Comparing Group Policy (GPO) Settings from PowerShell

One of the cool things we added in the new version of GPO Compare 2.0 was support for a PowerShell interface. GPO Compare 2.0 is all about letting you compare GPO settings across two live or backed up GPOs. The PowerShell interface lets you perform these comparisons in bulk! The product ships with a cmdlet called Compare-SDMGPO which, in the simplest form, lets you do something like this:

Compare-SDMGPO -GPONameA "Default Domain Policy" -GPONameB "Default Domain Controllers Policy"

As the command implies, this compares the settings in the Default Domain Policy GPO with those in the Default Domain Controllers Policy GPO in the current domain. The output of the comparison is a custom object that contains the path to the setting, the value in GPO A, the value in GPO B and the type of difference the item represents (e.g. different between A & B, missing in A or missing in B). An example of the output is shown here:

Example output of a GPO Comparison in PowerShell

The cmdlet also provides other options, similar to the GUI. For example, you can pick different domains to compare GPOs against, you can compare both live and backup GPOs and you can alter the delimiter in the GPO path from the default “|” character to anything you choose. You can also choose to include or exclude (the default) metadata associated with the GPO. Metadata are things like links, security filters and GPO status.

The power of this cmdlet is in its ability to support bulk comparisons. For example, if you wanted to compare a large number of GPOs, it could be tedious to do that through the UI, but with PowerShell and Compare-SDMGPO, it's a snap. And, if you want to output your comparisons to CSV, PowerShell makes it easy, like so:

Compare-SDMGPO -GPONameA "Default Domain Policy" -GPONameB "Default Domain Controllers Policy" | Export-Csv c:\data\compare1.csv
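As an added example (not from the original post or the product documentation), the bulk case described above can be scripted as a drift check that compares every GPO in the domain against one baseline GPO. It uses only the -GPONameA and -GPONameB parameters shown on this page; the baseline choice, output folder and the extra ComparedGpo column are assumptions, and Compare-SDMGPO is assumed to be already available in the session.

```powershell
# Added example: compare every GPO in the current domain against one baseline
# and collect all differences in a single CSV for review.
# Assumptions (not from the original post): the baseline name, the output
# folder, and the extra 'ComparedGpo' column name.
Import-Module GroupPolicy   # Microsoft module that provides Get-GPO

$baseline = 'Default Domain Policy'
$outDir   = 'C:\data\gpo-compare'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$results = foreach ($gpo in Get-GPO -All | Sort-Object DisplayName) {
    # Comparing the baseline with itself adds nothing to the report.
    if ($gpo.DisplayName -eq $baseline) { continue }

    try {
        # Tag each difference with the GPO it came from, so rows from
        # different comparisons can be told apart in the combined CSV.
        Compare-SDMGPO -GPONameA $baseline -GPONameB $gpo.DisplayName -ErrorAction Stop |
            Select-Object @{ Name = 'ComparedGpo'; Expression = { $gpo.DisplayName } }, *
    }
    catch {
        # One unreadable GPO should not abort the whole run.
        Write-Warning "Comparison failed for '$($gpo.DisplayName)': $($_.Exception.Message)"
    }
}

if ($results) {
    # Timestamped file name keeps earlier runs for later comparison.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $csv   = Join-Path $outDir "baseline-diff-$stamp.csv"
    $results | Export-Csv -Path $csv -NoTypeInformation

    # Summary: how many settings differ from the baseline, per GPO.
    $results | Group-Object ComparedGpo |
        Sort-Object Count -Descending |
        Select-Object Name, Count
}
else {
    Write-Output "No differences found against '$baseline'."
}
```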

Gotta love when two great technologies–PowerShell and Group Policy–come together!

Darren


About the Author:

Darren Mar-Elia is CTO & Founder of SDM Software, Inc. Darren has over 25 years of IT and Software experience in the Microsoft technology area, including serving as a Director in Infrastructure at Charles Schwab, CTO of Windows Management Solutions at Quest Software, and Sr. Director of Product Engineering at DesktopStandard. He has been a Microsoft MVP in Group Policy technology for the last 6 years and has written and spoken on Active Directory, Group Policy and PowerShell topics frequently over the years. He maintains the popular Group Policy resource web site at www.gpoguy.com and has been a contributing editor for Windows IT Pro Magazine since 1997. He has written and contributed to twelve books on Windows. Darren also speaks frequently at conferences on Windows infrastructure topics.

Discussion

  1. Frank M. Whitman  April 8, 2011

    How is it that a 3 year old operating system from Microsoft is still not useable? For example, I have a Windows 2000 domain migrating to 2008R2. In Group Policy I have a long list of allowed programs users can use. Windows 2008R2 Group Policy editor can see them, but if I try to add another, the one addition replaces the entire long list.

    That’s Microsoft’s way of doing things. Write a buggy operating system and wait years and years to fix or not fix.

    Lately, it seems they don’t care at all anymore.
