{"id":4202,"date":"2013-02-07T00:01:00","date_gmt":"2013-02-07T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/02\/07\/use-powershell-to-generate-and-parse-a-group-policy-object-report\/"},"modified":"2013-02-07T00:01:00","modified_gmt":"2013-02-07T00:01:00","slug":"use-powershell-to-generate-and-parse-a-group-policy-object-report","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-generate-and-parse-a-group-policy-object-report\/","title":{"rendered":"Use PowerShell to Generate and Parse a Group Policy Object Report"},"content":{"rendered":"

Summary:<\/strong> Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to generate and parse a Group Policy Object report.<\/span><\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. So, I am working on my MCSE: Server Infrastructure certification and having passed the Installing and Configuring Windows Server 2012 exam (70-410), I am now studying for the Administering Windows Server 2012 exam (70-411). According to the 70-411 exam guidelines<\/a>, 15 to 20 percent of the exam is related to Configuring and Managing Group Policy.<\/p>\n

Note<\/strong>   I have been taking Microsoft Certification exams since my first MCSE (on Windows NT 3.51). The one big tip I can give you is to adhere to the Skills Being Measured (study guide). <\/em>If you see something on the list that you do not understand, look it up on TechNet, search the online Help, and actually perform the task. Luckily, now with Hyper-V, this is much easier. You can learn a lot by clicking through a wizard—much more than just looking at screenshots.<\/p>\n

Anyway, I am spending a lot of time here lately playing around with Group Policy.<\/p>\n

Generating a RSOP report<\/h2>\n

Nearly everyone who has spent any time as a network administrator, or even a Help desk person, has run into situations that demand analyzing Resultant Set of Policy (RSoP). The dreaded situation arises where it seems settings are not being applied that should be applied or settings are applied that should not be applied. The standard tool for troubleshooting this is the GPRESULT command. The syntax of this command always seems a bit confusing, but eventually, I come up with a command that works. This command is shown here.<\/p>\n

gpresult \/r<\/p>\n

Outputting the RSoP report to the Windows PowerShell console does not make for a great troubleshooting experience—everything goes to the console, and this results in a lot of scrolling up and down. This is shown here.<\/p>\n

\"Image<\/a><\/p>\n

One thing that can be done to improve this experience is to output the report to Out-GridView<\/strong>. This is shown here.<\/p>\n

gpresult \/r | Out-GridView<\/p>\n

Even though the output is just plain text, it does not preclude using the Out-GridView<\/strong> cmdlet to parse the results.<\/p>\n

By typing in the filter box on top of the GridView<\/strong> pane, I can filter the text that appears in the bottom. This is a good way to bring some measure of control to the output.<\/p>\n

\"Image<\/a><\/p>\n

XML is a better way to filter the output<\/h2>\n

By using the Windows PowerShell cmdlet Get-GPOReport<\/strong> (from the GroupPolicy module from the RSAT tools), I can gain a bit of flexibility as I dive into a specific Group Policy Object. The Get-GPOReport<\/strong> cmdlet will produce two different types of reports—HTML or XML. The cmdlet also has a –path<\/strong> parameter that I use to specify the path for storing the report. Therefore, to produce a report about the BackupOnLogOff GPO that exists in my domain, I use the following syntax:<\/p>\n

Get-GPOReport -Name backuponlogoff -ReportType html -Path c:\\fso\\backup.html<\/p>\n

I can open the produced report in Internet Explorer. The report is shown here.<\/p>\n

\"Image<\/a><\/p>\n

Of course, generating a report to an HTML file does not help me too much—in fact, it is not much different than writing the output to the Out-GridView<\/strong> cmdlet.<\/p>\n

However, if I do not specify a path, the output returns to the console. Now, obviously, I do not want to write HTML to the Windows PowerShell console; in fact, I do not even want to write XML to the Windows PowerShell console, but what if I store the results in a variable and cast the variable to an XML document? Hmm … might that work?<\/p>\n

Well, as a matter of a fact, it does. Here is the command I use to get a GPO report in XML and store it in a variable as an XMLDocument object.<\/p>\n

[xml]$xml = Get-GPOReport -Name backuponlogoff -ReportType xml<\/p>\n

Note<\/strong>   Keep in mind when exploring the XML document that tab expansion works, and so there is actually very little typing required.<\/p>\n

The main property I like to begin with is the DocumentElement<\/strong>. From this property, I see several objects I can explore. This is shown here.<\/p>\n

13:01 C:\\> $xml.DocumentElement<\/p>\n

xsd                 : http:\/\/www.w3.org\/2001\/XMLSchema<\/p>\n

xsi                 : http:\/\/www.w3.org\/2001\/XMLSchema-instance<\/p>\n

xmlns               : http:\/\/www.microsoft.com\/GroupPolicy\/Settings<\/p>\n

Identifier          : Identifier<\/p>\n

Name                : BackupOnLogOff<\/p>\n

IncludeComments     : true<\/p>\n

CreatedTime         : 2012-02-22T19:19:53<\/p>\n

ModifiedTime        : 2012-02-22T19:19:53<\/p>\n

ReadTime            : 2013-02-05T18:01:33.4004324Z<\/p>\n

SecurityDescriptor  : SecurityDescriptor<\/p>\n

FilterDataAvailable : true<\/p>\n

Computer            : Computer<\/p>\n

User                : User<\/p>\n

LinksTo             : LinksTo<\/p>\n

To see if the GPO is enabled on the Computer or on the User portion, I examine the enabled property from those objects, as shown here.<\/p>\n

13:01 C:\\> $xml.DocumentElement.Computer<\/p>\n

VersionDirectory             VersionSysvol               Enabled<\/p>\n

—————-             ————-               ——-<\/p>\n

0                            0                           true<\/p>\n

The following image shows the commands and the associated output used to obtain the XML report and to parse it.<\/p>\n

\"Image<\/a><\/p>\n

If I want to see the owner, I navigate through the SecurityDescriptor<\/strong> object, as shown here.<\/p>\n

13:01 C:\\> $xml.DocumentElement.SecurityDescriptor.Owner<\/p>\n

xmlns                        SID                         Name<\/p>\n

—–                        —                         —-<\/p>\n

http:\/\/www.microsoft.com\/… SID                         Name<\/p>\n

 <\/p>\n

13:01 C:\\> $xml.DocumentElement.SecurityDescriptor.Owner.Name<\/p>\n

xmlns                                      #text<\/p>\n

—–                                      —–<\/p>\n

http:\/\/www.microsoft.com\/GroupPolicy\/Types IAMMRED\\Domain Admins<\/p>\n

I can also easily see where the GPO links by examining the LinksTo<\/strong> object, as shown here.<\/p>\n

13:02 C:\\> $xml.DocumentElement.LinksTo<\/p>\n

SOMName               SOMPath              Enabled              NoOverride<\/p>\n

——-               ——-              ——-              ———-<\/p>\n

Charlotte             iammred.net\/Charl… true                 false<\/p>\n

Well, that is about it for looking at a GPO report in XML. Join me tomorrow when I will talk about more cool Group Policy stuff.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/strong> <\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to generate and parse a Group Policy Object report. Microsoft Scripting Guy, Ed Wilson, is here. So, I am working on my MCSE: Server Infrastructure certification and having passed the Installing and Configuring Windows Server 2012 exam (70-410), I am now studying for the […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[152,402,3,45],"class_list":["post-4202","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-group-policy","tag-mcse","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to generate and parse a Group Policy Object report. Microsoft Scripting Guy, Ed Wilson, is here. So, I am working on my MCSE: Server Infrastructure certification and having passed the Installing and Configuring Windows Server 2012 exam (70-410), I am now studying for the […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/4202","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=4202"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/4202\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=4202"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=4202"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=4202"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}