Performancing Metrics

Check a setting in all GPO's continued (scripts, firewall, GP Preferences and more) - Group Policy Team Blog - Site Home - TechNet Blogs

Check a setting in all GPO's continued (scripts, firewall, GP Preferences and more)

Check a setting in all GPO's continued (scripts, firewall, GP Preferences and more)

  • Comments 3
  • Likes

 I mentioned this in the last post, here are some more examples.  To download the script, check the 'Attachments' link by clicking on this post's title and then scrolling to the bottom. Quick refresher:

 

This script’s usage is as follows:

 

SearchGPOsForSetting.ps1 [–IsComputerConfiguration] <Boolean> [-Extension] <String> [-Where] <String> [-Is] <String> [[-Return] <String>] [[-DomainName] <String>]

[-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

 

Notes: In order to get all the inputs correct you may have to open up the XML once of a GPO that has the setting you want to search for.  DomainName is an optional parameter (if you do not specify a domain, it will use the domain of the current context).

 

 

Lets look at some more examples!

 

 

Example 3: Are there any logon scripts?

 

If you just want to find the GPOs in your domain that have a specific logon script, you can omit the -Return parameter

     

clip_image006

 

<ExtensionData>

<Extension xmlns:q5="http://www.microsoft.com/GroupPolicy/Settings/Scripts" xsi:type="q5:Scripts">

<q5:Script>

            <q5:Command>\\myserver\myshare\myLogonScript.ps1</q5:Command>

            <q5:Type>Logon</q5:Type>

            <q5:Order>0</q5:Order>

            <q5:RunOrder>PSNotConfigured</q5:RunOrder>

</q5:Script>

</Extension>

<Name>Scripts</Name>

        </ExtensionData>

 

              

    PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $false -Extension Scripts -Where Command -Is \\myserver\myshare\myLogonScript.ps1

 

  The Gpo 'simpleGpo' has a Scripts setting where 'Command' is equal to '\\myserver\myshare\myLogonScript.ps1'

 

 

Example 4:  Group Policy Preferences

 

clip_image008 

 

               

If I wanted to see all my URL shortcuts in User policy:

 

<ExtensionData>

<Extension xmlns:q5="http://www.microsoft.com/GroupPolicy/Settings/Shortcuts" xsi:type="q5:ShortcutSettings">

<q5:ShortcutSettings clsid="{872ECB34-B2EC-401b-A585-D32574AA90EE}">

<q5:Shortcut clsid="{4F2F7C55-2790-433e-8127-0739D1CFA327}" userContext="1" name="MS" status="MS" image="0" changed="2009-04-10 21:39:08" uid="{8D545947-9080-446D-A5C8-8E447407C7AF}">

<q5:GPOSettingOrder>1</q5:GPOSettingOrder>

<q5:Properties pidl="" targetType="URL" action="C" comment="" shortcutKey="0" startIn="" arguments="" iconIndex="13" targetPath="http://www.microsoft.com/" iconPath="%SystemRoot%\system32\SHELL32.dll" window="" shortcutPath="%DesktopDir%\MS" />

<q5:Filters />

</q5:Shortcut>

</q5:ShortcutSettings>

</Extension>

<Name>Shortcuts</Name>

</ExtensionData>

 

 

PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $false -Extension Shortcuts -Where targetType -Is URL -Return targetPath

 

The Gpo 'simpleGpo' has a Shortcuts setting where 'targetType' is equal to 'URL' and the value of its 'targetPath' property is: 'http://live.com'

The Gpo 'gpoB' has a Shortcuts setting where 'targetType' is equal to 'URL' and the value of its 'targetPath' property is: 'http://www.microsoft.com'

The Gpo 'gpoA' has a Shortcuts setting where 'targetType' is equal to 'URL' and the value of its 'targetPath' property is: 'http://www.msdn.com'

 

 

 

 

Example 5:  Find all the open firewall ports

               

<ExtensionData>

<Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/WindowsFirewall" xsi:type="q2:WindowsFirewallSettings">

<q2:GlobalSettings>

<q2:PolicyVersion>

<q2:Value>522</q2:Value>

</q2:PolicyVersion>

</q2:GlobalSettings>

<q2:InboundFirewallRules>

<q2:Version>2.10</q2:Version>

<q2:Action>Allow</q2:Action>

<q2:Name>open port 448</q2:Name>

<q2:Dir>In</q2:Dir>

<q2:LPort>448</q2:LPort>

<q2:Protocol>6</q2:Protocol>

<q2:Active>true</q2:Active>

</q2:InboundFirewallRules>

</Extension>

<Name>Windows Firewall</Name>

</ExtensionData>

 

    

PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $true -Extension WindowsFireWall -Where Action -Is Allow -Return LPort

 

The Gpo 'gpoA' has a WindowsFireWall setting where 'Action' is equal to 'Allow' and the value of its 'LPort' property is: '448'

The Gpo 'gpoB' has a WindowsFireWall setting where 'Action' is equal to 'Allow' and the value of its 'LPort' property is: '80'

 

 

 Note: Under the hood I am using XPath and XmlNamespaceManager, to find the xml for the Specific extension you passed in and then I perform a recursive search of the xml underneath that for the Property you specified with $Where that has the value you specified with $Is.  Then, once it finds that, if you specified a $Return parameter it will search for that property to return the value it has. 

 

I hope you enjoy working with this script. Let me know what other interesting and compelling scenarios you use this for in the comment section. Also, if you re-work it to fit your own need, post it back here and explain what you did and why. 

 

Can't wait to see what you come up with, 

 Lindsay Harris, Group Policy Software Developer

Attachment: SearchGPOsForSetting.ps1
Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • The Power Shell works nice with GPOs, but what about Power Shell and the Advanced Group Policy Management.

    How can I married them together?

    Regards,

    Kazimierz Popinski

  • Hey Kazimierz - Thanks for asking. AGPM does not have any PowerShell work planned for the next release.

    What sort of cmdlets would you be interested in seeing available for AGPM?

    LiliaG, Group Policy PM

  • Want to see what firewall ports you’ve configured on every GPO in your domain in under 10 seconds? Want