One of the cool things about our GPO Compare product is it’s support for PowerShell. The product ships with a PowerShell cmdlet called Compare-SDMGPO that lets you compare live and backed-up GPOs–just like the GUI. We can use this capability to automate the comparison of live GPOs to baseline backups. For example, let’s say you have a baseline template GPO backup from one of Microsoft’s best practices security guides and you want to know if your live GPOs are deviating from that. You can very easily create a PowerShell script that checks the baseline backup against live GPOs. If you put this in a Scheduled Task to run periodically, and leverage the PowerShell Send-MailMessage cmdlet to notify you when changes are detected, you have a ready-made “early-warning system” for GPO changes against a baseline. Here’s what a script like this would look:
$diff = (Compare-SDMGPO -BackupIDA “{A059FCE4-310F-4618-B8B9-F62053D4C464}” -LocationA “C:\data\gpbackups\Baseline” -GPONameB “Desktop Policy”) if ($diff -ne $null) {Send-MailMessage -To gpochanges@cpandl.com -Subject “A GPO was changed from the baseline” -From admin@cpandl.com -Body $diff -SmtpServer “smtp.cpandl.com”}The first line calls Compare-SDMGPO and compares a GPMC backup of a Baseline GPO (indicated by the -BackupIDA and -LocationA parameters) to a live GPO called “Desktop Policy” that was created from the backup and we assign the results of the comparison to the variable called $diff. In the second line, we test to see if $diff is not equal to null (meaning that there are differences). If we find it has differences, we call Send-MailMessage to send an email to a distribution list and we put the $diff object into the body of the email.
Darren