Alternative of GroupPolicy

Hi, I am trying to build a script to read selected group policies from a text file.

I understand the most common approach would be to use the GroupPolicy module, but it requires downloading RSAT. (Correct me if I’m wrong.)

Due to the scope of my project, I am unable to install RSAT, as not all test cases allow installation of RSAT if it is not installed on the server.

Are there any other alternatives or approaches I can use to read group policies?

Thanks!

Hi lIlIlIlIlI,
welcome to the forums.

To read something from a text file you can use

On Windows 10 it’s not a download; it’s a Windows Feature you can install with a PowerShell command.

What actually is the scope of your project? :wink: What is it that you want to achieve? What have you tried so far?

I will need to validate the values read from Group Policy and my text file and compare them with my own values to see if they match. It will not be possible for me to install on other computers/servers in order to run my script.

I only tried the GroupPolicy’s module (Get-GPO and etc…) but upon realizing it requires some installation, I started looking for alternatives which I can’t seem to find…

You know there is no built in way to actually read the content of a given GPO, don’t you? You would need to parse the XML output from Get-GPOReport to actually see what’s inside a GPO.

I still did not get what you actually want to achieve and why or what for.

It’s sort of automating an auditing process. Reading the GPO and validating it against certain benchmarks.

Hmmm, still don’t get it. Could you share an example?

Anyway, try to run the following snippet on a client where you have the according cmdlets available to see what I mean:

Get-GPO -All | Select-Object -First 1 | 
Get-GPOReport -ReportType Xml

The script should then be able to read my file with audit’s GPO data and also extract the GPO from the system and compare to see if it meets the requirement of having X minimum character as password.

e.g.
Auditing Benchmark
GPO name: PasswordMinLength
Value: 8

XYZ System
GPO name: PasswordMinLength
Value: 10

Upon comparison, the system’s GPO passes the GPO benchmark.

I understand that Get-GPO would be the best solution but in the scenario where the system has restrictions and prevents me from installing or enabling the RSAT feature for GPO module?

Is there a way to work around it?

By default the cmdlet Get-GPO reads the information about GPOs from the AD. You can specify a particular domain or a particular server but you don’t have to run this cmdlet on a server. It can (actually it should) run from any domain joined client with the RSAT module installed.

But … the difficult part of the job would be to parse the GPOs to find the setting you’re after. :wink: As far as I know there is no built in or even easy way to do that.

Depends. If your policies are under security policies, then secedit.exe will help.

secedit commands | Microsoft Docs
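
The secedit.exe route from the last reply, applied to the password-length check described earlier in the thread. This is an added example, not code from any of the posts; the benchmark entries and the `ConvertFrom-SeceditInf` helper are constructed for illustration, and the benchmark keys are assumed to use the names secedit writes under `[System Access]` (for example `MinimumPasswordLength`).

```powershell
# Added example: audit password policy with secedit.exe, no RSAT needed.
# Run elevated; secedit needs administrative rights to export the policy.

# Constructed benchmark. 'Op' states how the system value must relate to
# the benchmark value: 'ge' = at least, 'eq' = exactly.
$benchmark = @(
    @{ Name = 'MinimumPasswordLength'; Op = 'ge'; Value = 8  }
    @{ Name = 'PasswordHistorySize';   Op = 'ge'; Value = 24 }
    @{ Name = 'PasswordComplexity';    Op = 'eq'; Value = 1  }
)

# Hypothetical helper: collect the integer settings of [System Access].
function ConvertFrom-SeceditInf {
    param([string[]]$Lines)
    $settings = @{}
    $section  = ''
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and
            $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    $settings
}

$cfg = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed: exit code $LASTEXITCODE" }
    $actual = ConvertFrom-SeceditInf -Lines (Get-Content -Path $cfg)
}
finally {
    # The export describes the host's security settings; do not leave it behind.
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

foreach ($rule in $benchmark) {
    $have = $actual[$rule.Name]
    # A setting missing from the export is reported as a failure.
    if ($null -eq $have)         { $pass = $false }
    elseif ($rule.Op -eq 'ge')   { $pass = $have -ge $rule.Value }
    else                         { $pass = $have -eq $rule.Value }
    [pscustomobject]@{ Setting = $rule.Name; Required = $rule.Value
                       Actual = $have; Pass = $pass }
}
```

secedit reports the security settings configured on the machine it runs on, not the contents of a named GPO, so this covers only settings under security policies, as the reply says.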