Microsoft’s official Group Policy blog
I mentioned this in the last post; here are some more examples. To download the script, check the 'Attachments' link by clicking on this post's title and then scrolling to the bottom. Quick refresher:
This script’s usage is as follows:
SearchGPOsForSetting.ps1 [-IsComputerConfiguration] <Boolean> [-Extension] <String> [-Where] <String> [-Is] <String> [[-Return] <String>] [[-DomainName] <String>]
[-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]
Notes: To get all the inputs correct, you may first have to open the XML of a GPO that has the setting you want to search for. DomainName is an optional parameter; if you do not specify a domain, the script uses the domain of the current context.
Let’s look at some more examples!
Example 3: Are there any logon scripts?
If you just want to find the GPOs in your domain that have a specific logon script, you can omit the -Return parameter:
<ExtensionData>
  <Extension xmlns:q5="http://www.microsoft.com/GroupPolicy/Settings/Scripts" xsi:type="q5:Scripts">
    <q5:Script>
      <q5:Command>\\myserver\myshare\myLogonScript.ps1</q5:Command>
      <q5:Type>Logon</q5:Type>
      <q5:Order>0</q5:Order>
      <q5:RunOrder>PSNotConfigured</q5:RunOrder>
    </q5:Script>
  </Extension>
  <Name>Scripts</Name>
</ExtensionData>
PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $false -Extension Scripts -Where Command -Is \\myserver\myshare\myLogonScript.ps1
The Gpo 'simpleGpo' has a Scripts setting where 'Command' is equal to '\\myserver\myshare\myLogonScript.ps1'
Example 4: Group Policy Preferences
If I wanted to see all my URL shortcuts in User policy:
<ExtensionData>
  <Extension xmlns:q5="http://www.microsoft.com/GroupPolicy/Settings/Shortcuts" xsi:type="q5:ShortcutSettings">
    <q5:ShortcutSettings clsid="{872ECB34-B2EC-401b-A585-D32574AA90EE}">
      <q5:Shortcut clsid="{4F2F7C55-2790-433e-8127-0739D1CFA327}" userContext="1" name="MS" status="MS" image="0" changed="2009-04-10 21:39:08" uid="{8D545947-9080-446D-A5C8-8E447407C7AF}">
        <q5:GPOSettingOrder>1</q5:GPOSettingOrder>
        <q5:Properties pidl="" targetType="URL" action="C" comment="" shortcutKey="0" startIn="" arguments="" iconIndex="13" targetPath="http://www.microsoft.com/" iconPath="%SystemRoot%\system32\SHELL32.dll" window="" shortcutPath="%DesktopDir%\MS" />
        <q5:Filters />
      </q5:Shortcut>
    </q5:ShortcutSettings>
  </Extension>
  <Name>Shortcuts</Name>
</ExtensionData>
PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $false -Extension Shortcuts -Where targetType -Is URL -Return targetPath
The Gpo 'simpleGpo' has a Shortcuts setting where 'targetType' is equal to 'URL' and the value of its 'targetPath' property is: 'http://live.com'
The Gpo 'gpoB' has a Shortcuts setting where 'targetType' is equal to 'URL' and the value of its 'targetPath' property is: 'http://www.microsoft.com'
The Gpo 'gpoA' has a Shortcuts setting where 'targetType' is equal to 'URL' and the value of its 'targetPath' property is: 'http://www.msdn.com'
Example 5: Find all the open firewall ports
<ExtensionData>
  <Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/WindowsFirewall" xsi:type="q2:WindowsFirewallSettings">
    <q2:GlobalSettings>
      <q2:PolicyVersion>
        <q2:Value>522</q2:Value>
      </q2:PolicyVersion>
    </q2:GlobalSettings>
    <q2:InboundFirewallRules>
      <q2:Version>2.10</q2:Version>
      <q2:Action>Allow</q2:Action>
      <q2:Name>open port 448</q2:Name>
      <q2:Dir>In</q2:Dir>
      <q2:LPort>448</q2:LPort>
      <q2:Protocol>6</q2:Protocol>
      <q2:Active>true</q2:Active>
    </q2:InboundFirewallRules>
  </Extension>
  <Name>Windows Firewall</Name>
</ExtensionData>
PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $true -Extension WindowsFireWall -Where Action -Is Allow -Return LPort
The Gpo 'gpoA' has a WindowsFireWall setting where 'Action' is equal to 'Allow' and the value of its 'LPort' property is: '448'
The Gpo 'gpoB' has a WindowsFireWall setting where 'Action' is equal to 'Allow' and the value of its 'LPort' property is: '80'
Note: Under the hood, I use XPath and XmlNamespaceManager to find the XML for the specific extension you passed in, and then I perform a recursive search of the XML underneath it for the property you specified with $Where that has the value you specified with $Is. Once it finds a match, if you specified a $Return parameter, it searches for that property and returns its value.
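The lookup described in the note, as an added example that is not the attached script's code: it runs against a constructed report fragment modeled on Example 5, and the helper names (Get-SettingValue, Find-Setting), the root GPO and Computer elements, and the Block rule are assumptions for illustration. It also covers both shapes seen in the examples above, a property stored as a child element (Action) or as an attribute (targetType).

```powershell
# Constructed sample modeled on Example 5; not real domain data.
[xml]$report = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Name>gpoA</Name>
  <Computer><ExtensionData>
    <Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/WindowsFirewall"
               xsi:type="q2:WindowsFirewallSettings">
      <q2:InboundFirewallRules>
        <q2:Action>Allow</q2:Action><q2:LPort>448</q2:LPort>
      </q2:InboundFirewallRules>
      <q2:InboundFirewallRules>
        <q2:Action>Block</q2:Action><q2:LPort>23</q2:LPort>
      </q2:InboundFirewallRules>
    </Extension>
    <Name>Windows Firewall</Name>
  </ExtensionData></Computer>
</GPO>
'@

# Hypothetical helper: a setting may be an attribute (targetType) or a child element (Action).
function Get-SettingValue($Node, [string]$Name) {
    if ($Node.HasAttribute($Name)) { return $Node.GetAttribute($Name) }
    $child = $Node.ChildNodes | Where-Object { $_.LocalName -eq $Name } | Select-Object -First 1
    if ($child) { return $child.InnerText }
}

# Hypothetical helper: depth-first search for nodes whose $Where property equals $Is.
function Find-Setting($Node, $Where, $Is, $Return) {
    if ($Node.NodeType -ne 'Element') { return }
    if ((Get-SettingValue $Node $Where) -eq $Is) {
        $value = if ($Return) { Get-SettingValue $Node $Return }
        [pscustomobject]@{ Where = $Where; Is = $Is; Returned = $value }
    }
    foreach ($c in $Node.ChildNodes) { Find-Setting $c $Where $Is $Return }
}

# Bind a prefix to the report's default namespace so XPath can address its elements.
$ns = New-Object System.Xml.XmlNamespaceManager($report.NameTable)
$ns.AddNamespace('gp', 'http://www.microsoft.com/GroupPolicy/Settings')
$xpath = "/gp:GPO/gp:Computer/gp:ExtensionData[gp:Name='Windows Firewall']/gp:Extension"
foreach ($ext in $report.SelectNodes($xpath, $ns)) {
    Find-Setting $ext 'Action' 'Allow' 'LPort'   # emits one object for the Allow rule only
}
```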
I hope you enjoy working with this script. Let me know what other interesting and compelling scenarios you use this for in the comment section. Also, if you re-work it to fit your own need, post it back here and explain what you did and why.
Can't wait to see what you come up with,
Lindsay Harris, Group Policy Software Developer
PowerShell works nicely with GPOs, but what about PowerShell and Advanced Group Policy Management?
How can I marry them together?
Regards,
Kazimierz Popinski
Hey Kazimierz - Thanks for asking. AGPM does not have any PowerShell work planned for the next release.
What sort of cmdlets would you be interested in seeing available for AGPM?
LiliaG, Group Policy PM