    Also is there any way to create a .policyrules from the group policies results (ex: Windows 10 Version 1703 Security Baseline\Windows 10 RS2 Security Baseline\GP Reports)?

    thank you.

    [Aaron Margosis] We haven’t re-released Policy Analyzer with content representing those baselines, but it’s easy to create them when you have downloaded the new baselines. Just point Policy Analyzer at the GPOs directory and build a rule set from it.
    1. Nas says:

      Hi Aaron,
      What is the meaning of the different numbers for Options? I mean, how should one understand the value provided in the Option field during a comparison?

      [Aaron Margosis] Settings are shown in two ways: the actual registry data that gets written (e.g., DWORD 2) and the human-language option associated with that value (e.g., “Highest protection”).
  55. John19741 says:

    Is there any alternative that MS do instead of this tool that hasn’t been retired? Without support for Group Policy Preferences or the ability to map back Registry settings to actual GPO settings in the description then there’s not a lot you can actually do with this tool. How on earth are you supposed to get a GPO setting from “HKCU Software\Policies\Microsoft\Windows\Personalization ThemeFile”? I know it’s a User setting but there are quite a few to choose from so without being told the path this tool is pointless.

    [Aaron Margosis] Policy Analyzer does map registry values back to GPO paths and names, both in the Details Pane and in “Export all data to Excel.” It can also show the Explain text for the setting. If the mapping isn’t taking place then you must not be pointing to the correct ADMX files. See the documentation for more about that. (Oh, and the registry path you mentioned maps to User Configuration\Control Panel\Personalization, Load a specific theme.)

    Support for Group Policy Preferences is something we’d like to add. That said, the retired Security Compliance Manager didn’t support GPPs either.

  56. Um, this is probably great and all, but how does one use it to compare the policies that have been applied to two windows servers for differences?

  57. Pjay1980 says:

    Hi Aaron,

    I’m having some problems importing a user group policy from a backup. I can use that same backup to import settings into a new group policy, even backing up the new policy doesn’t allow me to import it into the Policy Analyzer. Do you have any recommendations?

    I’m using version 3.2.18


    [Aaron Margosis] What kinds of problems are you having? Note that Policy Analyzer looks only for certain files, and that those don’t include Group Policy Preferences. If you have a GPO made up only of GPP settings, it won’t get included.
  58. Michaael K says:

    Hello, is there any way to create my own policy settings? Or do I have to use all the settings created by Microsoft? For example: I have software that needs a few security and system settings to work best. Security settings such as: only chosen USB devices can connect, or system settings such as: a resolution of full HD or deactivated games. By creating my own policy settings I could check with the Policy Analyzer whether all the settings are done correctly or if I have to change settings. And I could view differences very easily.
    Thank you in advance.

    [Aaron Margosis] Yes, you can use these tools with your own GPO settings.
  59. John19741 says:

    I imported a GPO with the loopback Merged setting enabled and the tool completely fails to list any of the Folder Redirection policy under the “User” section of the GPO.

    [Aaron Margosis] Folder Redirection settings aren’t stored in any of the file types that Policy Analyzer works with. Policy Analyzer processes registry policy files (e.g., registry.pol), advanced auditing CSV files (e.g., audit.csv), and security template files (e.g., GptTmpl.inf).
    1. John19741 says:

      So the Group Policy Analyzer can’t analyse group policy? I need to double check but it looks like it’s also missing other merged loopback settings such as Outlook Cached mode.

      So is there a tool that can be used to analyse GPOs in their entirety so all GPO settings can be gathered and matched?

  60. rimetree says:

    Not sure if this has been asked or suggested but it would be nice to be able to see where user and computer configuration policies conflict with each other. For example, if I look at IE security settings in one policy where the admin set those policies in the user configuration, and compare that to a policy where IE security is set in the computer configuration, it would be nice to see the conflicts.

  61. I need to compare group policies applied on 2 systems (Windows 7 & 10) to find where the mismatch is. I have executed the ‘Group Policy Result’ on both systems and exported the data in XML format, later renamed with the *.PolicyRules extension. However, I am not able to view policy settings in the Policy Viewer pane.
    I am new to this tool and don’t know where I am going wrong. Please guide.

    [Aaron Margosis] Policy Analyzer can’t ingest GPO reports or gpresult reports. It ingests GPO backups.
  62. Chris2275 says:

    Is there a way to import XML reports from GPO to look for differences between the two reports, or do you need to first import the XML reports into something like Excel and then convert them into CSV files to import into Policy Analyzer?

    [Aaron Margosis] Policy Analyzer can’t ingest GPO reports or gpresult reports. It ingests GPO backups.
  63. RAJU2529 says:

    Thanks, sir, for the information. Just now I downloaded the latest tool from the added link.

  64. Jonnyc109 says:

    I’ve literally never been able to use this tool. I get errors when trying to import my backed up GPOs. I get errors when trying to import registry and local policy. Basically errors all the time with no real explanation…

    Invalid File Format. Expected headers not found


    Index was outside the bounds of the array

    [Aaron Margosis] Need more details than that to diagnose. Are you sure you have the latest version, and followed the instructions in the documentation to the letter? Are you trying to read GPO reports instead of GPO backups?

    Note that this site is going to become read-only soon, so this conversation will have to move to the baselines discussion space. More info here.

Comments are closed.
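
Several replies above note that Policy Analyzer reads only registry policy files, advanced auditing CSV files and security templates from GPO backups, so a GPO made up only of Group Policy Preferences never shows up. The PowerShell function below is an added example, not part of the original post or of Policy Analyzer; it inventories a folder of GPO backups by the three file names quoted in the replies. The `bkupInfo.xml` lookup, the `Preferences` folder name and the `C:\GPOBackups` path are assumptions about a standard `Backup-GPO` layout.

```powershell
# Added example (not Policy Analyzer code): for each GPO backup under $BackupRoot,
# report which of the file types named in the replies above are present.
function Get-GpoBackupCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $BackupRoot    # folder holding one {GUID} subfolder per backup
    )

    # File names quoted in the replies; -contains/-eq match case-insensitively.
    $readable = 'registry.pol', 'audit.csv', 'GptTmpl.inf'

    Get-ChildItem -LiteralPath $BackupRoot -Directory | ForEach-Object {
        $backup = $_
        # -Force so hidden files inside the backup are listed too.
        $files = @(Get-ChildItem -LiteralPath $backup.FullName -Recurse -File -Force)

        # Assumption: Backup-GPO writes bkupInfo.xml with a GPODisplayName element.
        $name = $backup.Name
        $info = Join-Path $backup.FullName 'bkupInfo.xml'
        if (Test-Path -LiteralPath $info) {
            $xml  = [xml](Get-Content -LiteralPath $info -Raw -Force)
            $node = $xml.SelectSingleNode("//*[local-name()='GPODisplayName']")
            if ($node) { $name = $node.InnerText }
        }

        $hits = @($files | Where-Object { $readable -contains $_.Name })
        # Assumption: Group Policy Preferences items sit under a 'Preferences' folder.
        $gpp  = @($files | Where-Object { $_.FullName -match '\\Preferences\\' })

        [pscustomobject]@{
            GPO         = $name
            RegistryPol = @($hits | Where-Object Name -eq 'registry.pol').Count
            AuditCsv    = @($hits | Where-Object Name -eq 'audit.csv').Count
            GptTmplInf  = @($hits | Where-Object Name -eq 'GptTmpl.inf').Count
            GppFiles    = $gpp.Count
            HasReadable = ($hits.Count -gt 0)   # false: none of the three file names found
        }
    }
}

# Constructed usage; the path is a placeholder. Lists backups with none of the three files:
# Get-GpoBackupCoverage -BackupRoot 'C:\GPOBackups' | Where-Object { -not $_.HasReadable }
```

A backup that reports `HasReadable` as false but a non-zero `GppFiles` count matches the case described in the replies: the GPO exists, but nothing in it is in a file type the tool processes.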
