• Chris Keim

How to Search all Group Policies for Specific Settings via Powershell (Get-GPOSetting)

Do you need to search all of your group policies to find a setting and do not want to spend a lot of time clicking around? Well, I did. I needed the ability to search either a few or hundreds of group policies to document specific settings. I could do this manually, and if there are only a few group policies that might be fine. But, I needed to search a lot of group policies for numerous settings and I needed this process repeatable without much effort, so I created a script template.




The Get-GPOSetting function searches all group policies in the environment for a specific setting and displays all the group policies that have this setting enabled and the value of this setting. For demonstration purposes, this function searches for the user right add workstations to the domain. This function can be modified to find any configured setting.


PowerShell Script


First, I want to create an array to hold the results as well as export all group policies in XML format and hold them in an object to search

Next, I use ForEach to process each group policy report individually. I also need to convert each of the reports to an XML object.

Now, I need to get to the right area within the XML file. This is one of the places where you will want to modify if you want to find other settings.

If for example you wanted to search all group policies for the CachedLogonsCount setting, the above line would look like:

Or if you wanted to find all software deployed through group policy to a computer, the line would look like:

Now that have an array of group policy items in a variable, I need to find the setting and weed out any other data, so I find that the name is field is what I'm looking for (For other group policy data, this may be different. For instance, finding the setting CachedLogonsCount would look like $objGPOItem.KeyName. You just need to look at a sample group policy XML export to find the correct setting and may have to experiment a little.).

Once I weeded out $null values, I then search for the setting itself. In this case SeMachineAccountPrivilege. I validated this with a quick search on Microsoft's website after reviewing a sample XML group policy export file.

Once I find the setting if enabled in the group policy, I then create an array object and place some information I want. In this case I want the group policy name, the setting that I'm searching for, the SIDs and associated name. Once I have this in an array object, I then commit the array object to the array itself. For other data, these array objects registry key names and values, or paths to MSI files or scripts.

The function then continues through all the group policies in the domain, then when done displays the array as the result.

Have fun!

22 views0 comments