BLOG
Knowledge transfer from IT specialists

Create lists of GPO settings with Powershell

The other day I had to finish off the documentation for a XenApp 6.5 implementation I did a couple of months back for one of our customers. Of course group policies are a configuration item I wanted to have in that document.
What I did not want was the default format that the Group Policy Management Console offers in its HTML reports of GPO settings.
What else could I do?
Of course there is the option to create an XML export with the Group Policy module imported into PowerShell.
The problem is that the output can't be parsed generically; instead, parsing has to be done individually for each type of setting, because every client-side extension stores its settings in its own element layout.
The first step is to export all GPOs to XML files and copy them somewhere I can access without being a Domain Admin; from then on, the parsing only needs read access to the files.

Import-Module GroupPolicy
# $path is the export directory; write one report per GPO, named after the GPO
# (a single fixed -Path would overwrite the same file for every GPO)
Get-GPO -All | Select-Object DisplayName | ForEach-Object {
    Get-GPOReport -Name $_.DisplayName -ReportType Xml -Path (Join-Path $path "$($_.DisplayName).xml")
}

# Cast to [xml]: a plain string array has neither a NameTable nor SelectNodes
$xml = [xml](Get-Content $filename)

The content of $xml is the base for an XPath query searching for the node "Extension". The report declares a default namespace, so the query only finds anything if that namespace is registered under a prefix and used in the XPath expression.

$nsmgr = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$nsmgr.AddNamespace('root', 'http://www.microsoft.com/GroupPolicy/Settings')
# [array] keeps this an array even when the GPO has a single extension
$settings = [array]$xml.SelectNodes('//root:Extension', $nsmgr)

The next step is to read the type of each extension (e.g. RegistrySettings, FolderRedirectionSettings, SecuritySettings, DriveMapSettings, ...). The report stores it in the xsi:type attribute with a namespace prefix such as "q1:RegistrySettings", so the prefix is stripped off.

# @() guarantees an array even when a GPO contains only one extension type
$types = @($settings | Select-Object -ExpandProperty type | ForEach-Object { $_.Split(":")[1] })

To convert the settings of any given type into something that is easy to read, each type must be inspected in order to develop a mini parser for it. Two simple examples are "Registry Settings" and "Internet Explorer Settings".

Type = RegistrySettings

# Group Policy Preferences registry items: one Properties node per registry value
$settings | Where-Object { $_.type -match "RegistrySettings" } |
    ForEach-Object { $_.RegistrySettings.Registry } |
    Select-Object -ExpandProperty Properties

Type = InternetExplorerSettings

# Favorites configured through Internet Explorer Maintenance
$settings | Where-Object { $_.type -match "InternetExplorerSettings" } |
    ForEach-Object { $_.FavoriteURL | Select-Object Name, URL }

An example of a more complicated structure is "SecuritySettings", which combines Security Options, Restricted Groups and Account policies under a single extension node:

# Everything below works on the SecuritySettings extension(s) only
$securitysettings = $settings | Where-Object { $_.type -match "SecuritySettings" }

# Security Options: the registry key behind the option plus the name the GPMC displays
$kname = $securitysettings | ForEach-Object { $_.SecurityOptions | Select-Object -ExpandProperty KeyName }
$dname = $securitysettings | ForEach-Object { $_.SecurityOptions.Display.DisplayString }
$out = @()   # initialise as an array; += on an unset variable would build one long string instead
for ($i = 0; $i -lt $kname.Length; $i++) {
    $out += ($kname[$i], $dname[$i] -join ",")
}
$out | Out-File -FilePath $outputfile -Append

# Restricted Groups: group name followed by its members
$outgroups = @()
$outgroups += ""
$outgroups += "Restricted Group" + ";" + "Members"
$outgroups += ""
$restrgroups = $securitysettings | ForEach-Object { $_.RestrictedGroups.GroupName.Name | Select-Object -ExpandProperty "#text" }
for ($j = 0; $j -lt $restrgroups.Length; $j++) {
    # compare on the part after DOMAIN\; -match takes a regex, so escape the group name
    $groupPattern = [regex]::Escape($restrgroups[$j].Split("\")[-1])
    $securitysettings.RestrictedGroups | Where-Object { $_.GroupName.Name."#text" -match $groupPattern } | ForEach-Object {
        $restrgroupmembers = ($_.Member.Name | Select-Object -ExpandProperty "#text") -join ","
        $outgroups += $restrgroups[$j] + ";" + $restrgroupmembers
    }
}
$outgroups += ""
$outgroups | Out-File -FilePath $outputfile -Append

# Account policies (password, lockout, Kerberos); the type attribute never contains "Account",
# so filter on the SecuritySettings extension and read its Account children
$securitysettings | ForEach-Object { $_.Account } | Select-Object Name, SettingBoolean, Type

After I have determined the "Type" (and, if necessary, the "Name") of each node, I run a switch inside a loop and call a function depending on "Type" (the types below are the ones I have finished so far; there are heaps more).

# get-* are the per-type functions built from the mini parsers above;
# @() makes the loop work for a single type as well as for many
foreach ($type in @($types)) {
    switch ($type) {
        RegistrySettings          { get-RegistrySettings }
        FolderRedirectionSettings { get-FolderRedirectionSettings }
        SecuritySettings          { get-securitysettings }
        InternetExplorerSettings  { get-InternetExplorerSettings }
        DriveMapSettings          { get-DriveMapSettings }
    }
}

The output looks like the following:

U_XenApp_General_Settings is linked to: domain-fqdn/Servers/Citrix

GPO Type InternetExplorerSettings

Empower HR System    http://go/ess
Helpdesk             http://go/Helpdesk
Admin                http://go/Admin
Trading              http://go/ti

GPO Type RegistrySettings

action         : R
displayDecimal : 0
default        : 0
hive           : HKEY_CURRENT_USER
key            : Software\Microsoft\Communicator
name           : AutoRunWhenLogonToWindows
type           : REG_DWORD
value          : 00000000
Values         :

GPO Type RegistrySettings

Intranet Sites: Include all sites that bypass the proxy server    Enabled
Intranet Zone Template                                            Enabled
Site to Zone Assignment List                                      Enabled
…
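The steps above (namespace-aware XPath over the report, type detection from xsi:type, a mini parser per type, switch dispatch) combined into one stand-alone script. This is an added example, not the post's code and not something the Group Policy module ships; it needs PowerShell 3.0 or later for [pscustomobject]. The report embedded in $sampleReport is constructed for this example and only follows the outline of a Get-GPOReport XML (default namespace on GPO, Extension nodes with xsi:type, per-type children); a real export carries more elements and different prefixes. The helper names Get-ChildText, Get-GpoExtension, ConvertFrom-RegistrySettings, ConvertFrom-SecuritySettings and ConvertFrom-GpoReport are my own.

```powershell
# Added example, not part of the original post. The report below is CONSTRUCTED.
$sampleReport = @'
<GPO xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>U_XenApp_General_Settings</Name>
  <LinksTo><SOMName>Citrix</SOMName><SOMPath>contoso.local/Servers/Citrix</SOMPath><Enabled>true</Enabled></LinksTo>
  <Computer><ExtensionData>
    <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security" xsi:type="q1:SecuritySettings">
      <q1:Account><q1:Name>ClearTextPassword</q1:Name><q1:SettingBoolean>false</q1:SettingBoolean><q1:Type>Password</q1:Type></q1:Account>
      <q1:SecurityOptions>
        <q1:KeyName>MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse</q1:KeyName>
        <q1:Display><q1:Name>Accounts: Limit local account use of blank passwords to console logon only</q1:Name><q1:DisplayBoolean>true</q1:DisplayBoolean></q1:Display>
      </q1:SecurityOptions>
      <q1:RestrictedGroups>
        <q1:GroupName><q1:Name>BUILTIN\Administrators</q1:Name></q1:GroupName>
        <q1:Member><q1:Name>CONTOSO\Domain Admins</q1:Name></q1:Member>
        <q1:Member><q1:Name>CONTOSO\Citrix Admins</q1:Name></q1:Member>
      </q1:RestrictedGroups>
    </Extension>
  </ExtensionData></Computer>
  <User><ExtensionData>
    <Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q2:RegistrySettings">
      <q2:RegistrySettings><q2:Registry name="AutoRunWhenLogonToWindows">
        <q2:Properties action="R" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Communicator" name="AutoRunWhenLogonToWindows" type="REG_DWORD" value="00000000"/>
      </q2:Registry></q2:RegistrySettings>
    </Extension>
    <Extension xmlns:q3="http://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q3:RegistrySettings">
      <q3:Policy><q3:Name>Site to Zone Assignment List</q3:Name><q3:State>Enabled</q3:State></q3:Policy>
    </Extension>
    <Extension xmlns:q4="http://www.microsoft.com/GroupPolicy/Settings/DriveMaps" xsi:type="q4:DriveMapSettings"/>
  </ExtensionData></User>
</GPO>
'@

$xsiNs = 'http://www.w3.org/2001/XMLSchema-instance'

# Text of a direct child element, matched on local name so the q1/q2/... prefixes do not matter
function Get-ChildText($Node, [string]$Name) {
    $c = $Node.SelectSingleNode("*[local-name()='$Name']")
    if ($c) { $c.InnerText }
}

# One object per Extension node: scope (Computer/User), CSE type without prefix, and the node itself
function Get-GpoExtension([xml]$Report) {
    $nsmgr = New-Object System.Xml.XmlNamespaceManager($Report.NameTable)
    $nsmgr.AddNamespace('gp', 'http://www.microsoft.com/GroupPolicy/Settings')
    foreach ($ext in $Report.SelectNodes('//gp:Extension', $nsmgr)) {
        [pscustomobject]@{
            Scope = $ext.ParentNode.ParentNode.LocalName                   # ExtensionData sits under Computer or User
            Type  = ($ext.GetAttribute('type', $xsiNs) -split ':')[-1]   # "q1:RegistrySettings" -> "RegistrySettings"
            Node  = $ext
        }
    }
}

# GPP registry items (Registry/Properties) and Administrative Templates (Policy/Name/State)
# both report as RegistrySettings, so one parser handles both layouts
function ConvertFrom-RegistrySettings($Node) {
    foreach ($p in $Node.SelectNodes("*[local-name()='RegistrySettings']/*[local-name()='Registry']/*[local-name()='Properties']")) {
        [pscustomobject]@{ Setting = "$($p.GetAttribute('hive'))\$($p.GetAttribute('key'))\$($p.GetAttribute('name'))"
                           Value   = "$($p.GetAttribute('type'))=$($p.GetAttribute('value')) (action $($p.GetAttribute('action')))" }
    }
    foreach ($pol in $Node.SelectNodes("*[local-name()='Policy']")) {
        [pscustomobject]@{ Setting = (Get-ChildText $pol 'Name'); Value = (Get-ChildText $pol 'State') }
    }
}

# SecuritySettings: account policies, security options and restricted groups under one node
function ConvertFrom-SecuritySettings($Node) {
    foreach ($a in $Node.SelectNodes("*[local-name()='Account']")) {
        $v = Get-ChildText $a 'SettingBoolean'; if (-not $v) { $v = Get-ChildText $a 'SettingNumber' }
        [pscustomobject]@{ Setting = "$(Get-ChildText $a 'Type'): $(Get-ChildText $a 'Name')"; Value = $v }
    }
    foreach ($o in $Node.SelectNodes("*[local-name()='SecurityOptions']")) {
        $d = $o.SelectSingleNode("*[local-name()='Display']")    # GPMC display name and value live here
        $v = $null
        if ($d) { $v = Get-ChildText $d 'DisplayBoolean'; if (-not $v) { $v = Get-ChildText $d 'DisplayString' } }
        $label = if ($d) { Get-ChildText $d 'Name' } else { Get-ChildText $o 'KeyName' }
        [pscustomobject]@{ Setting = $label; Value = $v }
    }
    foreach ($g in $Node.SelectNodes("*[local-name()='RestrictedGroups']")) {
        $members = @($g.SelectNodes("*[local-name()='Member']") | ForEach-Object { $_.InnerText }) -join ', '
        [pscustomobject]@{ Setting = "Restricted group: $(Get-ChildText $g 'GroupName')"; Value = "Members: $members" }
    }
}

# Flatten a whole report into one row per setting; unknown extension types stay visible
function ConvertFrom-GpoReport([xml]$Report) {
    $gpo  = Get-ChildText $Report.DocumentElement 'Name'
    $link = @($Report.DocumentElement.SelectNodes("*[local-name()='LinksTo']/*[local-name()='SOMPath']") | ForEach-Object { $_.InnerText }) -join '; '
    foreach ($e in Get-GpoExtension $Report) {
        $rows = switch ($e.Type) {
            'RegistrySettings' { ConvertFrom-RegistrySettings $e.Node }
            'SecuritySettings' { ConvertFrom-SecuritySettings $e.Node }
            default            { [pscustomobject]@{ Setting = '(no parser for this type yet)'; Value = '' } }
        }
        foreach ($r in $rows) {
            [pscustomobject]@{ GPO = $gpo; LinkedTo = $link; Scope = $e.Scope; Type = $e.Type; Setting = $r.Setting; Value = $r.Value }
        }
    }
}

ConvertFrom-GpoReport ([xml]$sampleReport) | Format-Table Scope, Type, Setting, Value -AutoSize
# Against real exports from the first step:
# Get-ChildItem $path -Filter *.xml | ForEach-Object { ConvertFrom-GpoReport ([xml](Get-Content $_.FullName)) } | Export-Csv gpo-settings.csv -NoTypeInformation
```

Matching child elements on local-name() instead of registering every q1, q2, ... prefix is deliberate: the prefixes are generated per report and per extension, so a parser that hard-codes them breaks on the next export. The default branch of the switch is what keeps a GPO type you have not written a parser for from silently disappearing from the documentation, which for a configuration record is the failure mode to avoid.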