Find specific setting in GPO

PowerShell Help
1

Hi,
I’m a Exchange Administrator, now I was given the tasks to validate a new Desktop image with Windows 10 and Office 2016, with get-gpresultantsetofpolicy, get-gporeport, I found out what GPO are configured and export to HTML and XML. I now this GPO are build based on old GPO.

Is there any other way to find all outlook settings in a GPO with out parse the XML file (From the Get-GPOReport)?
Parsing XML is very hard for me.

Thanks
António

2

Well, it is a file, so if you are after only specific info, then you have to parse it.

Parsing XML an be a challenge…

blogs.technet.com/b/heyscriptingguy/archive/2012/03/26/use-powershell-to-parse-an-xml-file-and-sort-the-data.aspx

…but as long as you know what tagged area you want, it’s fairly straight forward. Well, depending on how that XML file is defined. For example the simple example one…

$doc = [xml]@’

'@
$doc.xml.Section.BEName

Or more dynamically

[xml]$XmlContent = Get-Content variable:\doc
$XmlContent.xml.Section.BEName

I have no GPO for Outlook configs, so I cannot say what that would look like.
Yet, using a general output from a workstation…

Using the cmdlets

$GpoReport = $env:COMPUTERNAME + ‘_’ + ‘GpoAll.xml’
Get-GPOReport -All -ReportType XML -Path “c:\Temp$GpoReport”
[xml]$GpoContent = Get-Content -Path c:\temp$GpoReport

So, now that we have the content in a variable, we can start navigating the report

Root element / node

$GpoContent

xml report
— ------ version=“1.0” encoding=“utf-16” report

child element / node… and so on…

$GpoContent.report

GPO

{Default Domain Policy, Default Domain Controllers Policy}

$GpoContent.report.GPO

xsd : XML Schema
xsi : http://www.w3.org/2001/XMLSchema-instance
xmlns : http://www.microsoft.com/GroupPolicy/Settings
Identifier : Identifier
Name : Default Domain Policy
IncludeComments : true
CreatedTime : 2017-04-01T00:02:13
ModifiedTime : 2017-04-01T00:07:20
ReadTime : 2017-11-19T07:58:53.2761454Z
SecurityDescriptor : SecurityDescriptor
FilterDataAvailable : true
Computer : Computer
User : User
LinksTo : LinksTo

xsd : XML Schema
xsi : http://www.w3.org/2001/XMLSchema-instance
xmlns : http://www.microsoft.com/GroupPolicy/Settings
Identifier : Identifier
Name : Default Domain Controllers Policy
IncludeComments : true
CreatedTime : 2017-04-01T00:02:13
ModifiedTime : 2017-10-30T03:49:12
ReadTime : 2017-11-19T07:58:56.8300864Z
SecurityDescriptor : SecurityDescriptor
FilterDataAvailable : true
Computer : Computer
User : User
LinksTo : LinksTo

$GpoContent.report.GPO | Select User
$GpoContent.report.GPO | Select User -First 1

User

User

($GpoContent.report.GPO)[0]

xsd : XML Schema
xsi : http://www.w3.org/2001/XMLSchema-instance
xmlns : http://www.microsoft.com/GroupPolicy/Settings
Identifier : Identifier
Name : Default Domain Policy
IncludeComments : true
CreatedTime : 2017-04-01T00:02:13
ModifiedTime : 2017-04-01T00:07:20
ReadTime : 2017-11-19T07:58:53.2761454Z
SecurityDescriptor : SecurityDescriptor
FilterDataAvailable : true
Computer : Computer
User : User
LinksTo : LinksTo

($GpoContent.report.GPO)[0].Computer
<#
VersionDirectory VersionSysvol Enabled ExtensionData

3 3 true {Security, Public Key, Registry}

($GpoContent.report.GPO)[0].Computer.ExtensionData

Extension Security
Extension Public Key
Extension Registry

($GpoContent.report.GPO)[0].Computer.ExtensionData.Extension
<#
q1 type Account SecurityOptions

http://www.microsoft.com/GroupPolicy/… q1:SecuritySettings {ClearTextPassword, LockoutBadCount, … {q1:SecurityOptions, q1:SecurityOptio…
q2:PublicKeySettings
q3:RegistrySettings

($GpoContent.report.GPO)[0].Computer.ExtensionData.Extension.Account | ft -AutoSize

Name SettingBoolean Type

ClearTextPassword false Password
LockoutBadCount Account Lockout
MaximumPasswordAge Password
MinimumPasswordAge Password
MinimumPasswordLength Password
PasswordComplexity true Password
PasswordHistorySize Password
MaxClockSkew Kerberos
MaxRenewAge Kerberos
MaxServiceAge Kerberos
MaxTicketAge Kerberos
TicketValidateClient true Kerberos

You can also, just search the XML doc directly for string matches.

Select-String -Path "c:\temp$GpoReport" -Pattern Password

3

Well, it’s a file, and if you are after specific parts of it, you are going to have to parse it.

See these articles —

blogs.technet.com/b/heyscriptingguy/archive/2012/03/26/use-powershell-to-parse-an-xml-file-and-sort-the-data.aspx
Search XML files with PowerShell using Select-XML | Petri IT Knowledgebase

XML can be a challenge, but once you have it as an object navigation is fairly straight forward. Well, as long as that XML is well structured.

$doc = [xml]@’
‘Some XML doc pasted here’
'@
$doc.xml.Section.BEName

Or more dynamically

[xml]$cn = Get-Content variable:\doc
$cn.xml.Section.BEName

Using the cmdlets

$GpoReport = $env:COMPUTERNAME + ‘_’ + ‘GpoAll.xml’
Get-GPOReport -All -ReportType XML -Path “c:\Temp$GpoReport”
[xml]$GpoContent = Get-Content -Path c:\temp$GpoReport

Navigating the report

$GpoContent

$GpoContent.report

$GpoContent.report.GPO

$GpoContent.report.GPO | Select User
$GpoContent.report.GPO | Select User -First 1

($GpoContent.report.GPO)[0]

($GpoContent.report.GPO)[0].Computer

($GpoContent.report.GPO)[0].Computer.ExtensionData

($GpoContent.report.GPO)[0].Computer.ExtensionData.Extension

($GpoContent.report.GPO)[0].Computer.ExtensionData.Extension.Account | ft -AutoSize

Select-String -Path “c:\temp$GpoReport” -Pattern Password

4

There is an excel spreadsheet with all the gpo’s, not just the ones set: https://www.microsoft.com/en-us/download/details.aspx?id=25250

get-gpresultantsetofpolicy won’t do the trick, or gpresult? There’s also a powershell module to read the local .pol files: http://brandonpadgett.com/powershell/Local-gpo-powershell/

5

I want to use powershell to monitor changes automatically, thanks you

6

Thank you.
This is what I got so far:

[xml]$GpoReport = Get-Content "C:\GPO\newwin10.xml"
[XML]$GpoReport = Get-GPOReport -Name Win10Test-V2 -ReportType xml

$RegistryNamespace = @{ RegistrySettings="http://www.microsoft.com/GroupPolicy/Settings/Registry" }
$RegistrySettings = Select-Xml -Xml $GpoReport -Namespace $RegistryNamespace -XPath "//RegistrySettings:RegistrySetting"
$OutlookSettings = $RegistrySettings | Select -ExpandProperty Node | Where KeyPath -like "*Outlook*"

$All = foreach ( $R in $OutlookSettings ) {
    $Values = $R | Select -ExpandProperty Value | Select Name, Number, ExpString, String
    $Values | Add-Member -Name KeyPath    -MemberType NoteProperty -Value $R.KeyPath
    $Values | Add-Member -Name AdmSetting -MemberType NoteProperty -Value $R.AdmSetting
    $Values | Add-Member -Name Prefix -MemberType NoteProperty -Value $R.Prefix
    $Values
    Remove-Variable Values
}
$All | Out-GridView

Still have to transformer into a function but I believe most of the work already done. New I have to get the Group Policy Preferences setting, using the Get-GPPrefRegistryValue cmdlts