Derek Newton

Information security insights and other ramblings

Quick Tip: Using PowerShell to generate a GPO report

by 10 Comments

Someone asked me today how to easily export a readable report of all GPOs applied to a system (they were performing a security audit and needed an easy to way to script this).  Of course, I immediately thought of PowerShell!  So, here’s how you can export a readable report of all GPOs applied to a system in question in PowerShell:

> Import-Module GroupPolicy
> Get-GPOReport -All -ReportType Html -Path AllGPOsReport.htm

Of course, you can also use Get-GPOReport to generate a report for a specific GPO and/or export as XML, if you prefer.

Comments

  1. Group Policy Cmdlet Prerequisites

    To use the Windows PowerShell cmdlets for Group Policy, you must be running one of the following:

    Windows Server 2008 R2 on a domain controller

    –or–

    Windows Server 2008 R2 on a member server that has the GPMC installed

    –or–

    Windows® 7 with Remote Server Administration Tools (RSAT) installed. (RSAT includes the GPMC and the Group Policy cmdlets)

    http://technet.microsoft.com/en-us/library/ee461027.aspx

    Reply

    • Thanks Jim – that’s a good non-PowerShell way to get a human readable GPO report as well (of course, all good things don’t come in a PowerShell package :)).

      Reply

  3. If you want the group policies exported to separate HTML files you can use the following command:

    Get-GPO -all | % { Get-GPOReport -GUID $_.id -ReportType HTML -Path “[PATH]\($_.displayName).html” }

    For example:
    Get-GPO -all | % { Get-GPOReport -GUID $_.id -ReportType HTML -Path “C:\report\($_.displayName).html” }

    Reply

    • small correction (variable expansion):

      If you want the group policies exported to separate HTML files you can use the following command:

      Get-GPO -all | % { Get-GPOReport -GUID $_.id -ReportType HTML -Path “[PATH]\$($_.displayName).html” }

      For example:
      Get-GPO -all | % { Get-GPOReport -GUID $_.id -ReportType HTML -Path “C:\report\$($_.displayName).html” }

      anyway, thanks for this usefull tip

      Reply

    • I think you are missing a $ sign after the second backslash in the path. Should be “C:\report\$($_.displayName).html”

      Reply

    • In my environment this example is correct:
      Get-GPO -all | % { Get-GPOReport -GUID $_.id -ReportType HTML -Path (‘C:\report\’+($_.displayName)+’.html’) }

      Reply

    • The above example wouldn’t work for me… the following did

      Get-GPO -all | % { Get-GPOReport -GUID $_.id -ReportType HTML -Path “C:\report\$($_.DisplayName).html” }

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.