Tuesday, October 5, 2010

GPO Scripts – Comparing 2 GPOs

Many times one needs to create very similar policies for different OUs in a domain, for example because of policy inheritance blocks. Then, no matter how many times you cross-check the settings between the two policies or how carefully you type in the values, you either forget a key value or spend so much time on the cross-checks that it doesn't seem worth the effort. :)
The following PowerShell script from the TechNet Script Center addresses that problem. The script takes five parameters:
-domain Your.domain.here
-server Which DC to use
-gponame GPO Name1, GPO Name 2
-folder Folder to contain output
-user or -computer (whether to compare the user portion or the computer portion of the GPO)
Note: for this script to work you need the Group Policy Management feature installed on your computer, since it provides the GroupPolicy module the script imports. Enjoy.
# -----------------------------------------------------------------------------
# Compare-GPO.ps1
# ed wilson, msft, 7/13/2010
# HSG-07-15-2010
# -----------------------------------------------------------------------------
#requires -version 2.0
# Script parameters. The enclosing Param( ... ) wrapper is not visible on this
# page; the trailing commas show these are entries of a parameter list, and the
# entry point below also reads $user and $computer, which are not listed here.
# The defaults are example values and must be overridden for a real domain.
[string]$domain ="nwtraders.com",          # AD domain that owns the two GPOs
[string]$server = "dc1.nwtraders.com",     # domain controller to query
[string]$gponame = "aTestOuGPO,AnotherTestOuGPO",  # two GPO names, comma-separated; split at the entry point
[string]$folder = "c:\fso",                # directory that receives the generated XML reports

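Function Get-MyModule
{
  # Ensure the module called $name is loaded in this session.
  # Returns $true when the module is already loaded or was imported here,
  # $false when it is not available on this machine or fails to import.
  # As printed, the import branch produced no output at all, so a caller
  # testing `-not (Get-MyModule ...)` treated a successful import as failure.
  Param([string]$name)

  if (Get-Module -Name $name)
  {
    return $true   # already loaded
  }

  if (Get-Module -ListAvailable | Where-Object { $_.Name -eq $name })
  {
    Try
    {
      # -ErrorAction Stop turns a failed import into a catchable error
      # instead of a non-terminating one that would be reported as success.
      Import-Module -Name $name -ErrorAction Stop
      return $true
    }
    Catch [System.Exception]
    {
      return $false   # present on disk but could not be imported
    }
  }

  return $false   # module not available
} #end function get-MyModule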

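Function Get-GPOAsXML
{
  # Export each GPO named in $gpoName as an XML report under $folder and
  # return the report paths in the same order, so the caller can compare
  # element [0] against element [1].
  # Fixes `[array]$gpoReports + $path`, which evaluated the concatenation and
  # discarded it, so the function always returned an empty result.
  Param([string[]]$gpoName, $server, $domain, $folder)

  # Fail early with a clear message rather than inside the report call.
  if (-not (Test-Path -Path $folder -PathType Container))
  {
    throw "Output folder '$folder' does not exist"
  }

  [array]$gpoReports = @()
  ForEach($gpo in $gpoName)
  {
    $path = Join-Path -Path $folder -ChildPath "$gpo.xml"
    # NOTE(review): the member invoked after the line continuation did not
    # survive on the page; GenerateReportToFile is the Gpo method that writes
    # a report to disk — confirm against the original Compare-GPO.ps1.
    (Get-GPO -Name $gpo -Domain $domain -Server $server).`
      GenerateReportToFile([Microsoft.GroupPolicy.ReportType]::Xml, $path)
    $gpoReports += $path
  }
  Return $gpoReports
} #end get-gpoasxml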

Function Compare-XMLGPO
# Purpose: load the two XML reports written by Get-GPOAsXML and emit a
# Compare-Object result for the Computer and/or User extension settings.
# NOTE(review): as printed on this page the function is not runnable — the
# opening brace, the if($computer)/if($user) guards that the "#end if computer"
# comment closes, and the `if` statements that pair with the `else` lines
# inside each Catch are missing. Compare with the original Compare-GPO.ps1
# before use.
Param([string[]]$gpoReports, $user, $computer)
# $gpoReports[0] is the reference report and $gpoReports[1] the difference
# report; with fewer than two paths the second index fails.
[xml]$xml1 = Get-Content -Path $gpoReports[0]
[xml]$xml2 = Get-Content -Path $gpoReports[1]
# Only each setting's name and state are projected; setting values are
# dropped at this point and never take part in the comparison.
$regpolicyComputerNodes1 = $xml1.gpo.Computer.extensiondata.extension.ChildNodes |
Select-Object name, state

$regpolicyComputerNodes2 = $xml2.gpo.Computer.extensiondata.extension.ChildNodes |
Select-Object name, state

$regpolicyUserNodes1 = $xml1.gpo.User.extensiondata.extension.ChildNodes |
Select-Object name, state
$regpolicyUserNodes2 = $xml2.gpo.User.extensiondata.extension.ChildNodes |
Select-Object name, state
# Computer side. -property name compares setting names only: two GPOs that
# configure the same setting with different values or states are reported as
# equal ("==" rows), so this is a presence check, not a value check.
Try {
"Comparing Computer GPO's $($gpoReports[0]) to $($gpoReports[1])`r`n"
Compare-Object -ReferenceObject $regpolicyComputerNodes1 `
-DifferenceObject $regpolicyComputerNodes2 -IncludeEqual `
-property name}
Catch [system.exception]
# Fallback when the comparison throws (presumably because one side holds no
# settings): print whatever each side contains. The `if` that each `else`
# below belongs to is not on the page. "`r`f" is a literal CR + form feed.
"Computer GPO $($gpoReports[0]) settings `r`f"
else { "Computer GPO $($gpoReports[0]) not set" }
"Computer GPO $($gpoReports[1]) settings `r`f"
else { "Computer GPO $($gpoReports[1]) not set"}
} #end catch
} #end if computer
# User side: same name-only comparison; -SyncWindow 5 bounds how many
# neighbouring objects Compare-Object inspects when looking for a match.
Try {
"Comparing User GPO's $($gpoReports[0]) to $($gpoReports[1])`r`n"
Compare-Object -ReferenceObject $regpolicyUserNodes1 `
-DifferenceObject $regpolicyUserNodes2 -SyncWindow 5 -IncludeEqual `
-property name}
Catch [system.exception]
# Same fallback as the Computer side; the paired `if` lines are missing here too.
"User GPO $($gpoReports[0]) settings `r`f"
else { "User GPO $($gpoReports[0]) not set" }
"User GPO $($gpoReports[1]) settings `r`f"
else { "User GPO $($gpoReports[1]) not set"}
} #end catch
} #end function compare-XMLGPO

# *** Entry Point to Script ***

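# Refuse to run without a scope, and exit non-zero so a wrapping script or a
# scheduled task can detect the failure (a bare `exit` returned status 0).
if(-not ($user -or $computer))
{
  Write-Error "Please specify either -computer or -user when running script"
  exit 1
}

# The GroupPolicy module ships with the Group Policy Management feature.
If(-not (Get-MyModule -name "GroupPolicy"))
{
  Write-Error "GroupPolicy module is not available; install the Group Policy Management feature"
  exit 1
}

# Names are comma-separated, so a GPO whose name itself contains a comma
# cannot be passed this way.
$gpoReports = Get-GpoAsXML -gponame $gponame.split(",") -server $server `
  -domain $domain -folder $folder

# Compare-XMLGPO indexes exactly two report paths ([0] and [1]).
if (@($gpoReports).Count -ne 2)
{
  Write-Error "Expected exactly two GPO names in -gponame, got $(@($gpoReports).Count)"
  exit 1
}

# The XML reports remain in $folder after the run and contain the full
# policy settings, so keep that folder restricted or remove them afterwards.
Compare-XMLGPO -gpoReports $gpoReports -user $user -computer $computer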
