Using PowerShell to Export GPOs to Create a Fancy GPO Report

choubertsprojects


This blog will show you how to use PowerShell and the Group Policy module in Windows 10 to create a fancy GPO report. With this tool, users can view all of their group policy objects at once, with information like which computers have logged into them or what sites they’ve visited.


Have you ever wondered what's going on at your workplace when it comes to Group Policy? You may have a large number of Group Policy objects (GPOs). Keeping track of all the changes made to your Active Directory (AD) domain can be difficult! The good news is that PowerShell can export GPOs and generate some fancy reports.


The Get-GpoReport cmdlet creates GPO reports, ranging from basic text-based reports to full-fledged HTML reports. You may save time and receive crucial insights into what’s going on in your AD infrastructure by automating this report-generation process using PowerShell.

In this article, you’ll learn how to import the GPO module into PowerShell, export GPOs from PowerShell, and connect GPOs to an OU as an example, all of which will eventually lead to some fantastic reports!

The GUI Approach Isn’t Enough

We've had the Group Policy Management Console (GPMC) for a long time. This program is included in the Remote Server Administration Tools (RSAT) package and is deployed by default on all domain controllers.

The GPMC allows you to double-check each policy setting as well as how the policies may affect clients. Consider the GPMC a stand-alone GPO management station for creating, amending, and deleting GPOs.

The primary tool for modifying GPOs is still GPMC. However, improved reporting, troubleshooting, and automation tools are required.

Then there's the Get-GpoReport cmdlet from the Group Policy PowerShell module (part of the RSAT package), which uses PowerShell to export GPOs. This cmdlet can obtain the same information through PowerShell as the GPMC, enabling you to query several GPOs at once and create some excellent reports.

Prerequisites

You’ll be walking through different situations in this blog article. If you want to follow along with the examples, make sure you already have the following:

  • The PowerShell module for Group Policy. If you’re using Windows 10, you can find this by downloading and installing RSAT, or if you’re using Windows Server, you can use the PowerShell command Install-WindowsFeature -Name GPMC. This tutorial assumes you’ve previously installed the PowerShell GPO module.
  • You’re signed in to a computer that belongs to the same AD domain as the GPOs you’ll be querying.
  • You’re using a domain user account with GPO reading permissions on an AD-joined PC. You’ll probably notice the error message below if you’re signed in using a local account.

Error message: The current security context is not associated with an Active Directory domain or forest.

  • You have Internet Explorer (IE) installed on your computer. Unfortunately, the HTML reports generated by Get-GPOReport include ActiveX components, thus you’ll require Internet Explorer to show/collapse certain elements of the reports.

Using Internet Explorer to see HTML reports

Using different browsers to see HTML reports

Making HTML Reports with a Single GPO

Let's imagine you have a single GPO whose settings you'd like to examine (and generate an HTML report from). To do so, you'll need either the GPO's name or the GPO's GUID. Fortunately, Get-GpoReport can locate a GPO by either one and export it using PowerShell.

You’ll need at least three parameters to create a basic HTML report:

  • Guid or Name, to locate the GPO.
  • ReportType, to indicate the kind of report that will be generated (HTML or XML).
  • Path, to specify where the HTML report will be stored.

In your environment, you could have a GPO named AppLocker Publisher Block Rules (EXE). If you know the GPO’s name, as in this example, you can simply provide it in the Name parameter, along with a ReportType of HTML for an HTML (not XML) report and the directory to store the HTML file.

The following example searches the domain for the AppLocker Publisher Block Rules (EXE) GPO, then creates an HTML report and saves it to C:\Temp\AppL-Report.html.

    Get-GPOReport -Name 'AppLocker Publisher Block Rules (EXE)' -ReportType 'HTML' -Path 'C:\Temp\AppL-Report.html'

You could also use the Guid parameter to locate the GPO, but this takes an additional step, as in the example below.

    $guid = (Get-GPO -Name 'AppLocker Publisher Block Rules (EXE)').Id
    Get-GPOReport -Guid $guid -ReportType 'HTML' -Path 'C:\Temp\AppL-Report.html'

You may examine the report after it’s been prepared by opening it in your preferred browser.

All GPOs: Creating HTML Reports

You might want to create a domain-wide report for GPOs. In that situation, you'll need to use the All parameter to query all GPOs in the domain.

The command below is the same one used to have PowerShell export GPOs, but instead of specifying a single GPO using the Name or Guid parameters, you use the All parameter to find them all.

    Get-GPOReport -All -ReportType Html -Path 'C:\Temp\All-GPOs.html'

When invoked in an AD environment, the Get-GPOReport cmdlet reads GPOs from the domain controller (DC) specified by the Server parameter. If no Server is specified, the cmdlet defaults to the DC holding the PDC Emulator role.

Exporting GPOs using PowerShell: XML

After you’ve added the GPO module to PowerShell, you can use Get-GPOReport to do more than simply export GPOs and produce HTML reports. You may also generate XML reports. If you want to produce an XML report for a certain GPO, for example, all you have to do is change the ReportType parameter’s value from HTML to XML.

The sample below uses an existing GPO named Google Chrome to query it, generate an XML report, and open it using Invoke-Item in the default app for the XML file (probably your default browser).

    # Save the GPO's XML report as an XML file.
    Get-GPOReport -Name 'Google Chrome' -ReportType Xml -Path 'C:\Temp\GoogleChromeGpReport.xml'
    # Open the XML file
    Invoke-Item -Path 'C:\Temp\GoogleChromeGpReport.xml'

When you’re done, you’ll see the XML file that was created below.

The first thing you'll notice is that the GPO XML node contains everything. Identifier (the GPO GUID), Name (the GPO name), IncludeComments, SecurityDescriptor, SDDL, and a lot more information can be found there.

Get-GpoReport returns an XML report.

Investigating the GPO XML Report

Apart from the format, what distinguishes this XML report from HTML? The attributes in the XML report are the same as in the HTML report, but they are more organized and easier to understand (not for the human eye, but for an automation tool like PowerShell).

The XML report's XML nodes

  • VersionDirectory – This XML node displays the Active Directory database version of the GPO.
  • VersionSysvol – This XML node displays the GPO version in SYSVOL.
  • Enabled — This XML node specifies whether or not the GPO’s Computer and User sections are enabled. The Group Policy processing engine on the client computer will not implement the settings in the appropriate section of the GPO if this option is deactivated.

When you make a modification to a GPO, the policy’s version (computer or user) goes up. This enables the Group Policy processing engine to determine when a policy has changed and when new settings should be applied. This behavior enables you to execute gpupdate.exe without having to use the /force switch once a GPO has been altered.

These GPO properties will appear in the GPMC, as seen below.

The GPO version (for AD and SYSVOL) as well as its state may be seen in the GPMC (Disabled, Disabled for Computer, Disabled for User, or Enabled).

All of these settings are critical for the consistency of GPOs and the speed with which GPOs are processed on client PCs.

A discrepancy between what’s seen in the GPMC and what’s stored in SYSVOL is indicated by a difference between the values of VersionDirectory and VersionSysvol. Detecting such inconsistencies may save you a lot of time and effort when debugging GPOs.

Even if there are no settings, a policy with VersionDirectory and VersionSysvol equal to 0 but Enabled set to true will be processed by the client. Disabling the related section of the GPO tells the processing engine that the section does not need to be applied. This will have little effect on the performance of a fast computer connected to a decently fast network, but it may save valuable seconds when there are numerous such GPOs, especially on slower networks.

The processing engine on the client machine will not apply a policy with VersionDirectory and VersionSysvol (ideally identical and) greater than 0 but Enabled set to false. This might be on purpose, but it’s worth investigating since you could be wondering why certain settings aren’t working.

With a basic understanding of GPO internals, you may use Get-GPOReport to check for these settings directly by referencing a property instead of going via the GPMC.

Perhaps you simply want to look at select settings in a GPO, or perhaps you'll ultimately use PowerShell to find the GPOs linked to an OU without needing to write a report. In that case, omit the Path parameter. There is no Path parameter in the example below, and the output is cast to [xml].

    [xml]$GpoXml = Get-GPOReport -Name 'YourGPOName' -ReportType Xml

Once the XML output of Get-GPOReport has been cast to an XML object, you can reference its properties using simple dot notation.

    # Check the version information for the Computer section of the GPO.
    $GpoXml.GPO.Computer
    # Check the version information for the User section of the GPO.
    $GpoXml.GPO.User

The GPO components' computer and user versions, as well as their state (Computer and User).

Is it necessary to locate certain properties for all GPOs in a domain? It’s no issue. Using the All option, add a foreach loop to cycle across each GPO output.

    # Get a list of all GPOs (but not all GPO reports!)
    $AllGpos = Get-GPO -All
    # Create a custom object that holds the version and enabled state of each GPO component.
    $GpoVersionInfo = foreach ($g in $AllGpos) {
        [xml]$Gpo = Get-GPOReport -ReportType Xml -Guid $g.Id
        [PSCustomObject]@{
            "Name"     = $Gpo.GPO.Name
            "Comp-Ad"  = $Gpo.GPO.Computer.VersionDirectory
            "Comp-Sys" = $Gpo.GPO.Computer.VersionSysvol
            "Comp Ena" = $Gpo.GPO.Computer.Enabled
            "User-Ad"  = $Gpo.GPO.User.VersionDirectory
            "User-Sys" = $Gpo.GPO.User.VersionSysvol
            "User Ena" = $Gpo.GPO.User.Enabled
        }
    }
    # Look at the outcome.
    $GpoVersionInfo | Sort-Object Name | Format-Table -AutoSize -Wrap

All GPO components (Computer and User) in the AD Domain, including their versions and status.
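
The three conditions described earlier (AD and SYSVOL versions that differ, an empty section left enabled, a populated section that is disabled) can be flagged automatically instead of read off a table. This is an added example, not code from the original article; Test-GpoVersionState and New-SampleGpoReport are hypothetical names, and the sample reports are constructed so the check runs without a domain.

```powershell
# Added example: constructed sample data, trimmed to the nodes the check reads.
# New-SampleGpoReport and Test-GpoVersionState are hypothetical names.
function New-SampleGpoReport {
    param($Name, $Comp, $User)   # $Comp / $User: VersionDirectory, VersionSysvol, Enabled
    $t = '<{0}><VersionDirectory>{1}</VersionDirectory>' +
         '<VersionSysvol>{2}</VersionSysvol><Enabled>{3}</Enabled></{0}>'
    [xml]("<GPO><Name>$Name</Name>" +
          ($t -f 'Computer', $Comp[0], $Comp[1], $Comp[2]) +
          ($t -f 'User', $User[0], $User[1], $User[2]) + '</GPO>')
}

function Test-GpoVersionState {
    param([Parameter(Mandatory)][xml]$Report)
    foreach ($section in 'Computer', 'User') {
        $node = $Report.GPO.$section
        $ad   = [int]$node.VersionDirectory
        $sys  = [int]$node.VersionSysvol
        # Enabled is the text 'true' or 'false'; a [bool] cast of 'false' would be $true.
        $on   = $node.Enabled -eq 'true'
        if     ($ad -ne $sys)            { $finding = 'AD and SYSVOL versions differ' }
        elseif ($ad -eq 0 -and $on)      { $finding = 'Empty section is still enabled' }
        elseif ($ad -gt 0 -and -not $on) { $finding = 'Section has settings but is disabled' }
        else                             { continue }   # nothing to report for this section
        [PSCustomObject]@{
            Name = $Report.GPO.Name; Section = $section
            AD = $ad; Sysvol = $sys; Enabled = $on; Finding = $finding
        }
    }
}

# Constructed GPOs covering the healthy case and each of the three findings.
$samples = @(
    @{ Name = 'Baseline';      Comp = 4, 4, 'true';  User = 0, 0, 'false' }
    @{ Name = 'Google Chrome'; Comp = 0, 0, 'true';  User = 7, 7, 'true'  }
    @{ Name = 'Old Lockdown';  Comp = 3, 3, 'false'; User = 0, 0, 'false' }
    @{ Name = 'Drive Maps';    Comp = 9, 8, 'true';  User = 0, 0, 'false' }
)
$findings = foreach ($s in $samples) { Test-GpoVersionState (New-SampleGpoReport @s) }
$findings | Sort-Object Name | Format-Table -AutoSize

# Against a live domain, pass real reports instead of the samples:
#   Get-GPO -All | ForEach-Object {
#       Test-GpoVersionState ([xml](Get-GPOReport -Guid $_.Id -ReportType Xml))
#   }
```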

Parsing XML GPO Reports in-Depth

You may obtain insight into many different elements of your GPOs via the XML output that Get-GPOReport gives. Looking at the $GPOXML.GPO.Computer and $GPOXML.GPO.User properties from the previous example, you’ll see an ExtensionData property, as shown below.

Extension Data is included in the GPO's User section.

If you look at the XML report created previously using the Path parameter, you'll notice that ExtensionData includes the settings declared in the GPO. The ExtensionData XML node refers to the GPO's numerous settings.

ExtensionData's content, highlighted

You can start building your own reports based on the XML data by accessing these XML nodes using PowerShell, as demonstrated below. This example runs over each user policy setting in the Google Chrome GPO, returning only the Name, State, and Supported properties.

    # Get the GPO GUID (just like above)
    $Id = (Get-GPO -DisplayName 'Google Chrome').Id
    # Save the result in an [xml] variable
    [xml]$GpoXml = Get-GPOReport -Guid $Id -ReportType Xml
    # Create a custom object that only contains the policy "fields" we care about.
    $PolicyDetails = foreach ($p in $GpoXml.GPO.User.ExtensionData.Extension.Policy) {
        [PSCustomObject]@{
            "Name"      = $p.Name
            "State"     = $p.State
            "Supported" = $p.Supported
        }
    }
    # Let's see what happens.
    $PolicyDetails

Policy-based settings. It only contains the fields that are required (in this case Name, State, and OS Support info)

Getting a GPO Linked to an OU using PowerShell

Before we finish, let's look at another brief example of how to use Get-GPOReport to see which OU(s) each GPO is linked to, as well as the status of each link (Enabled or Disabled).

Always start by locating the properties you need to refer to. Examining an XML file created using the Path option is one of the simplest methods to do it. The XML layout below shows that there are several LinksTo nodes. These nodes have child nodes that provide information on the different GPO linkages.

The GPO Report includes a list of GPO Links.

There may be many links from the same GPO, as you can see (you can link the same GPO to different sites, domains or OUs). You must keep this in mind while you loop through the links.

Once you know the XML nodes to query, you can develop a script to parse the XML, as illustrated below. The following example finds all GPOs in the domain, generates an XML output from them, and then reads the LinksTo XML node, returning the GPO's name ($Gpo.GPO.Name), the OU's path name ($i.SOMPath), and whether it's enabled ($i.Enabled).

    # Get a list of all GPOs (but not all GPO reports!)
    $AllGpos = Get-GPO -All
    # Create a custom object that contains all of the GPOs and their links (separate for each distinct OU)
    $GpoLinks = foreach ($g in $AllGpos) {
        [xml]$Gpo = Get-GPOReport -ReportType Xml -Guid $g.Id
        foreach ($i in $Gpo.GPO.LinksTo) {
            [PSCustomObject]@{
                "Name"         = $Gpo.GPO.Name
                "Link"         = $i.SOMPath
                "Link Enabled" = $i.Enabled
            }
        }
    }
    # View all GPOs and their associated links.
    $GpoLinks | Sort-Object Name

When you're done, look at the result below. Because it is linked to three separate OUs, Google Chrome appears three times in the report. It's also worth noting that the link for the Servers OU is disabled.


Each OU to which the GPOs are linked, as well as the state of each link.
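
A loop over LinksTo emits nothing for a GPO whose report has no LinksTo node, so unlinked GPOs drop out of the link report without a trace. The added example below (not code from the original article) reports them explicitly alongside disabled links; Get-GpoLinkRow is a hypothetical name, and the sample reports, GPO names and OU paths are constructed.

```powershell
# Added example: constructed reports, trimmed to the nodes the function reads.
# GPO names and OU paths are made up; Get-GpoLinkRow is a hypothetical name.
$SampleReports = @(
    '<GPO><Name>Google Chrome</Name>
       <LinksTo><SOMPath>corp.example/Workstations</SOMPath><Enabled>true</Enabled></LinksTo>
       <LinksTo><SOMPath>corp.example/Servers</SOMPath><Enabled>false</Enabled></LinksTo>
     </GPO>',
    '<GPO><Name>Legacy Printers</Name></GPO>'
)

function Get-GpoLinkRow {
    param([Parameter(Mandatory)][xml]$Report)
    $links = $Report.GPO.LinksTo
    if (-not $links) {
        # No LinksTo node at all: say so instead of silently emitting nothing.
        [PSCustomObject]@{ Name = $Report.GPO.Name; Link = $null; Status = 'Not linked' }
        return
    }
    foreach ($l in $links) {
        # Enabled is the text 'true' or 'false', so compare it as a string.
        $status = if ($l.Enabled -eq 'true') { 'Enabled' } else { 'Link disabled' }
        [PSCustomObject]@{ Name = $Report.GPO.Name; Link = $l.SOMPath; Status = $status }
    }
}

$rows = foreach ($r in $SampleReports) { Get-GpoLinkRow ([xml]$r) }

# Full link report, one row per link, plus one row per unlinked GPO.
$rows | Sort-Object Name | Format-Table -AutoSize

# Only the GPOs whose settings are not being applied where you might expect.
$rows | Where-Object Status -ne 'Enabled' | Format-Table -AutoSize

# Against a live domain, pass real reports instead of the samples:
#   Get-GPO -All | ForEach-Object {
#       Get-GpoLinkRow ([xml](Get-GPOReport -Guid $_.Id -ReportType Xml))
#   }
```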

Additional Reading

Once you’ve mastered Get-GPOReport, you may want to look at additional Group Policy cmdlets to aid you in your quest to administer Group Policies.
