Detecting Group Policy Settings Drift Using GPO Exporter [VIDEO]
This week we’ll be releasing an minor update to our GPO Exporter product. One of the cool things that we’re adding to this release is the ability to generate GPO settings snapshots using PowerShell. The GUI version of the product already includes the ability to export settings and save them off to snapshots that can be loaded and viewed later. And, GPO Compare 2.5 already includes the capability to compare differences in Exporter snapshots. The result of these two capabilities is that the combined Reporting Pak of Exporter and Compare provide you with a quick and powerful way to detect drift in GPO settings at two or more moments in time.
Let’s look at how this works. In the new version of Exporter, we can use the PowerShell cmdlet, Export-SDMGPSettings, to export all settings across all GPOs in a given domain to an Exporter snapshot file. We can also include metadata associated with GPOs, which includes locations where that GPO is linked, permissions on the GPO, created and modified dates on the GPO, and status of the GPO. Given that the export runs in PowerShell, we can use the Windows Task Scheduler to schedule these snapshots on a daily basis.
Using GPO Compare, we can then compare up to 4 Exporter snapshots to see what settings (and metadata) have changed from one point in time to the next! The video attached to this blog posting shows how you can do this in practice, using the products of the Reporting Pak!