
One of the cool things we added in the new version of GPO Compare 2.0 was support for a PowerShell interface. GPO Compare 2.0 is all about letting you compare GPO settings across two live or backed up GPOs. The PowerShell interface lets you perform these comparisons in bulk! The product ships with a cmdlet called Compare-SDMGPO which, in the simplest form, lets you do something like this:

Compare-SDMGPO -GPONameA "Default Domain Policy" -GPONameB "Default Domain Controllers Policy"

The command above, as it implies, will compare the settings in the Default Domain Policy GPO with those in the Default Domain Controllers Policy GPO in the current domain. The output of the comparison is a custom object that contains the path to the setting, the value in GPO A, the value in GPO B and the type of difference for the item (e.g. different between A & B, missing in A or missing in B). An example of the output is shown here:

Example output of a GPO Comparison in PowerShell

The cmdlet also provides other options, similar to the GUI. For example, you can pick different domains to compare GPOs against, you can compare both live and backup GPOs and you can alter the delimiter in the GPO path from the default “|” character to anything you choose. You can also choose to include or exclude (the default) metadata associated with the GPO. Metadata are things like links, security filters and GPO status.

The power of this cmdlet is in its ability to support bulk comparisons. For example, if you wanted to compare a large number of GPOs, it could be tedious to do that through the UI, but with PowerShell and Compare-SDMGPO, it's a snap. And, if you want to output your comparisons to CSV, PowerShell makes it easy, like so:

compare-sdmgpo -GpoNameA "Default Domain Policy" -GpoNameB "Default Domain Controllers Policy" | export-csv c:\data\compare1.csv
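To show what a bulk comparison can look like, here is an added example (not from the product or its documentation) that compares every GPO in the current domain against one baseline GPO and writes all differences to a single CSV. It assumes the GroupPolicy module's Get-GPO cmdlet is available alongside Compare-SDMGPO; the baseline name, the output path and the two added column names are placeholders, and no property names of the comparison object are assumed.

```powershell
# Added example: baseline drift report across all GPOs in the current domain.
# Assumes the GroupPolicy module (Get-GPO) and GPO Compare 2.0 (Compare-SDMGPO)
# are installed. $Baseline and $OutFile are placeholder values.
Import-Module GroupPolicy

$Baseline = 'Default Domain Policy'
$OutFile  = Join-Path $env:TEMP 'gpo-baseline-diff.csv'

$gpos = Get-GPO -All | Sort-Object DisplayName

# @(...) keeps $results an array even when no differences are returned.
$results = @(
    foreach ($gpo in $gpos) {
        # Skip comparing the baseline with itself.
        if ($gpo.DisplayName -eq $Baseline) { continue }
        try {
            # Only the two parameters shown in the post are used here.
            Compare-SDMGPO -GPONameA $Baseline -GPONameB $gpo.DisplayName -ErrorAction Stop |
                # Tag each difference row with the GPO pair, because one CSV
                # holds the output of every comparison.
                Select-Object @{ Name = 'BaselineGpo'; Expression = { $Baseline } },
                              @{ Name = 'ComparedGpo'; Expression = { $gpo.DisplayName } },
                              *
        }
        catch {
            # One failed comparison should not stop the rest of the run.
            Write-Warning "Comparison failed for '$($gpo.DisplayName)': $($_.Exception.Message)"
        }
    }
)

$results | Export-Csv -Path $OutFile -NoTypeInformation

# Number of difference rows per GPO, largest drift from the baseline first.
$results |
    Group-Object ComparedGpo |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```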

Gotta love when two great technologies–PowerShell and Group Policy–come together!

Darren