If you’ve ever worked with Group Policy, you know that the Group Policy Management Console (GPMC) hasn’t changed very much since it was introduced in Windows 2000 way back in 1999. One critical feature that has been missing since day one is the ability to search through Group Policies to find the settings you’re looking for.
Today we had a client ask us to go through all of their GPOs to locate anything that was controlling their biometrics settings in Windows Hello. This is a daunting task because even this small client had 100 GPOs, and you can’t simply look at the name of a GPO to know what it does because the GPO name is just a text field you can type anything into.
As such, our crackerjack scriptwriter Khalid Adulhani and I developed the following script to search through all GPOs for specific entries.
In our case we were looking for anything to do with biometrics, so we searched all the GPOs for “Biometrics”. However, you can change that search string to anything. For instance, if you are looking for a GPO with a setting related to a font you might search for the word “Font”, or if you wanted to know which group policies relate to printers you might search for the word “Printer”.
# By Khalid Abulhani and Ian Matthews of www.URTech.ca - Nov 2024
# Text String to Search For
$string = "Biometrics"
# Which Domain Are You On
$DomainName = $env:USERDNSDOMAIN
# Find All GPOs in this Domain
Write-Host "Finding all the GPOs in $DomainName"
Import-Module GroupPolicy
$allGposInDomain = Get-GPO -All -Domain $DomainName
# Sort GPOs Alphabetically by DisplayName
$sortedGpos = $allGposInDomain | Sort-Object DisplayName
# Look Through Each GPO's XML for the Text String and Output a Line to the Screen For Each So You Know What is Going On
Write-Host "Starting search..."
$counter = 1
foreach ($gpo in $sortedGpos) {
    # Query the same domain the GPO list came from
    $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $DomainName
    # -match is a regex operator; escape the string so characters such as . ( ) or \ are matched literally
    if ($report -match [regex]::Escape($string)) {
        Write-Host "********** Match found in: $counter. $($gpo.DisplayName) **********" -ForegroundColor Green
    } else {
        Write-Host "$counter. No match in: $($gpo.DisplayName)"
    }
    $counter++
}
As you can see in our search, we found the 31st GPO contained something relating to the text we searched for.
We were then able to open and edit that GPO and report to the client what settings it had.
This script not only saved us hours of time but no doubt did a better job than we would do manually. Searching Group Policies for a specific setting is tedious at best and this script will now be used frequently by our techs.
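The script above reports which GPO matched, but the match can come from anywhere in the report, including the GPO's own name. As an added example (not the authors' script), the variant below parses each report as XML and lists the individual Computer or User fields that contain the string, so the GPO does not have to be opened to see what matched. The output column names and the sibling `State` lookup are assumptions of this example.

```powershell
# Added example (not the authors' script). Needs the GroupPolicy module (GPMC / RSAT).
Import-Module GroupPolicy

$string     = "Biometrics"           # literal text, matched case-insensitively
$DomainName = $env:USERDNSDOMAIN

$hits = foreach ($gpo in (Get-GPO -All -Domain $DomainName | Sort-Object DisplayName)) {
    # Cast to [xml] so individual nodes can be inspected instead of one big string
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $DomainName

    foreach ($section in 'Computer', 'User') {
        # Leaf elements and attributes under this half of the GPO; local-name()
        # sidesteps the per-extension XML namespaces used in the report
        $base  = "/*/*[local-name()='$section']"
        $nodes = $report.SelectNodes("$base//*[not(*)] | $base//@*")

        foreach ($node in $nodes) {
            $text = [string]$node.InnerText
            if ($text.IndexOf($string, [StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }

            # An attribute's container is OwnerElement; an element's is ParentNode
            $owner = if ($node -is [System.Xml.XmlAttribute]) { $node.OwnerElement } else { $node.ParentNode }
            # Assumption: Administrative Template policies carry a sibling <State> element
            $state = $owner.SelectSingleNode("*[local-name()='State']")

            [pscustomobject]@{
                GPO       = $gpo.DisplayName
                GpoStatus = $gpo.GpoStatus     # AllSettingsDisabled means the hit is inert
                Section   = $section
                Container = $owner.LocalName
                Field     = $node.LocalName
                State     = if ($state) { $state.InnerText } else { $null }
                Text      = if ($text.Length -gt 80) { $text.Substring(0, 80) + '...' } else { $text }
            }
        }
    }
}

$hits | Format-Table -AutoSize -Wrap
```

A single policy can produce several rows, for example when both its name and its explanatory text contain the search string.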
2 Comments
Dan · November 6, 2024 at 11:00 am
Thank you very much for providing this script.
Saved me a huge amount of time.
Ian Matthews · November 7, 2024 at 6:52 pm
Yes, we have been struggling to search GPOs for years and our man Khalid came up with most of the script. We LOVE him!
Thanks for the kind words Dan 🙂