Sep 17 2010

Powershell: Search setting in GPOs

In this article we will describe how to search for GPOs matching several settings with PowerShell. In this post and this one Lindsay Harris describes how to achieve this by exporting GPO reports in XML format and parsing the output. The principal advantage of her method is that you can input very precise search criteria, but the disadvantage is that the processing time of the script can be very long because you need to export an XML report for every GPO in your domain. The method I will describe is more efficient in terms of processing time, but your search criteria will be limited.

As described in a recent post written by Florian Frommherz there is a GPO search box in GPMC; if you need more information on how to use it you can watch this TechNet video. Searching for a GPO matching a setting can be done really quickly, but this function is limited because you can only choose the settings from a dropdown list. The purpose of this post is to do the same search with PowerShell, so that we can do some processing on the GPOs matching our search criteria by using the Group Policy cmdlets.

In order to retrieve the request used by GPMC to search for a particular GPO setting we will enable verbose logging for this console. Let's search for all GPOs having the user setting "Folder Redirection" enabled:

Just after that we open the log file %TEMP%\gpmgmt.log and have a look at the information generated by GPMC verbose logging:

[VERBOSE] CGPMSearch::DumpCriteria(): Dumping 1 criteria ================
[VERBOSE] CGPMSearch::DumpCriteria(): Property: “gpoUserExtensions”
[VERBOSE] CGPMSearch::DumpCriteria(): Operation – Contains
[VERBOSE] CGPMSearch::DumpCriteria(): Value (string) “{25537BA6-77A8-11D2-9B6C-0000F8080861}“.
[VERBOSE] CGPMSearch::DumpCriteria(): End criteria dump ==================

It looks like the search filter is an LDAP attribute of the GPO object located under "CN=System,CN=Policies,DC=%domain%"; we will use adsiedit.msc to obtain more details:

The gPCUserExtensionNames attribute has the following format [%GUID1% %GUID2% ....], where each GUID is a constant that tells you which GPO setting (extension) is enabled for the GPO.
In our example {25537BA6-77A8-11D2-9B6C-0000F8080861} is the GUID corresponding to the extension name for folder redirection.

For the computer configuration of the GPO it works the same way, but the attribute is gPCMachineExtensionNames. In order to identify the GUID for each setting we run every query in the GPMC dropdown list and analyse the %TEMP%\gpmgmt.log file. There are 30 user configuration settings and 35 computer configuration settings. The results are in the Excel file below:

Once we have collected all the GUIDs it is very simple to search for a GPO using PowerShell and the Get-ADObject cmdlet. If we want to search for all the GPOs having the folder redirection setting enabled, we filter on ObjectClass=groupPolicyContainer and on gPCUserExtensionNames containing the string {25537BA6-77A8-11D2-9B6C-0000F8080861} (the wildcard pattern must be quoted inside the filter):

$ObjGPOs = Get-ADObject -Filter {(ObjectClass -eq "groupPolicyContainer") -and (gPCUserExtensionNames -like "*{25537BA6-77A8-11D2-9B6C-0000F8080861}*")}

If the result $ObjGPOs is not empty, we use the Get-GPOReport cmdlet to print an HTML report for each GPO matching our search criteria. The GPO GUID is passed as a parameter, but without the "{}" characters. Do not forget to import the GroupPolicy module.

Import-Module GroupPolicy
if ($ObjGPOs -ne $null) {
    foreach ($ObjGPO in $ObjGPOs) {
        # The AD object's Name is the GPO GUID wrapped in braces; strip them for the GroupPolicy cmdlets
        $guid = [System.Text.RegularExpressions.Regex]::Replace($ObjGPO.Name, "[{}]", "")
        $pathtosavef = "C:\export\" + (Get-GPO -Guid $guid).DisplayName + ".html"
        Get-GPOReport -Guid $guid -ReportType Html -Path $pathtosavef
    }
}

The above script exports the GPO reports to files named %GPO_Name%.html in the C:\export folder. In order to make a script that works with all 65 GPO settings (30 user configuration + 35 computer configuration) and their identified GUIDs, we just need to store this information in two lookup tables, one for computer settings and one for user settings. Just launch the search_GPO_2008.ps1 script; you can pass the -report input parameter in order to export the HTML reports to a specific folder.

In the example above we search for the GPOs which have a service configured with Group Policy Preferences in the computer configuration of the GPO. Once the script is launched, just input 2 then 20. If you do not use the -report input parameter, no reports are exported; only the GPO name, GUID and creation date are displayed. To download search_GPO_2008.ps1 just click on the link below:

If you do not have RSAT and Active Directory 2008, here is a script for AD 2003 written with the Quest AD cmdlets. It has no HTML report export feature, because there are no (or not yet?) QAD cmdlets for GPO management. Just download search_GPO_2003.ps1 below:

It works the same way as the previous script, but the -report input parameter is not available:

You can modify the search_GPO_2008.ps1 script in order to do other management tasks on the GPOs meeting your search criteria; for example, you can use the Backup-GPO cmdlet in order to back up the GPOs to a particular folder.
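As an added example (not the article's search_GPO_2008.ps1 script), the following PowerShell wraps the whole technique described above: it parses the GUID list of a gPC*ExtensionNames attribute, searches AD with an LDAP filter for GPOs whose user or computer extension list contains a given GUID, and exports an HTML report for each hit. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the function names and the second sample GUID are constructed for the example, the folder redirection GUID is the one from the article.

```powershell
# Added example, not the article's script. Assumes RSAT (ActiveDirectory + GroupPolicy modules).
Import-Module ActiveDirectory

# Split a gPCUserExtensionNames / gPCMachineExtensionNames value into the GUIDs it lists.
function Get-GPOExtensionGuid {
    param([AllowEmptyString()][string]$ExtensionNames)
    [regex]::Matches($ExtensionNames, '\{[0-9A-Fa-f-]{36}\}') |
        ForEach-Object { $_.Value.ToUpper() } | Select-Object -Unique
}

# Search AD for GPOs whose user or computer extension list contains a given extension GUID.
function Find-GPOWithExtension {
    param(
        [Parameter(Mandatory=$true)][ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')][string]$ExtensionGuid,
        [ValidateSet('User','Computer')][string]$Scope = 'User'
    )
    $attr = if ($Scope -eq 'User') { 'gPCUserExtensionNames' } else { 'gPCMachineExtensionNames' }
    # An LDAP filter sidesteps the quoting pitfalls of braces inside a -Filter script block.
    $ldap = "(&(objectClass=groupPolicyContainer)($attr=*$ExtensionGuid*))"
    Get-ADObject -LDAPFilter $ldap -Properties displayName, whenCreated, $attr |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName = $_.displayName
                Guid        = $_.Name.Trim('{}')   # Get-GPO / Get-GPOReport want the GUID without braces
                Created     = $_.whenCreated
                Extensions  = @(Get-GPOExtensionGuid -ExtensionNames ([string]$_.$attr))
            }
        }
}

# Offline check of the parser on a constructed attribute value (second GUID is a placeholder).
$FolderRedirection = '{25537BA6-77A8-11D2-9B6C-0000F8080861}'
$sample = '[{25537BA6-77A8-11D2-9B6C-0000F8080861}{00000000-0000-0000-0000-000000000001}]'
$parsed = @(Get-GPOExtensionGuid -ExtensionNames $sample)
"Sample lists folder redirection: $($parsed -contains $FolderRedirection)"   # True

# Live search: every GPO with user-side Folder Redirection configured, plus an HTML report per GPO.
$hits = @(Find-GPOWithExtension -ExtensionGuid $FolderRedirection -Scope User)
$hits | Format-Table DisplayName, Guid, Created
if ($hits.Count -gt 0) {
    Import-Module GroupPolicy
    New-Item -ItemType Directory -Path 'C:\export' -Force | Out-Null
    foreach ($gpo in $hits) {
        Get-GPOReport -Guid $gpo.Guid -ReportType Html -Path ("C:\export\{0}.html" -f $gpo.DisplayName)
    }
}
```

Swapping -Scope Computer and another GUID from the article's table gives the computer configuration search, and the Extensions property shows every other extension enabled on each matching GPO.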
