Policy Analyzer v3.1 PRE-RELEASE


Lots of updates to Policy Analyzer in this unsigned, pre-release preview build — please post comments here to let me know how well it addresses your needs and what else it could add.

Download here: PolicyAnalyzer.zip

Please see the description of the original Policy Analyzer here for context.

Partial list of improvements:

  • Uses localized text correctly in most instances instead of US English.
  • Option to specify different directory for Policy Definition (ADMX) files.
  • Option to display explanation text with settings.
  • PowerShell scripts to split or merge Policy Rules files.
  • Better mapping to policy paths.
  • Option to show GPO names without GPO file paths.
  • Added support for REG_QWORD values.
  • Cleaner, less-noisy output.

Comments (15)

  1. Jaime Portero says:

    Hi Aaron,

    First of all thanks a lot for this tool, it is helping us a lot in GPO documentation and identifying discrepancies in a huge Enterprise environment.

    In our environment due to some business needs, a great part of our configuration is done through Group Policy Preferences. I wonder if you have any plan to extend the Policy Analyzer capability to parse the Preferences XML files.

    Do you have any plan in this area?

    thanks a lot
    Jaime Portero

    [Aaron Margosis] Looking into it.
  2. James Tuson says:

    Agree with [Jaime Portero October 24, 2016 at 7:30 am.]
    A lot of things I see online keep pushing us to use preferences. But most of the tools for troubleshooting Group Policy don’t support preferences. E.g. rsop.msc you can’t see preferences. Very frustrating.

  3. Ivan Kukalo says:

    Hi Aaron, also thanks a lot for this tool!
    Got an error when checking local policy setting. Privilege Use/Non Sensitive Privilege Use and some other local audit policy settings are null, some local audit policy settings are filled.
    —————————
    Policy Rules File Builder
    —————————
    Unexpected format in Audit CSV file:
    COMP,System,Èñïîëüçîâàíèå ïðàâ, íå çàòðàãèâàþùåå êîíôèäåíöèàëüíûå äàííûå,{0CCE9229-69AE-11D9-BED3-505054503030},Íåò àóäèòà,,0
    File: C:\Users\kukaloia\AppData\Local\Temp\tmpDCD3.tmp
    GPO: Local policy
    —————————
    ОК
    —————————

    1. Ivan Kukalo says:

      As I see, problem lines in C:\Users\kukaloia\AppData\Local\Temp\tmpDCD3.tmp look like this (Russian):
      WCS01-SIB-11,System,Использование прав, не затрагивающее конфиденциальные данные,{0CCE9229-69AE-11D9-BED3-505054503030},Нет аудита,,0
      WCS01-SIB-11,System,Другие события использования прав,{0CCE922A-69AE-11D9-BED3-505054503030},Нет аудита,,0

      1. Ivan Kukalo says:

        I think it’s a comma parsing error; in English this audit parameter is called
        Non Sensitive Privilege Use
        But in Russian:
        Использование прав, не затрагивающее конфиденциальные данные

  4. Ivan Kukalo says:

    Hi Aaron, also thanks a lot for this tool!
    Got an error when checking local policy setting. Privilege Use/Non Sensitive Privilege Use and some other local audit policy settings are null, some local audit policy settings are filled.
    Policy Rules File Builder
    Unexpected format in Audit CSV file:
    COMP,System,Èñïîëüçîâà íèå ïðà â, íå çà òðà ãèâà þùåå êîíôèäåíöèà ëüíûå äà ííûå,{0CCE9229-69AE-11D9-BED3-505054503030},Íåò à óäèòà ,,0
    File: C:\Users\kukaloia\AppData\Local\Temp\tmpDCD3.tmp
    GPO: Local policy
    As I see, problem lines in C:\Users\kukaloia\AppData\Local\Temp\tmpDCD3.tmp look like this (Russian):
    WCS01-SIB-11,System,Использование прав, не затрагивающее конфиденциальные данные,{0CCE9229-69AE-11D9-BED3-505054503030},Нет аудита,,0
    I think it’s a comma parsing error; in English this audit parameter is called
    Non Sensitive Privilege Use
    But in Russian:
    Использование прав, не затрагивающее конфиденциальные данные

    [Aaron Margosis] Interesting. I’ll look into that. I’ll follow up offline to your email address about getting a copy of that audit.csv, too. Thanks.
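
The rows quoted in the comments above carry a localized subcategory name with an unquoted comma, so splitting on commas gives the wrong field count. The following is an added example, not part of the original post or of Policy Analyzer: one way to read such rows is to anchor on the GUID field and compare settings by GUID and numeric value instead of localized text. The function name `ConvertFrom-AuditCsvLine` and the seven-column layout (taken from the rows quoted above) are assumptions.

```powershell
# Added example (not Policy Analyzer code). Save as UTF-8 with BOM when
# running under Windows PowerShell 5.1 so the Cyrillic sample is read correctly.
# Assumed layout, from the rows quoted in the comments:
# machine,target,subcategory name,{GUID},inclusion,exclusion,value
$RowPattern = '^(?<Machine>[^,]*),(?<Target>[^,]*),(?<Name>.*),' +
              '(?<Guid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}),' +
              '(?<Inclusion>.*),(?<Exclusion>[^,]*),(?<Value>\d+)$'

function ConvertFrom-AuditCsvLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string] $Line
    )
    process {
        # The GUID is the only field with a fixed, locale-independent shape,
        # so everything between the second comma and the GUID is the name.
        $m = [regex]::Match($Line.Trim(), $RowPattern)
        if (-not $m.Success) {
            Write-Warning "Unrecognized audit CSV row: $Line"
            return
        }
        [pscustomobject]@{
            Machine     = $m.Groups['Machine'].Value
            Target      = $m.Groups['Target'].Value
            Subcategory = $m.Groups['Name'].Value
            Guid        = $m.Groups['Guid'].Value.ToUpperInvariant()
            Inclusion   = $m.Groups['Inclusion'].Value
            Exclusion   = $m.Groups['Exclusion'].Value
            Value       = [int] $m.Groups['Value'].Value
        }
    }
}

# The two rows quoted in the comment thread above.
$sample = @(
    'WCS01-SIB-11,System,Использование прав, не затрагивающее конфиденциальные данные,{0CCE9229-69AE-11D9-BED3-505054503030},Нет аудита,,0'
    'WCS01-SIB-11,System,Другие события использования прав,{0CCE922A-69AE-11D9-BED3-505054503030},Нет аудита,,0'
)

# A naive split gives a different field count for each row because of the
# comma inside the first subcategory name.
$sample | ForEach-Object { ($_ -split ',').Count }

# The GUID-anchored parser returns one object per row with the name intact.
$sample | ConvertFrom-AuditCsvLine | Format-Table Guid, Value, Subcategory
```
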
  5. Fabian Bader says:

    Hi Aaron,

    Great piece of software.
    Would it be possible to include support for exporting the GPO comments in the next version?
    As well as other readers I really would like to see support for the “Preferences” section. It would allow easier documentation of policies and would make it unnecessary to document those separately.

    [Aaron Margosis] Thanks! I’ll look into capturing the comments – no one has ever asked for that before. Definitely looking into GPP.
    1. Patrick Singletary says:

      +1 Exporting Comments! We like GPOs to be self documented + use comments on unconfigured policies to point to the policy where it is configured.

  6. Neil Armstrong says:

    Is there a central site/page for this tool so I don’t have to rely on a search finding the latest version (I don’t even know if 3.1 is still the latest version)?

    [Aaron Margosis] Not yet – we’re looking into delivering it from the Download Center and linking to it from the Security Guidance landing page.
  7. Jacqui Hurst says:

    Hi, Not sure if I am doing something wrong but I was hoping to point the tool at a backup of the GPOs and for it to create a separate Policy Set for each GPO, i.e. column per GPO in the comparison. Can this be done and am I just doing something wrong or do I have to add each GPO individually? We have lots to compare the settings/document so would like to see what each policy has set and then export to Excel.

    It’s still a very useful tool and I can see me using it just to get a view of conflicting settings. Thanks

    [Aaron Margosis] “Add files from GPO(s)” pulls everything it finds into one set. If you have a lot of GPOs, importing them one by one might take a while. Take a look at the Split-PolicyRules.ps1 PowerShell script in the .zip file. Given a .PolicyRules file that combines multiple GPOs, the script creates a separate .PolicyRules file for each GPO. Example using the v1607/Server2016 baseline we recently published:
         Split-PolicyRules.ps1 .\MSFT-Win10-RS1-Srv2016.PolicyRules .\MSFT-Win10-RS1-Srv2016
    Produces these files:
         MSFT-Win10-RS1-Srv2016-SCM Internet Explorer 11 – User.PolicyRules
         MSFT-Win10-RS1-Srv2016-SCM Windows Server 2016 – Domain Controller Baseline.PolicyRules
         MSFT-Win10-RS1-Srv2016-SCM Windows 10 and Server 2016 – Credential Guard.PolicyRules
         MSFT-Win10-RS1-Srv2016-SCM Windows 10 RS1 – User.PolicyRules
         MSFT-Win10-RS1-Srv2016-SCM Windows Server 2016 – Member Server Baseline – Computer.PolicyRules
         MSFT-Win10-RS1-Srv2016-SCM Windows 10 RS1 – BitLocker.PolicyRules
         MSFT-Win10-RS1-Srv2016-SCM Windows 10 RS1 – Computer.PolicyRules
         MSFT-Win10-RS1-Srv2016-SCM Windows 10 and Server 2016 – Domain Security.PolicyRules
         MSFT-Win10-RS1-Srv2016-SCM Internet Explorer 11 – Computer.PolicyRules
         MSFT-Win10-RS1-Srv2016-SCM Windows Server 2016 – Member Server Baseline – User.PolicyRules
         MSFT-Win10-RS1-Srv2016-SCM Windows 10 and Server 2016 – Defender.PolicyRules
    1. Jacqui Hurst says:

      Brilliant, thanks. We found that, very useful. Saved me loads of time.

  8. Jacqui Hurst says:

    Hi,
    I’ve been using the tool to compare GPOs but I’m not sure if I’m doing something wrong as the results in a View/Compare don’t appear to show many of the settings.
    I’m comparing Office settings for two different versions. I’ve done a view compare and then copied all the settings out to Excel to manipulate. What I found was that some of the settings just aren’t listed.

    Examples are

    Administrative Templates\Microsoft Outlook 2013\Miscellaneous\Microsoft Outlook\List of managed add-ins
    Administrative Templates\Microsoft Outlook 2013\Account Settings/Exchange/Automatically configure profile based on Active Directory Primary SMTP address

    What I have done is the following

    I’ve backed up the two GPOs I’m interested in.
    Clicked Add and selected Add files from GPOs
    Selected the folder with the GPOs in
    Selected Each GPO individually and selected Import and created a new Rule set in a new folder
    Updated my Policy Rule set to the rule set folder.
    I’ve then selected the two and compared.
    I’ve also looked at them individually.

    If I check the rule set text file a quick search does not show anything related to the examples above.

    Is this an error on my part, a limitation or a problem? If there are so many settings missing I’m not sure I can rely on the results as a comparison. Hopefully it is something I am doing wrong.

    1. Jacqui Hurst says:

      Think it might be something I’ve done. I did the export again from the GPO and found my Addins and the Account settings might be in a different registry key than I was looking at. My first export I got 55 settings, in my second I got 58. So please ignore this I’ll go away and check the settings again and see if I can match the registry key to the policy. Doh!

      I did notice it doesn’t show scripts that are run, is this possible to export too, along with everyone’s desire for Preferences?

      Thanks

  9. Jacqui Hurst says:

    Hi
    I’ve noticed on one of my policies it shows a HKCU setting in the policy but if you look at the policy in the GUI, there are no HKCU settings.
    The setting is Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSave TimeOut

    This is a new policy I created, whose source was an existing policy which did not have this setting. When I look at the source policy in the tool there are no HKCU settings, as expected.

    Any ideas where this might be referencing?

    [Aaron Margosis] HKCU (HKEY_CURRENT_USER) is set by User Configuration. That registry value is configured through User Configuration\Administrative Templates\Control Panel\Personalization\Screen saver timeout.
    1. Jacqui Hurst says:

      ****end user error*****
      I’m guessing something merged in my policy rules for two of the GPOs. Redid my GPO import and it’s gone
