Does anyone know of a GPO comparison tool, preferably free (or cheap)?

I need to compare settings from two GPOs to see what's missing in the target GPO.

edit: just to clarify, I need a tool which can compare the settings for me. I can do it manually, but it is cumbersome and also has the potential for me making mistakes.


Use Group Policy Management Console to save the GPOs as XML files, open them in Notepad++ and press Alt-D to compare the files.


You can use two instances of the Group Policy Management Console and go to the "settings" tab while having the GPOs to compare selected. Click the "show all" to show all the applied settings.


Use the SCM v2 GPO import function to import the GPOs as baselines. You can then use the compare tool to show settings differences. V2 is in CTP right now but seems to work just fine so far. Here is the link to the blog post and download.


Another alternative (if you're just attempting to compare registry entries within the GPOs) is using PowerShell. The particular way shown below worked for my environment, but may be able to be utilized/modified to work within yours.

  • This way assumes you are comparing similar GPOs from two different domains, and you have a trust configured between the two domains to be able to perform the backup from within one of them.
  • This way also assumes you don't have the registry entries organized into collection items within the GPO. You'll need to move all the registry entries into the root in order to make this work.
  • PowerShell 5.1
  1. Create backups of each GPO within the directory structures you created

```powershell
$farms = 'AppFarm1','AppFarm2'

foreach ($farm in $farms) {
    Backup-Gpo -Domain qa01domain -Name "$farm Settings" -Path "C:\GpoBackupsDiff\qa01\farms\$farm"
    Backup-Gpo -Domain qa02domain -Name "$farm Settings" -Path "C:\GpoBackupsDiff\qa02\farms\$farm"
}
```
  2. This could be looped as well, but if you just want to do each GPO diff one-by-one then use the logic as-is

```powershell
$farm = 'AppFarm1'

# Obtains the GUID of the qa01 backup by using the folder name (must only have one backup in the folder)
[string]$qa01GUID = (Get-ChildItem C:\GpoBackupsDiff\qa01\farms\$farm).Name | Select-String -Pattern "{"

# Extracts the registry entries from the GPO backup into a PowerShell XML object
# (reads from the same per-farm folder that Backup-Gpo wrote to in step 1)
[xml]$qa01gpo = Get-Content -Path "C:\GpoBackupsDiff\qa01\farms\$farm\$qa01GUID\DomainSysvol\GPO\Machine\Preferences\Registry\registry.xml"

# Obtains an object of each registry entry
$qa01gpoCompare = $qa01gpo.RegistrySettings.Registry.Properties

# Obtains the GUID of the qa02 backup by using the folder name (must only have one backup in the folder)
[string]$qa02GUID = (Get-ChildItem C:\GpoBackupsDiff\qa02\farms\$farm).Name | Select-String -Pattern "{"

# Extracts the registry entries from the GPO backup into a PowerShell XML object
[xml]$qa02gpo = Get-Content -Path "C:\GpoBackupsDiff\qa02\farms\$farm\$qa02GUID\DomainSysvol\GPO\Machine\Preferences\Registry\registry.xml"

# Obtains an object of each registry entry
$qa02gpoCompare = $qa02gpo.RegistrySettings.Registry.Properties

# Compares the registry entries against each other. Google the MS docs for Compare-Object for details on how it works if you're new to it.
Compare-Object -ReferenceObject $qa01gpoCompare -DifferenceObject $qa02gpoCompare
```
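
The following added example, which is not part of the answer above, compares two Registry preference files by hive, key and value name, and also reads entries nested inside collection items, so nothing has to be moved to the root first. The two XML documents are constructed sample data, and the function names `Get-RegistryItemTable` and `Compare-RegistryItem` are hypothetical.

```powershell
# Constructed sample data: two small Registry preference files (not from a real GPO).
[xml]$sampleReference = @'
<RegistrySettings>
  <Registry name="MaxThreads">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Contoso\App" name="MaxThreads" type="REG_DWORD" value="00000008"/>
  </Registry>
  <Collection name="Logging">
    <Registry name="LogLevel">
      <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Contoso\App" name="LogLevel" type="REG_SZ" value="Warn"/>
    </Registry>
  </Collection>
</RegistrySettings>
'@
[xml]$sampleTarget = @'
<RegistrySettings>
  <Registry name="LogLevel">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Contoso\App" name="LogLevel" type="REG_SZ" value="Debug"/>
  </Registry>
</RegistrySettings>
'@

# Hypothetical helper: maps "hive\key\name" to "action type value" for every entry.
function Get-RegistryItemTable {
    param([xml]$Xml)
    $table = @{}   # PowerShell hashtable literals are case-insensitive, like registry paths
    # '//Registry/Properties' also matches entries nested inside <Collection> elements
    foreach ($node in $Xml.SelectNodes('//Registry/Properties')) {
        $id = '{0}\{1}\{2}' -f $node.hive, $node.key, $node.name
        $table[$id] = '{0} {1} {2}' -f $node.action, $node.type, $node.value
    }
    $table
}

# Hypothetical helper: reports entries that are missing, extra or different in the target.
function Compare-RegistryItem {
    param([xml]$Reference, [xml]$Target)
    $ref = Get-RegistryItemTable $Reference
    $tgt = Get-RegistryItemTable $Target
    foreach ($id in (@($ref.Keys) + @($tgt.Keys) | Sort-Object -Unique)) {
        $status = $null
        if (-not $tgt.ContainsKey($id)) { $status = 'MissingInTarget' }
        elseif (-not $ref.ContainsKey($id)) { $status = 'OnlyInTarget' }
        elseif ($ref[$id] -ne $tgt[$id]) { $status = 'Different' }
        if ($status) {
            [pscustomobject]@{ Status = $status; Setting = $id; Reference = $ref[$id]; Target = $tgt[$id] }
        }
    }
}
Compare-RegistryItem -Reference $sampleReference -Target $sampleTarget | Format-Table -AutoSize
```

To run it against real backups, load each `registry.xml` with `[xml](Get-Content -Path ...)` and pass the two documents in place of the sample variables.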