Create lists of GPO settings with PowerShell
The other day I had to finish off the documentation for a XenApp 6.5 implementation I did a couple of months back for one of our customers. Group policies are, of course, a configuration item I wanted to have in that document.
What I did not want was the default format that the Group Policy Management Console offers in its HTML Reports of GPO settings.
What else could I do?
Of course there is the option to create an XML export with the GroupPolicy module imported into PowerShell.
The problem is that the output can't be parsed generically; instead, parsing has to be done individually for each type of setting.
The first step is to export all GPOs to XML files and copy them somewhere I have access to without needing to be a Domain Admin.
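
    Import-Module GroupPolicy
    # $path is assumed to be the export folder: one XML file per GPO
    Get-GPO -All | %{ Get-GPOReport -Name $_.DisplayName -ReportType Xml -Path (Join-Path $path "$($_.DisplayName).xml") }

    # Cast to [xml] so the XPath query below works
    [xml]$xml = gc $filename
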
The content of $xml is the base for an XPath query searching for the Node “Extension”.

    $nsmgr = New-Object System.XML.XmlNamespaceManager($xml.NameTable)
    $nsmgr.AddNamespace('root','http://www.microsoft.com/GroupPolicy/Settings')
    $settings = [array]$xml.SelectNodes('//root:Extension',$nsmgr)

The next step is to read the type of the GPO (e.g. RegistrySettings, FolderRedirectionSettings, SecuritySettings, DriveMapSettings …)

    $types = $settings|select -ExpandProperty type|%{$_.split(":")[1]}

To convert the actual settings of a random type into something that is easy to read, each of those types must be inspected in order to develop a mini parser for it. Two simple examples are “Registry Settings” and “Internet Explorer Settings”.
Type = RegistrySettings

    $settings|?{$_.type -match "RegistrySettings"}|%{$_.RegistrySettings.Registry}|select -expand Properties

Type = InternetExplorerSettings

    $settings|%{$_.FavoriteURL|select Name, URL}

An example of a more complicated structure is “SecuritySettings”:

    # Assumed definition: $securitysettings is the SecuritySettings extension node
    $securitysettings = $settings|?{$_.type -match "SecuritySettings"}
    $out = @()   # start with an empty array so += appends lines instead of concatenating strings
    $kname = @($settings|%{$_.SecurityOptions|select -expand KeyName})
    $dname = @($settings|%{$_.SecurityOptions.Display.DisplayString})
    For ($i=0;$i -lt $kname.length;$i++){
        $out += ($kname[$i],$dname[$i] -join (","))}
    $out|Out-File -FilePath $outputfile -Append
    $outgroups = @()
    $outgroups += ""
    $outgroups += "Restricted Group" + ";" + "Members"
    $outgroups += ""
    $restrgroups = @($securitysettings|%{$_.RestrictedGroups.Groupname.Name|select -expand "#text"})
    for ($j=0;$j -lt $restrgroups.length;$j++){
        # Group names look like DOMAIN\Group; match on the part after the backslash
        $securitysettings.RestrictedGroups|?{$_.GroupName.Name."#text" -match "$($restrgroups[$j].Split('\')[1])"}|%{
            $restrgroupmembers = ($_.Member.Name|select -expand "#text") -join (",")
            $outgroups += $restrgroups[$j] + ";" + $restrgroupmembers}}
    $outgroups += ""
    $outgroups|Out-File -FilePath $outputfile -Append
    $settings|?{$_.type -match "Account"}|%{$_.Account}|select Name,SettingBoolean,Type

After I have determined the “Type” (and, if necessary, the “Name”) of each node, I run a switch loop and call a function depending on the “Type” (I have already finished the types below; there are heaps more).

    # Number of extension types found in this GPO
    $nroftypes = @($types).Count
    if ($nroftypes -gt 1){
        for ($i=0;$i -lt $nroftypes;$i++){
            switch ($types[$i])
            {
                RegistrySettings {get-RegistrySettings}
                FolderRedirectionSettings {get-FolderRedirectionSettings}
                SecuritySettings {get-securitysettings}
                InternetExplorerSettings {get-InternetExplorerSettings}
                DriveMapSettings {get-DriveMapSettings}
            }
        }
    }

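For extension types that do not yet have their own function, a generic fallback can at least flatten every setting node into name=value pairs, so nothing is silently missing from the documentation. The following is an added example, not part of the original script: the sample XML is constructed to resemble a Get-GPOReport export, and Get-LeafSettings is a hypothetical helper name.

```powershell
# Constructed sample shaped like a Get-GPOReport XML export (not a real GPO)
[xml]$xml = @'
<GPO xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Sample_GPO</Name>
  <Computer><ExtensionData>
    <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security" xsi:type="q1:SecuritySettings">
      <q1:Account>
        <q1:Name>ClearTextPassword</q1:Name>
        <q1:SettingBoolean>false</q1:SettingBoolean>
      </q1:Account>
    </Extension>
  </ExtensionData></Computer>
  <User><ExtensionData>
    <Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q2:RegistrySettings">
      <q2:Policy>
        <q2:Name>Site to Zone Assignment List</q2:Name>
        <q2:State>Enabled</q2:State>
      </q2:Policy>
    </Extension>
  </ExtensionData></User>
</GPO>
'@

# Hypothetical helper: walk a node and emit "path=value" for every leaf element
function Get-LeafSettings {
    param([System.Xml.XmlNode]$Node, [string]$Path = '')
    $children = $Node.SelectNodes('*')          # child elements in any namespace
    if ($children.Count -eq 0) { return "$Path=$($Node.InnerText)" }
    foreach ($child in $children) {
        $childPath = if ($Path) { "$Path/$($child.LocalName)" } else { $child.LocalName }
        Get-LeafSettings -Node $child -Path $childPath
    }
}

$nsmgr = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$nsmgr.AddNamespace('root', 'http://www.microsoft.com/GroupPolicy/Settings')
$xsi = 'http://www.w3.org/2001/XMLSchema-instance'
$rows = foreach ($ext in $xml.SelectNodes('//root:Extension', $nsmgr)) {
    foreach ($item in $ext.SelectNodes('*')) {   # one row per Account, Policy, ...
        [pscustomobject]@{
            GPO      = $xml.GPO.Name
            Side     = $ext.ParentNode.ParentNode.LocalName   # Computer or User
            Type     = $ext.GetAttribute('type', $xsi).Split(':')[-1]
            Item     = $item.LocalName
            Settings = @(Get-LeafSettings -Node $item) -join '; '
        }
    }
}
$rows | Format-Table -AutoSize -Wrap
```

Piping `$rows` to `Export-Csv` instead of `Format-Table` produces a file that can be sorted by GPO and type before it goes into the document.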
The output looks like the following:
U_XenApp_General_Settings is linked to: domain-fqdn/Servers/Citrix
GPO Type InternetExplorerSettings
Empower HR System http://go/ess
Helpdesk http://go/Helpdesk
Admin http://go/Admin
Trading http://go/ti
GPO Type RegistrySettings
action : R
displayDecimal : 0
default : 0
hive : HKEY_CURRENT_USER
key : Software\Microsoft\Communicator
name : AutoRunWhenLogonToWindows
type : REG_DWORD
value : 00000000
Values :
GPO Typ RegistrySettings
Intranet Sites: Include all sites that bypass the proxy server Enabled
Intranet Zone Template Enabled
Site to Zone Assignment List Enabled
…