There are lots of resources that show how to do GPO search with PS, those settings notwithstanding.
MS powershellgallery.com even has scripts for this sort of search.
Search all GPOs in a domain for a string
This is a simple Powershell script that uses the Group Policy cmdlets to search for a string within GPOs. The only input is the string to search for.
'gallery.technet.microsoft.com/scriptcenter/Search-all-GPOs-in-a-b155491c'
As well as others have provided samples to experiment with… Examples I’ve looked into previously…
Thanks postanote. The “search String” ps1 is slick but won’t find if a setting is set. I tested it using the search string “Enforce password”, which I know we have implemented in our Default Domain policy, yet the ps1 doesn’t find this setting.
GPO Setting Search Powershell Example
'activedirectory.ncsu.edu/advanced-topics/scripting-center/gpo-setting-search-powershell-example'
This one seems helpful provided I plug in the correct parameters; however, I have yet to corroborate those with what I am seeking.
All 3 of the settings are found here: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
and the settings I want to see if enabled are:
Set Domain member: Digitally encrypt or sign secure channel data (always) to Enabled.
Set Domain member: Digitally encrypt secure channel data (when possible) to Enabled.
Set Domain member: Digitally sign secure channel data (when possible) to Enabled.
You may have to check the registry entries themselves, and use process monitor (filter category = write) to figure out what registry changes happen. This is one of them:
Time of Day Process Name PID Operation Path Result Detail
2:27:46.8702663 PM services.exe 692 RegSetValue HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal SUCCESS Type: REG_DWORD, Length: 4, Data: 1
But this approach seems to be getting information from a computer that has received the setting and I’m 1) only running the script on the PDC (not a server’s registry for the value) and 2) not querying the registry.
With hundreds of GPOs sitting in Sysvol, I want to query if any of those GPOs has the 3 settings set. These settings may in fact not be set. I’d like to ascertain that.
Maybe there’s some way to explore the AD objects (group policy container?) of a GPO with the settings you’re interested in. This is as far as I know. I was thinking of automating deploying printers, but never got it to work.
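One way to answer the question from SYSVOL alone, as an added example that is not code from any poster in this thread: Security Options configured in a GPO are written to that GPO's `Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` under `[Registry Values]`, so the file can be parsed without touching any client registry. `RequireSignOrSeal` comes from the Process Monitor line above; `SealSecureChannel` and `SignSecureChannel` are the Netlogon value names for the other two options and are not from the thread, and the function name, sample content and domain are assumptions.

```powershell
# Added example, not code from the thread. Value names are the Netlogon
# parameters behind the three "Domain member" security options.
$Wanted = [ordered]@{
    RequireSignOrSeal = 'Digitally encrypt or sign secure channel data (always)'
    SealSecureChannel = 'Digitally encrypt secure channel data (when possible)'
    SignSecureChannel = 'Digitally sign secure channel data (when possible)'
}
$Prefix = 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\'

function Get-SecureChannelSetting {   # hypothetical helper name
    param([string[]]$InfLines, [string]$Gpo)
    $found = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {                     # section header
            $inSection = $Matches[1] -eq 'Registry Values'
        } elseif ($inSection -and $text -match '^(.+?)\s*=\s*(\d+)\s*,\s*(.*)$') {
            $key, $data = $Matches[1], $Matches[3]           # line is key=type,data
            $name = ($key -split '\\')[-1]
            if ($Wanted.Contains($name) -and $key -eq ($Prefix + $name)) { $found[$name] = $data }
        }
    }
    foreach ($name in $Wanted.Keys) {                        # one row per option, set or not
        $state = 'Not defined'
        if ($found.Contains($name)) { $state = if ($found[$name] -eq '1') { 'Enabled' } else { 'Disabled' } }
        [pscustomobject]@{ Gpo = $Gpo; Setting = "Domain member: $($Wanted[$name])"; State = $state }
    }
}

# Constructed sample GptTmpl.inf content (not taken from a real GPO).
$sample = @'
[System Access]
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,0
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split '\r?\n'
Get-SecureChannelSetting -InfLines $sample -Gpo 'constructed-sample' | Format-Table -AutoSize

# Against SYSVOL (contoso.example is a placeholder domain; folder names are GPO GUIDs):
# Get-ChildItem '\\contoso.example\SYSVOL\contoso.example\Policies' -Directory | ForEach-Object {
#     $inf = Join-Path $_.FullName 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
#     if (Test-Path -LiteralPath $inf) { Get-SecureChannelSetting (Get-Content -LiteralPath $inf) $_.Name }
# }
```

A GPO folder with no `GptTmpl.inf` defines none of the three options, and `Get-GPO -Guid` maps a folder's GUID back to the GPO's display name.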