Forum Discussion
Policy Analyzer - Compare all settings
Here's an example script that demonstrates how you can accomplish this:
```powershell
# Load the Group Policy cmdlets (Get-GPO, Get-GPOReport)
Import-Module GroupPolicy
# Define the names of the GPOs to compare
$referenceGPO = "ReferenceGPO"
$backupGPO = "BackupGPO"
# Get the policies from the reference GPO.
# Select-Xml returns match wrappers, so expand .Node to get elements that have a Name.
# Check the XPath against the element names and XML namespace of your own report output.
$referencePolicies = Get-GPO -Name $referenceGPO | Get-GPOReport -ReportType Xml | Select-Xml -XPath "//GPO/ComputerConfiguration/Settings/*" | Select-Object -ExpandProperty Node
# Get the policies from the backup GPO
$backupPolicies = Get-GPO -Name $backupGPO | Get-GPOReport -ReportType Xml | Select-Xml -XPath "//GPO/ComputerConfiguration/Settings/*" | Select-Object -ExpandProperty Node
# Compare the policies by element name
$addedPolicies = Compare-Object -ReferenceObject $referencePolicies -DifferenceObject $backupPolicies -Property Name -PassThru | Where-Object { $_.SideIndicator -eq "=>" }
$removedPolicies = Compare-Object -ReferenceObject $referencePolicies -DifferenceObject $backupPolicies -Property Name -PassThru | Where-Object { $_.SideIndicator -eq "<=" }
# Display the added policies
Write-Host "Added Policies:"
$addedPolicies | ForEach-Object { Write-Host $_.Name }
# Display the removed policies
Write-Host "Removed Policies:"
$removedPolicies | ForEach-Object { Write-Host $_.Name }
```
In this script, you need to replace "ReferenceGPO" and "BackupGPO" with the actual names of the GPOs you want to compare. The script retrieves the policies of each GPO using `Get-GPO` and `Get-GPOReport` cmdlets. Then, it compares the policies using `Compare-Object` and filters the added and removed policies based on the `SideIndicator` property.
The added policies are displayed first, followed by the removed policies. You can modify the script to suit your specific requirements, such as comparing user configuration policies or exporting the results to a file.
Note: The script compares the policies at the computer configuration level. If you want to compare user configuration policies, you can modify the XPath expression to "//GPO/UserConfiguration/Settings/*".
Thank you for sharing the script. This is very much appreciated.
Get-GPOReport will only show applied policy settings. I would like to have all policies around 3000+ (including applied and not applied) to be displayed. Is it possible?
Thank you in advance.
- AaronMargosis_Tanium, Jun 28, 2023, Iron Contributor: Policy Analyzer analyzes GPO backups, so a setting needs to be configured in one or more GPOs for it to show in a comparison.
- jemfernandez, Jun 28, 2023, Copper Contributor: Thank you AaronMargosis_Tanium. I agree but I would like to display all without configuring each setting. I am hoping there's a way with either Policy Analyzer or other tools like PowerShell.
- AaronMargosis_Tanium, Jun 28, 2023, Iron Contributor: What you need to do is to merge the Policy Analyzer results (each .PolicyRules file is just an XML document) with a full listing of all available GPO settings. I don't know of any publicly available tools to get all those in an XML, but perhaps you could do something with the Excel spreadsheet that ships with the baselines that lists all the settings.
- LeonPavesic, Jun 28, 2023, Silver Contributor:
AaronMargosis_Tanium I agree with you.
jemfernandez It is hard to get what you need with PowerShell.
Policy Analyzer is a powerful tool that provides a comprehensive analysis of Group Policy objects. You can download Policy Analyzer from the Microsoft Download Center (https://www.microsoft.com/en-us/download/details.aspx?id=55319). Once installed, you can use it to compare GPO backups and analyze the policies within them.
Here's how you can use Policy Analyzer to compare GPOs:
- Launch Policy Analyzer.
- Click on "Open" and select the first GPO backup file.
- Click on "Open" again and select the second GPO backup file.
- Policy Analyzer will analyze the GPOs and display a comparison report.
- The report will show all the policies in the GPOs, including applied and not applied settings, and highlight any differences or conflicts between them.
- AaronMargosis_Tanium, Jun 28, 2023, Iron Contributor: (That's not how Policy Analyzer works. There's no "Open," for example. The actual mechanism is described in the PDF that comes with the tool. You should try it out! It's pretty darn cool! 🙂 )
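
The merge suggested earlier in the thread (a .PolicyRules XML document joined against a full listing of available settings), sketched in PowerShell as an added example; it is not code from any post here or from Policy Analyzer. Assumptions: the .PolicyRules element names (`ComputerConfig`, `UserConfig`, `Key`, `Value`, `RegData`), the CSV column names, and all sample data are constructed for illustration and should be checked against your own files.

```powershell
# Constructed sample of a .PolicyRules document. The element names below are an
# assumption about the file layout; verify them against one of your own files.
[xml]$rules = @'
<PolicyRules>
  <ComputerConfig>
    <Key>Software\Policies\Contoso\Example</Key>
    <Value>EnableFeature</Value>
    <RegData>1</RegData>
  </ComputerConfig>
  <UserConfig>
    <Key>Software\Policies\Contoso\Example</Key>
    <Value>HideBanner</Value>
    <RegData>0</RegData>
  </UserConfig>
</PolicyRules>
'@

# Constructed full listing of available settings, standing in for a CSV saved
# from the settings spreadsheet. The column names are hypothetical.
$catalogue = @'
Scope,Key,Value,PolicyName
Machine,Software\Policies\Contoso\Example,EnableFeature,Enable example feature
Machine,Software\Policies\Contoso\Example,MaxRetries,Maximum retries
User,Software\Policies\Contoso\Example,HideBanner,Hide banner
'@ | ConvertFrom-Csv

# Index the configured settings by scope, key and value name. A hashtable
# literal compares string keys case-insensitively, like registry names.
$scopeOf = @{ ComputerConfig = 'Machine'; UserConfig = 'User' }
$configured = @{}
foreach ($node in $rules.SelectNodes('/PolicyRules/ComputerConfig | /PolicyRules/UserConfig')) {
    $id = ($scopeOf[$node.LocalName], $node.SelectSingleNode('Key').InnerText,
           $node.SelectSingleNode('Value').InnerText) -join '|'
    $configured[$id] = $node.SelectSingleNode('RegData').InnerText
}

# Left join: every catalogue row is emitted, whether or not a GPO configures it.
$merged = foreach ($row in $catalogue) {
    $id = ($row.Scope, $row.Key, $row.Value) -join '|'
    [pscustomobject]@{
        Scope      = $row.Scope
        PolicyName = $row.PolicyName
        State      = if ($configured.ContainsKey($id)) { 'Configured' } else { 'Not configured' }
        RegData    = $configured[$id]
    }
}
$merged | Format-Table -AutoSize
```

With the constructed data, the `MaxRetries` row is listed as "Not configured", which is the kind of row a comparison of GPO backups alone never shows.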