Wouldn't it be great if you could just export all of your GPOs into a nice simple report rather than clicking through each individual policy within the management console? Well, there is a way! Read on for instructions on how to create this report.
Install Latest Version of PowerShell
If the system has winget, it's as simple as dropping to a command line and typing in:
winget install Microsoft.PowerShell
If the system does not have winget, you can download the latest version from here.
Install RSAT - Remote Server Administration Tools
RSAT is already included with Windows 10 1809 and greater as an optional feature. Instatllation instructions below:
For this particular exercise we need the following two components:
- RSAT: Active Directory Domain Services and Lightweight Directory Services Tools
- RSAT: Group Policy Management Tools
Connecting from a non-domain joined computer
If you are accessing the system from a domain joined computer as a Domain Admin, then feel free to skip this step. We need to be able to connect to launch a PowerShell window as a domain admin.
-
Execute the following command from a regular terminal window:
runas /user:domain\username 'C:\Program Files\PowerShell\7\pwsh.exe' -
Type in the password.
-
A new Powershell window should now open. Commands executed here will be using the domain context.
Create a Working Directory to Store Files
Create the following folders:
c:\work
c:\work\gpo_backup
Backup All GPOs
Execute the following command:
Backup-GPO -All -Path c:\work\gpo_backup
It would be a good idea to actually set this up on a weekly scheduled task and back up all of the GPO policies.
Create a GPO Report
Execute the following command:
Get-GPOReport -All -Domain "yourdomain.com" -Server "dc.yourdomain.com" -ReportType HTML -Path "c:\work\GPOreport.html"
Audit the GPOs
Now the fun part remains. Review the full HTML GPO report and start combing through each configuration and noting anything that needs further review.