Udostępnij za pośrednictwem


PowerShell: Retrieve Group Policy details for Remote Computer

 

There are multiple scenarios as a part of AD management where we need to retrieve Group Policy information for managed computers. There are generally two methods to get the information.

Method 1:

Most common method is to use gpresult.exe command which is detailed in this technet article. This works well only if that User executing the command has logged-in once at-least in the target computer. Else it throws below error.

The user does not have RSOP Data

Method 2:

Method 2 is to use Get-GPResultantSetOfPolicy PowerShell command-let which is detailed here. This command also works similar to Method 1 and requires User to login at-least once.

Using Method 1 and Method 2, even if we want the group policy information only for the computer irrespective of user, it is not possible without the user logged in at-least once as the command retrieves resulting set of policies that are enforced for specified user on the target computer.

 

Solution:

To overcome these issues, using Group Policy Management COM Object which is the base for gpresult.exe and Get-ResultantSetOfPolicy PS command-let serves better. We can use the COM object in VB or PS scripting. Here we will discuss about using it in PS Scripting.

#Initialize Variables

$OutputFile = “C:\Temp\GPOExport.html”

$ComputerName = “test.contoso.com”

$UserName = “john”

The first thing we do is create an instance of the GPMgmt.GPM object. We can use this object if the Group Policy Management Console is installed in the computer.

$gpm = New-Object -ComObject GPMgmt.GPM

Next step is to obtain all constants and save it in a variable.

$constants = $gpm.GetConstants()

Now create reference RSOP object using required constants.

$gpmRSOP = $GPM.GetRSOP($Constants.RSOPModeLogging,$null,0)

Next step is to specify Target Computer and User.

$gpmRSOP.LoggingComputer = $ComputerName

$gpmRSOP.LoggingUser = $UserName

Note: If we need the RSOP data for only Computer without considering User imposed Group Policy data, we need to use “RsopLoggingNoUser” constant value instead of $gpmRSOP.LoggingUser.

$gpmRSOP.LoggingFlags = $Constants.RsopLoggingNoUser

Next step is to query the target computer for RSOP GPO data.

$gpmRSOP.CreateQueryResults()

To export data to a output file below command is used.

HTML:

$gpmRSOP.GenerateReportToFile($constants.ReportHTML,$outputfile)

XML:

$gpmRSOP.GenerateReportToFile($constants.ReportXML,$outputfile)

Thus using GPMgmt.GPM COM object, we can obtain Resulting Set of Group Policies for Target Computer with or without considering the User and also without requirement of user logging at-least once.

 

Happy Scripting :-)

Comments

  • Anonymous
    September 23, 2015
    Nice! I haven't tried this yet but will give it a shot in my lab.
    Thanks for the post.
  • Anonymous
    September 23, 2015
    thanks
    very cool
  • Anonymous
    December 14, 2016
    Cool stuff! I was asked for a report of GPOs for all the computers of our domain (more than 2.000. Yes, I know...), so I modified the script to get all the computers, and loop through them with a foreach.The only problem is (I think) it's creating too many RPC connections, and at some point, after some more than 200 reports, it's not able to create any report else. Even my RDP session to the server executing the task gets closed! I'm trying to find a way to close the connections. Will report back. But any help will be appreciated!
    • Anonymous
      December 14, 2016
      Ok, I've partially solved it: there's a method for the RSOP object called ReleaseQueryResults that is helping. Still, at some point my RDP session was disconnected, and I haven't succeed in connecting again. I've connected to the server via console (it's a VM), and the script is still running, although from time to time creating the XML file fails...Forget that: while I was writing this, my session has been terminated on the console, and I was able to connect via RDP again, to find my session was, yeah, terminated.