It seems like a logical thing to be able to do–you have a bunch of GPOs and you want to search for settings across them. In fact, it turns out to be a fair bit of work with native tools. It’s true that Microsoft has provided, for a while now, an Azure-based website that provides the equivalent of the Group Policy ADMX settings spreadsheet in an online, searchable database. This allows you to search for policies in the standard ADMX files. It’s really useful to answer that question, “I wonder if there is an Administrative Template setting that does X?”. However, it doesn’t help at all if you are trying to answer the question, “I wonder if setting X has been deployed in MY GPOs in my environment?”.
To answer that kind of question, we have the GPO Exporter product. Exporter is our Group Policy inventory and analysis tool that provides powerful insight into what is happening in your GP environment. Amongst its many features, it has a PowerShell interface that allows you to perform scripted queries of GPO settings across many, many GPOs. The Exporter PowerShell cmdlet is called export-sdmgpsettings and it is straightforward to use. For example, let’s say I know I can no longer use IE Maintenance policy, because Microsoft has deprecated it. So, I want to find out where all the IE Maintenance settings exist within my environment. In medium to large environments with hundreds or even thousands of GPOs, this would be an incredibly time-consuming process. However, with the Exporter PowerShell cmdlet, it’s a snap. The following command will do the trick:
[codebox lang="ps"]
export-sdmgpsettings -all -PolicyAreas "Internet Explorer Maintenance"
[/codebox]
Or, let’s say we want to get more specific about the search. Perhaps we want to search for all the places a particular security group is used in Group Policy, because that group is about to be retired. With Exporter, we can not only search setting path descriptions, but we can also search on setting values. This would look something like this:
[codebox lang="ps"]
export-sdmgpsettings -all | where {$_.SettingValue.Contains("Marketing Users")}
[/codebox]
And sure enough, when I ran this search, it came up with a list of GPOs and settings that contained that group name, including User Rights Assignment policy, Restricted Groups policy and even Item-level targeting of the group in a GP Preferences Drive Mapping, as shown here:
And while I’ve shown this powerful search capability in PowerShell, it’s also available in the GUI. Hopefully this is helpful to some of you out there, looking to get a handle on exactly what is going on in your Group Policy environment!
Darren
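For comparison, here is the native-tools route the post describes as a fair bit of work, applied to the retiring-group search. This is an added example, not part of the original post and not GPO Exporter code; `Find-GpoReportText` is a hypothetical helper name, the sample report is constructed, and the live usage assumes the RSAT GroupPolicy module.

```powershell
# Added example: search GPO XML reports for a string using only native tooling.
# Find-GpoReportText is a hypothetical helper name, not part of any product.
function Find-GpoReportText {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$ReportXml,
        [Parameter(Mandatory)][string]$Text
    )
    process {
        $doc = [xml]$ReportXml
        foreach ($side in 'Computer', 'User') {
            # Each ExtensionData node is one policy area (Security, Drive Maps, ...)
            foreach ($ext in $doc.GPO.$side.ExtensionData) {
                if ($null -eq $ext) { continue }
                # Raw-XML match also covers attributes; '&' in a name appears as '&amp;'
                if ($ext.OuterXml.IndexOf($Text, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{
                        GPO        = $doc.GPO.Name
                        Side       = $side
                        PolicyArea = $ext.Name
                    }
                }
            }
        }
    }
}

# Constructed sample report (heavily trimmed) so the function can be tried offline.
$sample = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Constructed Sample GPO</Name>
  <Computer>
    <ExtensionData>
      <Extension><Member>CONTOSO\Marketing Users</Member></Extension>
      <Name>Security</Name>
    </ExtensionData>
  </Computer>
  <User>
    <ExtensionData>
      <Extension><Drive name="M:" /></Extension>
      <Name>Drive Maps</Name>
    </ExtensionData>
  </User>
</GPO>
'@
$sample | Find-GpoReportText -Text 'Marketing Users'

# Against a live domain (GroupPolicy module from RSAT):
# Get-GPO -All | ForEach-Object { Get-GPOReport -Guid $_.Id -ReportType Xml } |
#     Find-GpoReportText -Text 'Marketing Users'
```

This reports only which GPO and policy area mention the text, not the individual setting, and generating an XML report per GPO is slow in environments with hundreds of GPOs.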