In this video, SDM Software (www.sdmsoftware.com) CTO & Founder Darren Mar-Elia shows how you can use the GPO Reporting Pak, composed of GPO Compare and Exporter, to detect changes within a Group Policy environment.
Detecting Group Policy Changes and Drift Using SDM Software’s Reporting Pak
Darren Mar-Elia: Hi. This is Darren Mar-Elia, CTO and Founder of SDM Software. And today I’m gonna give you a quick demo that shows the capabilities of our GPO Reporting Pak, composed of the GPO Exporter and GPO Compare products, of detecting group policy settings drift within your environment. So determining from one time to the next what’s changed within group policy?
The new feature that we’re adding in the GPO Exporter that should be out shortly gives us the ability using the Exporter PowerShell command with export SDMGP settings to now save off exporter snapshot files. So you can run this in, for example, Task Scheduler on a regular basis, let’s say every night, to grab all the settings within your environment. The command line that I’m using here uses the all parameter to include all GPOs, the metadata parameter to include metadata, which is things like GPO links, GPO permissions, modified date version, et cetera, the snapshot path which tells me where to store my snapshot files, and the snapshot comment parameter which gives a little comment that lets you identify this particular parameter or this particular snapshot.
And I’m piping this to Out-Null because I want — I don’t want all of the settings to appear on the screen. I just want them to go to the snapshot file. So I’m gonna go ahead and hit enter here. And what this is doing is it’s going out to my existing domain, which there’s about 250 GPOs in this environment and probably about a quarter of a million settings, individual settings, including metadata. And it’s going out and grabbing all those settings and storing them in the snapshot file. So all of the GPO settings within my environment from folder [inaudible 01:46] directions, software installation, admin templates, GP preferences, security settings across all GPOs are being stored in this snapshot file.
And when that completes, what I’ll do is I’ll go into my environment and make a change to group policy and then you can see — I’ll do another snapshot and you can see how the capabilities of the exporter and specifically compare, let you see the differences. So now, the snapshot is completed. I’ve got a snapshot file out there in my snapshot folder. I’m gonna go ahead and bring up GPMC. And I’m gonna just pick a GPO since I took a snapshot of all GPOs in the environment. I’m gonna go ahead and pick a GPO, this admin template GPO, and let’s go ahead and just make any old random change. Now, keep in mind I’ve got literally hundreds of GPOs and thousands of settings in this environment, so that at any given moment I might not know who or what has been touching this environment. But now, I’ve made a change.
The other thing I’m gonna do is I’m actually going to unlink this GPO from the sales OU. So I’m gonna delete this link. So now this link is gone, the setting in it is changed, how do I figure out what’s happened in the environment? What I’m gonna do is come back to PowerShell and rerun this command that I just ran before. But now it’s gonna go grab all the settings that exist as of this moment in time as opposed to the original one. And I didn’t change the comment but what I would’ve done here is put in after the change to indicate that this template or this snapshot has changed. I’m gonna let that run and it’s going through doing the same thing that the first command ran which is to go grab all the settings, grab all the metadata, links, and permissions, and such from the environment, store them in a snapshot file.
Now, let’s go ahead and give that a few seconds to run. Okay. Now, I’ve got my two snapshots. What I’m gonna do is come into GPO — sorry — GPO Compare and I’m gonna say start a new compare. And instead of comparing live GPOs, I’m gonna compare two exporter snapshots. And I’m gonna go ahead and browse to where I stored my snapshot under C:, data, GPO drift, and I’ve got these two snapshots here. Now, the names — the filenames of the snapshots gave away which one came before the other one.
So, this first one here was at 116, so I know that that’s my first one. If I had changed the command I would have been able to tell more easily. But I know this is my first one or my base line. And I’m gonna go ahead and choose the second one to compare it against. And now, I’ve got these two GPO snapshots that I’m comparing. And I’m gonna go ahead and run the comparison. And now GPO Compare is running through all the settings and all the metadata across both snapshots to determine where there’s differences.
Okay, now, let’s look at the results. We see here that the first sets of lines that we are viewing are the differences between the baseline and the differential snapshot or the change snapshot show things like modified time, different computer version, different — and then here is our link that was shown as enabled and enforced in the baseline but totally missing in the second GPO. So we can see that that link changed. And then down below here, here’s our setting that we changed, this download missing COM component being set to enabled in this GPO, in this administrative template GPO. So we see the setting path, we see the differences in the two snapshots.
So this is how using GPO Compare you can quickly and easily get to and see things like differences in metadata links, permissions, modified time, when was this thing changed, as well as just viewing setting changes. So GPO Compare and GPO Exporter provide a really powerful mechanism for detecting GPO drift within your environment.
Thanks for watching the video and you can get more information about the products by visiting our website at www.sdmsoftware.com or you can download evaluations of each product. Thanks very much.