{"id":17751,"date":"2010-07-15T00:01:00","date_gmt":"2010-07-15T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2010\/07\/15\/hey-scripting-guy-how-can-i-connect-two-group-policy-objects-in-active-directory-and-compare-them-offline-part-1\/"},"modified":"2010-07-15T00:01:00","modified_gmt":"2010-07-15T00:01:00","slug":"hey-scripting-guy-how-can-i-connect-two-group-policy-objects-in-active-directory-and-compare-them-offline-part-1","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-connect-two-group-policy-objects-in-active-directory-and-compare-them-offline-part-1\/","title":{"rendered":"Hey, Scripting Guy! How Can I Connect Two Group Policy Objects in Active Directory and Compare Them Offline? (Part 1)"},"content":{"rendered":"

 <\/p>\n

\"Hey,<\/p>\n

Hey, Scripting Guy! I need to be able to connect to two Group Policy<\/a> objects (GPOs) in Active Directory<\/a> and make an offline copy of the GPOs using Windows PowerShell 2.0<\/a> so that I can compare the two objects. I know I can do this using the Group Policy Management Console, but I have several hundred GPOs in my domain and I do not have the time to go through the GUI and click-click-click. I would prefer to be able to script this operation using Windows PowerShell, if possible. Ideas?<\/p>\n

— SV<\/p>\n

 <\/p>\n

\"Hey,<\/p>\n

Hello SV, <\/p>\n

Microsoft Scripting Guy Ed Wilson here. One of the cool things about Windows PowerShell is that when one thing does not work, often a different approach can be taken that will work. Such was my experience this week while trying to answer your question. There are many graphical tools available that will allow you to compare two XML files. One such tool is XML Notepad<\/a>, which is free from Microsoft. But there are relatively few programmatic tools one can use. When searching MSDN, I came across a really old package called the XML Diff and Patch Tool<\/a> that looks like it might be fun. The problem is that, when attempting to install it on Windows 7<\/a>, it complains the .NET Framework 1.1<\/a> is not installed; I did not feel like downloading, installing, and patching a six-year-old version of the .NET Framework. <\/p>\n

\n

Note<\/strong>: This is part one of a two-part article. Part two will be posted tomorrow.<\/p>\n<\/blockquote>\n

I then began to look at Language-Integrated Query<\/a> (LINQ<\/a>) and LINQ to XML<\/a>. LINQ builds data query language capabilities directly into the programing language (such as C#<\/a> or VB.Net<\/a>) and therefore it makes data query as easy as querying<\/a> a WMI<\/a> class in Windows PowerShell 2.0. While there are a number of LINQ .NET Framework classes that can be used in Windows PowerShell 2.0 in the System.XML.LINQ<\/a> .NET Framework namespace, the ability to use or to create a LINQ query does not appear. I guess I could have used the Add-Type<\/strong> trick and executed native C# code, but SV, I did not want to do that for your script if I could avoid it. In the end, I decided to use Windows PowerShell directly to perform this operation. <\/p>\n

SV, you can download all of the GPOs in your domain in a single command directly from the Windows PowerShell console. You will need to first import the Group Policy module<\/a>. Then you can run your command as shown here: <\/p>\n

 <\/p>\n

PS<\/span> <\/span>C:\\><\/span> <\/span>Import-Module<\/span> <\/span>group<\/span>*<\/span> <\/p>\n

<\/span>PS<\/span> <\/span>C:\\><\/span> <\/span>Get-GPOReport<\/span> <\/span>-All<\/span> <\/span>-Path<\/span> <\/span>c:\\fso\\allgporeport.xml<\/span> <\/span>-ReportType<\/span> <\/span>xml<\/span> <\/p>\n

<\/span>PS<\/span> <\/span>C:\\><\/span>
<\/span><\/div>\n

After the Group Policy report has been saved, it can be opened in XML Notepad and viewed, as shown in the following image.<\/p>\n

\"Image <\/a><\/p>\n

SV, because you stated you wished to create offline representations of all your GPOs so that you would be able to more easily compare them to each other, I decided to create a small script to perform this operation. (The command could also be typed on a single line in the Windows PowerShell console. In fact, this is the way I developed the “script.”) The Get-XMLForEachGPO.ps1 script<\/a> is shown just below. It begins by getting a list of all the GPOs in the domain, using the Get-GPO<\/strong> cmdlet. The returned objects are all instances of the Microsoft.Grouppolicy.Gpo .NET Framework class<\/a>. The Microsoft.GroupPolicy namespace<\/a> contains a number of really cool classes that can be used from within Windows PowerShell scripts. The ForEach-Object cmdlet<\/a> cmdlet is used in the pipeline<\/a> to allow you to work with each GPO. The Join-Path<\/strong> cmdlet is used to create the path to store the outputted XML report. Inside the pipeline, the Get-GPOReport<\/strong> cmdlet obtains the XML report for each<\/a> of the GPO objects. The Get-XMLForEachGPO.ps1 script is shown here. <\/p>\n

Get-XMLForEachGPO.ps1<\/strong><\/p>\n

<\/strong><\/p>\n

$path<\/span> <\/span>=<\/span> “c:\\fso” <\/p>\n

<\/span>get-gpo<\/span> <\/span>-All<\/span> <\/span>|<\/span>  <\/p>\n

<\/span>ForEach-Object<\/span> <\/span>{<\/span>  <\/p>\n

<\/span>Get-GPOReport<\/span> <\/span>-Name<\/span> <\/span>$_<\/span>.displayname<\/span> <\/span>-ReportType<\/span> <\/span>xml<\/span> <\/span>`<\/span> <\/p>\n

<\/span>-Path<\/span> <\/span>(<\/span>join-path<\/span> <\/span>-Path<\/span> <\/span>$path<\/span> <\/span>-ChildPath<\/span> “$($_.displayname).xml”<\/span>)<\/span> <\/span>}<\/span> <\/div>\n

 <\/p>\n

The Compare-GPO.ps1 script begins by creating several command-line parameters. The first is the domain name and the second is the server that you wish to contact in order to retrieve the GPOs. The $gponame<\/strong> variable holds a single string that contains the name of the two GPOs you wish to compare. As shown here, a comma separates the GPO names:<\/p>\n

[string]<\/span>$gponame<\/span> <\/span>=<\/span> “aTestOuGPO,AnotherTestOuGPO”<\/span> <\/p>\n

The GPO name you use is the one shown in the Group Policy Management Console in the following image.<\/p>\n

\"Image<\/a> <\/p>\n

The folder parameter holds the destination for the GPOs. Two switched parameters, $computer<\/strong> and $user<\/strong>, are used to compare either the computer portion, the user portion, or both portions of the GPO. The command-line parameters are shown here:<\/p>\n

 <\/p>\n

Param(<\/span> <\/p>\n

<\/span>[string]<\/span>$domain<\/span> <\/span>=<\/span>“nwtraders.com”<\/span>,<\/span> <\/p>\n

<\/span>[string]<\/span>$server<\/span> <\/span>=<\/span> “dc1.nwtraders.com”<\/span>,<\/span> <\/p>\n

<\/span>[string]<\/span>$gponame<\/span> <\/span>=<\/span> “aTestOuGPO,AnotherTestOuGPO”<\/span>,<\/span> <\/p>\n

<\/span>[string]<\/span>$folder<\/span> <\/span>=<\/span> “c:\\fso”<\/span>,<\/span> <\/p>\n

<\/span>[switch]<\/span>$user<\/span>,<\/span> <\/p>\n

<\/span>[switch]<\/span>$computer<\/span> <\/p>\n

<\/span>)<\/span> <\/div>\n

 <\/p>\n

The first function that is added to the script is the Get-MyModule<\/strong> function that was discussed in a Weekend Scripter<\/a> article called Checking for Module Dependencies in Windows PowerShell<\/a>. The use of the Get-MyModule<\/strong> function to check for the GroupPolicy<\/strong> module is discussed in the Hey, Scripting Guy! Blog post, Can You Get Me Going on Windows PowerShell Cmdlets for Group Policy?<\/a> The Get-MyModule<\/strong> function will therefore not be discussed here:<\/p>\n

 <\/p>\n

Function<\/span> <\/span>Get-MyModule<\/span> <\/p>\n

<\/span>{<\/span> <\/p>\n

<\/span>Param([string]<\/span>$name<\/span>)<\/span> <\/p>\n

<\/span>if<\/span>(<\/span>-not<\/span>(Get-Module<\/span> <\/span>-name<\/span> <\/span>$name<\/span>))<\/span>  <\/p>\n

<\/span>{<\/span>  <\/p>\n

<\/span>if<\/span>(Get-Module<\/span> <\/span>-ListAvailable<\/span> <\/span>|<\/span>  <\/p>\n

<\/span>Where-Object<\/span> <\/span>{<\/span> <\/span>$_<\/span>.name<\/span> <\/span>-eq<\/span> <\/span>$name<\/span> <\/span>})<\/span> <\/p>\n

<\/span>{<\/span>  <\/p>\n

<\/span>Import-Module<\/span> <\/span>-Name<\/span> <\/span>$name<\/span>  <\/p>\n

<\/span>$true<\/span> <\/p>\n

<\/span>}<\/span> <\/span>#<\/span>end<\/span> <\/span>if<\/span> <\/span>module<\/span> <\/span>available<\/span> <\/span>then<\/span> <\/span>import<\/span> <\/p>\n

<\/span>else<\/span> <\/span>{<\/span> <\/span>$false<\/span> <\/span>}<\/span> <\/span>#<\/span>module<\/span> <\/span>not<\/span> <\/span>available<\/span> <\/p>\n

<\/span>}<\/span> <\/span>#<\/span> <\/span>end<\/span> <\/span>if<\/span> <\/span>not<\/span> <\/span>module<\/span> <\/p>\n

<\/span>else<\/span> <\/span>{<\/span> <\/span>$true<\/span> <\/span>}<\/span> <\/span>#<\/span>module<\/span> <\/span>already<\/span> <\/span>loaded<\/span> <\/p>\n

<\/span>}<\/span> <\/span>#<\/span>end<\/span> <\/span>function<\/span> <\/span>get-MyModule<\/span>
<\/span><\/div>\n

You can modify the Get-XMLForEachGPO.ps1 script seen earlier to retrieve an XML report for the two specified GPOs, or you can use the Get-GPOAsXML<\/strong> function. The reason for the Get-GPOAsXML<\/strong> function is that it offers more flexibility than the Get-XMLForEachGPO.ps1 script. The Get-GPOAsXML<\/strong> function begins by defining the $gponame<\/strong> variable as an array of strings. When the script is called, the $gponame<\/strong> variable at the script level is a single string and is therefore not an array. However, when the Get-GPOAsXML<\/strong> function is called, the single string is split and therefore it becomes an array. The domain, server, and folder variables are the same as the ones from the beginning of the script. The Param<\/strong> section of the function is shown here:<\/p>\n

 <\/p>\n

Function<\/span> <\/span>Get-GPOAsXML<\/span> <\/p>\n

<\/span>{<\/span> <\/p>\n

<\/span>Param(<\/span> <\/p>\n

<\/span>[string[]]<\/span>$gponame<\/span>,<\/span> <\/p>\n

<\/span>[string]<\/span>$domain<\/span>,<\/span> <\/p>\n

<\/span>[string]<\/span>$server<\/span>,<\/span> <\/p>\n

<\/span>[string]<\/span>$folder<\/span> <\/p>\n

<\/span>)<\/span> <\/div>\n

 <\/p>\n

The $gpoReports<\/strong> variable is initialized and set to $null<\/strong>, and the ForEach<\/strong> statement is used to walk through the GPOs in the $gpoName<\/strong> variable, as shown here:<\/p>\n

 <\/p>\n

$gpoReports<\/span> <\/span>=<\/span> <\/span>$null<\/span> <\/p>\n

<\/span>ForEach<\/span>(<\/span>$gpo<\/span> <\/span>in<\/span> <\/span>$gpoName<\/span>)<\/span> <\/p>\n

<\/span>{<\/span> <\/div>\n

 <\/p>\n

Next, the Join-Path<\/strong> cmdlet is used to create a path to store the XML GPO report. The $gpo<\/strong> variable holds the name of the GPO that is currently being processed, and because an expanding string is used, the value in the $gpo<\/strong> variable will substitute for the variable itself to create a complete path. This is shown here:<\/p>\n

 <\/p>\n

$path<\/span> <\/span>=<\/span> <\/span>Join-Path<\/span> <\/span>-Path<\/span> <\/span>$folder<\/span> <\/span>-ChildPath<\/span> “$gpo.xml”<\/span> <\/div>\n

 <\/p>\n

(Get-GPO<\/span> <\/span>-Name<\/span> <\/span>$gpo<\/span> <\/span>-Domain<\/span> <\/span>$domain<\/span> <\/span>-Server<\/span> <\/span>$server<\/span>).`<\/span> <\/p>\n

<\/span>GenerateReportToFile(<\/span>“xml”<\/span>,<\/span>$path<\/span>)<\/span> <\/div>\n

 <\/p>\n

An array of paths to the GPO reports is created and the array is passed back to the calling code. This is shown here: <\/p>\n

 <\/p>\n

[array]<\/span>$gpoReports<\/span> <\/span>+<\/span> <\/span>$path<\/span> <\/p>\n

<\/span>}<\/span> <\/p>\n

<\/span>Return<\/span> <\/span>$gpoReports<\/span> <\/p>\n

<\/span>}<\/span> <\/span>#<\/span>end<\/span> <\/span>get-gpoasxml<\/span> <\/div>\n

 <\/p>\n

 <\/p>\n

SV, that is all there is to using Windows PowerShell to retrieve an XML representation of a Group Policy object. Group Policy Week will continue tomorrow when we will continue with the Compare-GPO.ps1 script and compare the two XML files. <\/p>\n

We would love for you to follow us on Twitter<\/a> or Facebook<\/a>. If you have any questions, send email to us at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum.<\/a> See you tomorrow. Until then, peace.<\/p>\n

 <\/p>\n

Ed Wilson and Craig Liebendorfer, Scripting Guys<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

  Hey, Scripting Guy! I need to be able to connect to two Group Policy objects (GPOs) in Active Directory and make an offline copy of the GPOs using Windows PowerShell 2.0 so that I can compare the two objects. I know I can do this using the Group Policy Management Console, but I have […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[152,3,45],"class_list":["post-17751","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-group-policy","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"

  Hey, Scripting Guy! I need to be able to connect to two Group Policy objects (GPOs) in Active Directory and make an offline copy of the GPOs using Windows PowerShell 2.0 so that I can compare the two objects. I know I can do this using the Group Policy Management Console, but I have […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/17751","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=17751"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/17751\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=17751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=17751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=17751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

Next the Get-GPO<\/strong> cmdlet is used to retrieve an instance of the Microsoft.GroupPolicy.Gpo<\/strong> class. The GenerateReportToFile method of the GPO class<\/a> is used to create the XML report:<\/p>\n

SV, I wrote a rather long script called Compare-GPO.ps1. I will talk about the first half of the script today and the second half of the script tomorrow. Because the complete script is so long (around 125 lines), I decided to upload it to the Scripting Guys Script Repository<\/a>. <\/p>\n