
Create Active Directory Group Policy Reports with PowerShell. With the Get-GpoReport cmdlet, we can produce reports on Group Policy Objects (GPOs), ranging from straightforward text-based ones to fully fledged Hypertext Markup Language (HTML) reports. We can also automate report generation with PowerShell to save time and gain important information about our Active Directory (AD) environment. In this article, we'll go over how to import the PowerShell GPO module, export GPOs, and link GPOs to an Organizational Unit (OU), using them as examples of how these pieces work together to produce some top-notch reports.

Let's start with how to create Active Directory Group Policy reports with PowerShell.

Create AD Group Policy Reports (GPO) with PowerShell

Prerequisites

In this article, we'll go over a few different scenarios that involve creating and modifying existing GPOs. Make sure you have the following in place if you want to follow along with the examples:

  • The PowerShell module for Group Policy. On Windows 10, we get it by downloading and installing RSAT; on Windows Server, we can use the PowerShell command below:
				
					Install-WindowsFeature -Name GPMC
				
			
  • A computer member of the same AD domain from which we will query GPOs.
  • An AD-joined computer with a domain user account with rights to read GPOs.

Generating HTML Reports with Get-GpoReport

First of all, let's imagine we have a single GPO and want to view its settings by generating an HTML report. Get-GpoReport can locate a GPO in either of two ways and export it with PowerShell: we need either the name of the GPO or the GPO's Globally Unique Identifier (GUID).

Hence, you’ll need to utilize at least three parameters to create a detailed HTML report:

  • Name or Guid to locate the GPO.
  • ReportType parameter to specify the kind of report to generate. We can either choose between HTML or XML (Extensible Markup Language).
  • Path to specify where we would like the report saved to.

Suppose we have a GPO in our environment. If we know its name, we can set ReportType to HTML for an HTML report and give the path where we'd like the HTML file saved, as in this example.

				
					Get-GPOReport -Name 'Sample GPO' -ReportType 'HTML' -Path 'C:\Temp\SampleReport.html'
				
			

Alternatively, we could use the Guid parameter to find the GPO, but this takes an extra step, as the example below shows.

				
					$gponame = (Get-GPO -Name 'Sample GPO').Id
Get-GPOReport -Guid $gponame -ReportType 'HTML' -Path 'C:\Temp\SampleReport.html'
				
			

Once the report has been generated, we can view it in our preferred browser.

Generating HTML Reports For All GPOs

Alternatively, we may want to create a domain-wide report covering every GPO. In that situation, instead of using the Name or Guid parameter to designate a specific GPO, we use the All switch parameter to query every GPO in the domain.

				
					Get-GPOReport -All -ReportType Html -Path "C:\Temp\All-SampleReport.html"
				
			

When used in an AD environment, the Get-GPOReport cmdlet contacts the domain controller (DC) specified by the Server parameter to read GPOs. If no server is specified, the DC holding the PDC Emulator role is used by default.

Next up in how to create Active Directory Group Policy reports with PowerShell: generating XML reports.

Generating XML Reports with Get-GpoReport

Once we have imported the GPO module in PowerShell, Get-GPOReport can do more than export GPOs as HTML reports: it can also produce XML reports. To create an XML report for a specific GPO, we change the ReportType parameter's value from HTML to XML.

For example, below we query an existing GPO, Sample GPO, to produce an XML report. Then, we use the Invoke-Item command to open that report in the default app for XML files:

				
					Get-GPOReport -Name 'Sample GPO' -ReportType Xml -Path "C:\temp\SampleReport.xml"
Invoke-Item -Path "C:\Temp\SampleReport.xml"
				
			

When complete, we will see the XML file like the screenshot below.

Firstly, we notice that the GPO XML node contains everything. Inside it, we find things like Identifier (the GPO GUID), Name (the GPO name), Include Comments, Security Descriptor, SDDL and much more information.

GPO XML Report

Other than the format, what sets this XML report apart from HTML? Basically, the attributes seen in the HTML report are also present in the XML report. But they are more structured and straightforward to parse.

  • VersionDirectory – Version of the GPO stored in the AD database.
  • VersionSysvol – Version of the GPO stored in SYSVOL.
  • Enabled – If disabled, the GPO processing engine on the client computer will not apply the settings in the corresponding part of the policy.

Importantly, the policy version (computer or user) increases when we modify a GPO. The Group Policy processing engine can therefore determine when a policy has changed and new settings need to be applied. This behaviour also allows us to run gpupdate.exe after changing a GPO without using the /force switch.


GPMC

We may view the GPO version (for AD and SYSVOL) and its state in the GPMC.

In addition, the client computer will still process a policy when VersionDirectory and VersionSysvol have a value of 0 but Enabled is true. Setting Enabled to false tells the processing engine that it does not need to process the relevant portion of the GPO. On a fast computer on a relatively short network, changing this setting won't affect performance much. Even so, across many such GPOs it can still save valuable seconds, especially for older machines on slower networks.

Conversely, the processing engine on the client machine will not apply a policy whose VersionDirectory and VersionSysvol are higher than 0 but whose Enabled value is false. When we find ourselves asking why some settings do not apply, it is essential to investigate whether this state is an accident or on purpose.

Suppose that we are familiar with the internal workings of the GPO. In that case, we may use the Get-GPOReport command to check these settings directly by referencing a property rather than navigating to the GPMC.

Alternatively, we may want to focus on only a few settings in a GPO, or we may eventually want to attach a GPO to an OU using PowerShell; in either case we do not need to create a report file.

  1. Remove the Path parameter in that situation. Take note of the [xml] cast and the absence of a Path parameter in the example below.
				
					[xml]$GpoXml = Get-GPOReport -Name 'Sample GPO' -ReportType Xml
				
			

  2. Now that we have converted Get-GPOReport's output into an XML object, we can quickly reference its many properties using a brief dot notation.

				
					$GpoXml.GPO.Computer
$GpoXml.GPO.User
				
			

  3. Add a foreach loop and use the All parameter of Get-GPO to go through every GPO and read its report.

				
# Retrieve every GPO in the domain
$AllGpos = Get-GPO -All
# Read each GPO's XML report and keep its name and computer-side AD version
$GpoVersionInfo = foreach ($gpo in $AllGpos) {
    [xml]$g = Get-GPOReport -ReportType Xml -Guid $gpo.Id
    [PSCustomObject]@{
        "Name" = $g.GPO.Name
        "Comp-Ad" = $g.GPO.Computer.VersionDirectory
    }
}
$GpoVersionInfo | Sort-Object Name | Format-Table
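
The two states described earlier (a section that is enabled at version 0, and a section with a version above 0 that is disabled) can be flagged for every report in one pass. The following is an added example, not code from the original article: Get-GpoSectionFinding and New-SampleReport are hypothetical helper names, the sample reports are constructed, and the AD/SYSVOL mismatch check goes beyond what the article describes.

```powershell
# Added example: both functions are hypothetical helpers, not GroupPolicy cmdlets.
function Get-GpoSectionFinding {
    param([Parameter(Mandatory)][xml]$Report)
    foreach ($section in 'Computer', 'User') {
        $node = $Report.GPO.$section
        if (-not $node) { continue }
        $ad      = [int]$node.VersionDirectory
        $sysvol  = [int]$node.VersionSysvol
        $enabled = $node.Enabled -eq 'true'
        # First matching condition wins; a healthy section leaves $finding empty.
        $finding = if ($ad -ne $sysvol) {
            'AD and SYSVOL versions differ'
        } elseif ($enabled -and $ad -eq 0) {
            'Enabled at version 0: still processed, nothing to apply'
        } elseif (-not $enabled -and $ad -gt 0) {
            'Version above 0 but disabled: settings are not applied'
        }
        if ($finding) {
            [PSCustomObject]@{
                Name = $Report.GPO.Name; Section = $section; AD = $ad
                Sysvol = $sysvol; Enabled = $enabled; Finding = $finding
            }
        }
    }
}

# Builds a constructed report holding only the elements the check reads.
function New-SampleReport($Name, $Computer, $User) {
    $fmt = '<{0}><VersionDirectory>{1}</VersionDirectory>' +
           '<VersionSysvol>{2}</VersionSysvol><Enabled>{3}</Enabled></{0}>'
    $c = $fmt -f 'Computer', $Computer[0], $Computer[1], $Computer[2]
    $u = $fmt -f 'User', $User[0], $User[1], $User[2]
    "<GPO><Name>$Name</Name>$c$u</GPO>"
}

$samples = @(
    New-SampleReport 'Constructed-Healthy'      (4, 4, 'true')  (2, 2, 'true')
    New-SampleReport 'Constructed-EmptyUser'    (3, 3, 'true')  (0, 0, 'true')
    New-SampleReport 'Constructed-DisabledComp' (7, 7, 'false') (0, 0, 'false')
    New-SampleReport 'Constructed-OutOfSync'    (5, 4, 'true')  (1, 1, 'true')
)
$samples | ForEach-Object { Get-GpoSectionFinding -Report ([xml]$_) } |
    Format-Table -AutoSize

# Against a live domain (GroupPolicy module required), feed real reports instead:
# Get-GPO -All | ForEach-Object {
#     Get-GpoSectionFinding -Report ([xml](Get-GPOReport -Guid $_.Id -ReportType Xml)) }
```

With the constructed samples, three rows are reported: the User section of Constructed-EmptyUser, the Computer section of Constructed-DisabledComp, and the Computer section of Constructed-OutOfSync.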
				
			

Parsing XML GPO Reports

We can learn about many aspects of our GPOs from the XML output that Get-GPOReport produces. If we look at the $GpoXml.GPO.Computer and $GpoXml.GPO.User properties from the previous example, we will see an ExtensionData property, as shown below.

As shown below, we can start building our own reports from the XML data by accessing these XML nodes in PowerShell.

				
					$PolicyDetails = foreach ($policy in $GpoXml.GPO.User.ExtensionData.Extension.Policy) {
    [PSCustomObject]@{
        "Name" = $policy.Name
        "State" = $policy.State
    }
}

$PolicyDetails
				
			

Thank you for reading our article on how to create Active Directory Group Policy reports with PowerShell. Let's conclude.

Create Active Directory Group Policy Reports with PowerShell Conclusion

Aside from the native Group Policy Management Console (GPMC), this article discussed ways to generate comprehensive reports on Group Policies by exporting them in HTML and XML formats. We also discussed the Get-GpoReport cmdlet. This cmdlet can now retrieve the same information as the GPMC via PowerShell. This allows us to query many GPOs simultaneously, which will surely help build excellent reports.

Andrew Fitzgerald


Cloud Solution Architect. Helping customers transform their IT Infrastructure, Cloud deployments and Security. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud and Active Directory.
