One of the cool things about our GPO Compare product is its support for PowerShell. The product ships with a PowerShell cmdlet called Compare-SDMGPO that lets you compare live and backed-up GPOs, just like the GUI. We can use this capability to automate the comparison of live GPOs to baseline backups. For example, let's say you have a baseline template GPO backup from one of Microsoft's best practices security guides and you want to know if your live GPOs are deviating from that. You can very easily create a PowerShell script that checks the baseline backup against live GPOs. If you put this in a Scheduled Task to run periodically, and leverage the PowerShell Send-MailMessage cmdlet to notify you when changes are detected, you have a ready-made "early-warning system" for GPO changes against a baseline. Here's what a script like this would look like:

    $diff = (Compare-SDMGPO -BackupIDA "{A059FCE4-310F-4618-B8B9-F62053D4C464}" -LocationA "C:\data\gpbackups\Baseline" -GPONameB "Desktop Policy")
    if ($diff -ne $null) {Send-MailMessage -To gpochanges@cpandl.com -Subject "A GPO was changed from the baseline" -From admin@cpandl.com -Body $diff -SmtpServer "smtp.cpandl.com"}

The first line calls Compare-SDMGPO and compares a GPMC backup of a baseline GPO (indicated by the -BackupIDA and -LocationA parameters) to a live GPO called "Desktop Policy" that was created from the backup, and assigns the results of the comparison to the variable called $diff. In the second line, we test to see if $diff is not equal to null (meaning that there are differences). If we find it has differences, we call Send-MailMessage to send an email to a distribution list and we put the $diff object into the body of the email.
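
The scheduled, multi-GPO form of this check, as an added example that is not SDM Software's own code: it uses only the Compare-SDMGPO parameters shown above and also reports a failed comparison, so a missing backup or deleted GPO is not mistaken for "no change". The script name, the -Register switch, the task name and schedule, and the second GPO pair (with a placeholder backup ID) are assumptions.

```powershell
# Check-GpoBaseline.ps1 (hypothetical name). Run once with -Register to create the
# scheduled task; the task then runs this same script with no arguments.
param([switch]$Register)

if ($Register) {
    # Assumed schedule and task name. Run the task as an account that can only read
    # the GPOs and the backup folder; it does not need rights to edit policy.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At 6am
    Register-ScheduledTask -TaskName 'GPO Baseline Check' -Action $action -Trigger $trigger
    return
}

# Each entry pairs a baseline backup ID with the live GPO that should match it.
$location = 'C:\data\gpbackups\Baseline'
$pairs = @(
    @{ BackupId = '{A059FCE4-310F-4618-B8B9-F62053D4C464}'; Live = 'Desktop Policy' },
    @{ BackupId = '{00000000-0000-0000-0000-000000000000}'; Live = 'Server Policy' }  # placeholder pair
)

$report = foreach ($p in $pairs) {
    try {
        $diff = Compare-SDMGPO -BackupIDA $p.BackupId -LocationA $location `
                    -GPONameB $p.Live -ErrorAction Stop
        if ($null -ne $diff) {
            # Out-String renders the result object as text for the mail body.
            "=== $($p.Live) differs from its baseline ===`r`n" + ($diff | Out-String)
        }
    }
    catch {
        # A comparison that could not run is reported, not silently treated as a match.
        "=== $($p.Live): comparison failed: $($_.Exception.Message) ==="
    }
}

if ($report) {
    Send-MailMessage -To gpochanges@cpandl.com -From admin@cpandl.com `
        -Subject 'GPO baseline drift detected' -Body ($report -join "`r`n") `
        -SmtpServer 'smtp.cpandl.com'
}
```
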
Darren

About the Author:
Darren Mar-Elia is CTO & Founder of SDM Software, Inc. Darren has over 25 years of IT and Software experience in the Microsoft technology area, including serving as a Director in Infrastructure at Charles Schwab, CTO of Windows Management Solutions at Quest Software, and Sr. Director of Product Engineering at DesktopStandard. He has been a Microsoft MVP in Group Policy technology for the last 6 years and has written and spoken on Active Directory, Group Policy and PowerShell topics frequently over the years. He maintains the popular Group Policy resource web site at www.gpoguy.com and has been a contributing editor for Windows IT Pro Magazine since 1997. He has written and contributed to twelve books on Windows. Darren also speaks frequently at conferences on Windows infrastructure topics.