Udostępnij za pośrednictwem


New tool: Policy Analyzer

Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies, and can highlight the differences between versions or sets of Group Policies. It can also compare GPOs against current local policy settings and against local registry settings. And you can export its findings to a Microsoft Excel spreadsheet.

Policy Analyzer lets you treat a set of GPOs as a single unit.  This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values.  It also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.

For example, the US Government Configuration Baseline (USGCB) for Windows 7 includes seven different GPOs.  Policy Analyzer can treat them as a single set, and show all the differences between them and the Microsoft recommended baselines for Windows 10 and Internet Explorer 11 with a single comparison.  You can also use it to verify changes that were made to your production GPOs.

The following screenshot shows two baselines compared with each other and to corresponding registry values on the local system. The lower pane displays the Group Policy setting, location, and other information associated with the selected row. Conflicting settings are highlighted in yellow; absent settings are shown as a grey cell. Policy Analyzer also offers options to display only rows containing conflicts or other differences.

The following screenshot shows Policy Analyzer’s Excel output. Policy Analyzer sorts results primarily by the Group Policy path and setting name columns, which are the leftmost columns.

Policy Analyzer is a lightweight standalone application that doesn’t require installation, and doesn’t require administrative rights (except for the “local policy” feature).

The downloadable attachment to this blog post contains Policy Analyzer, its full documentation and sample GPO sets taken from the Microsoft security configuration baselines.

[Updated 3 February 2016: download now includes representations of all Windows, IE, and Office GPOs published in the Security Compliance Manager.]

[Update: the latest version of Policy Analyzer is here.]

Comments

  • Anonymous
    January 23, 2016
    Thanks for your contribution!

  • Anonymous
    January 25, 2016
    Making life simpler, i love it! Good work :)

  • Anonymous
    January 25, 2016
    Is there a way to use this with a Group Policy Central Store? I've tried directly adding the GPO's from the store, and backing up gpo's and adding them from the backup and I keep getting an unhandled exception looking for different .adml or admx files. I can get past this if I go find a copy of the missing file and copy it to my local machine that is running this tool. I'm stuck looking for a copy of healthservice.adml. Is there any way to make it go forward without these .admx and .adml files it is looking for? Thanks! [Aaron Margosis] No, this version looks only in %windir%PolicyDefinitions for ADMX files and %windir%PolicyDefinitionsen-us for ADML files. And it looks like if there's an ADMX without the corresponding ADML you get an unhandled exception. That's a bug. PolicyAnalyzer should handle it more gracefully, but the workaround is to make sure that you have the corresponding ADML file in the en-us directory.

  • Anonymous
    January 25, 2016
    Aaron, are there plans for a version which scans a Group Policy central store? Microsoft says that it's best practice to use one, and many people out there are following that recommendation, myself included. [Aaron Margosis] It's on the list of potential features, but not currently at the top of the priority list, particularly since it's easy enough just to copy ADMX/ADML files to some local machine for analysis. E.g., I think covering GPP might be more valuable.

  • Anonymous
    January 27, 2016
    The comment has been removed

    • Anonymous
      July 12, 2016
      Thanks heaps. this does work. no more stupid warning messages!
  • Anonymous
    January 27, 2016
    Thanks for the tool. Attempting to export on my machine results in a error: "Unable to set the FreezePanes property of the Window Class". Any ideas? [Aaron Margosis] What version of Office/Excel are you using?

  • Anonymous
    January 28, 2016
    Perfect. Thanks for sharing.

  • Anonymous
    January 28, 2016
    Hmmm, does Policy Analyzer run on Win Server 2008 R2, too? If I click 'View/Compare' I get an exception error. If you want I can send the 'Details'. [Aaron Margosis] Yes, please send details either through the "Email blog author" link or in a comment. The main one seems to be an ADMX file in the PolicyDefinitions directory not having a matching ADML file in the EN-US subdirectory.

  • Anonymous
    January 28, 2016
    I am getting the following error. I am using Excel 2010. [Aaron Margosis] In the current implementation, every ADMX file in the %windir%PolicyDefinitions directory has to have a corresponding ADML file in the EN-US subdirectory.

    --- + --- + ---
    Informationen über das Aufrufen von JIT-Debuggen
    anstelle dieses Dialogfelds finden Sie am Ende dieser Meldung.

    ************** Ausnahmetext **************
    System.IO.FileNotFoundException: Die Datei "C:WindowsPolicyDefinitionsen-usActiveXInstallService.adml" konnte nicht gefunden werden.
    Dateiname: 'C:WindowsPolicyDefinitionsen-usActiveXInstallService.adml'
    bei System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
    bei System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
    bei System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
    bei System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize)
    bei System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
    bei System.Xml.XmlTextReaderImpl.OpenUrlDelegate(Object xmlResolver)
    bei System.Threading.CompressedStack.runTryCode(Object userData)
    bei System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
    bei System.Threading.CompressedStack.Run(CompressedStack compressedStack, ContextCallback callback, Object state)
    bei System.Xml.XmlTextReaderImpl.OpenUrl()
    bei System.Xml.XmlTextReaderImpl.Read()
    bei System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace)
    bei System.Xml.XmlDocument.Load(XmlReader reader)
    bei System.Xml.XmlDocument.Load(String filename)
    bei GPLookup.GPLookup_t.XDocAndNSMgr..ctor(String filename, String defNamespace)
    bei GPLookup.GPLookup_t.Initialize(String sLanguage)
    bei PolicyAnalyzer.PolicyViewer3.RowData_t.InitPolicyConfigAndPath()
    bei PolicyAnalyzer.PolicyViewer3.LoadData(NameAndPolicies_t[] nameAndPolicies)
    bei PolicyAnalyzer.PolicyViewer3..ctor(NameAndPolicies_t[] nameAndPolicies, GPLookup_t gpLookup)
    bei PolicyAnalyzer.PolicyAnalyzerMain2.btnCompare3_Click(Object sender, EventArgs e)
    bei System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
    bei System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
    bei System.Windows.Forms.Control.WndProc(Message& m)
    bei System.Windows.Forms.ButtonBase.WndProc(Message& m)
    bei System.Windows.Forms.Button.WndProc(Message& m)
    bei System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

    to be continued

  • Anonymous
    January 28, 2016
    Is there any chance that I can export this to a CSV or save directly to a file? I don't have Microsoft Office installed on my management machine, and it seems my only option is to directly export it to Microsoft Excel 2007 or newer. [Aaron Margosis] Not in the current version. If you copy the .PolicyRules file to another computer that has Excel and that has all the ADMX and ADML files in the PolicyDefinitions/en-us directories, and run Policy Analyzer there, you can get everything except for "Compare local registry" data. CSV output would lose the formatting that you can get with direct Excel export.

  • Anonymous
    January 28, 2016
    Justin Purdy. I'm getting the same error. 'Could not find file 'C:WindowsPolicyDefinitionsen-usHealthService.adml'.
    Using Win7 Ent 64-bit SP1. [Aaron Margosis] OK, I've heard this a few times now but haven't seen it myself. Are you seeing HealthService.adml in a different subdirectory?

  • Anonymous
    January 28, 2016
    LOVE this!!! This will save us SO much time. Thank you.

  • Anonymous
    January 29, 2016
    @echo off
    for /f %%G in ('dir /b %windir%PolicyDefinitions*.admx') do if not exist "%windir%PolicyDefinitionsen-us%%~nG.adml" echo %%G

  • Anonymous
    January 29, 2016
    The HealthService.adml file is in the en directory - not the en-us directory. [Aaron Margosis] For now, copy it into the EN-US subdirectory. If I get to make an updated version, I'll change the ADML search logic so that it can also look for an EN subdirectory, as well as look for ADML files in the PolicyDefinitions directory itself (according to Process Monitor that's what the GP editor does). I'll also make a missing ADML file a warning for that particular ADMX rather than stop processing.

  • Anonymous
    January 29, 2016
    Aaron this is a fantastic utility. Thank you for your work.

  • Anonymous
    January 29, 2016
    Thanks for this. Very useful. Also useful is the way you have responded to the questions about your tool. Well done!

  • Anonymous
    January 30, 2016
    Hello, thanks very much! Is there a way to automate the import proces? Like building a CSV or XML file with list of policies and their names and only select them and compare?
    Regards. [Aaron Margosis] Well, kind of! It's not intended to be used this way, is unsupported, and some future update might change the implementation, but the PolicyRulesFileBuilder.exe is the helper process that is passed the files to process and the target .PolicyRules file to build. PolicyRulesFileBuilder.exe takes two parameters: the path to an existing tab-delimited-text file, and the path to the target file. The tab-delimited CSV contains one row for each file to process. Each row contains three columns in this order: policy type (Computer, User, Sec Template, or Audit Policy - taken from the Policy Type column of the Importer dialog); policy name (taken from the first column of the Importer dialog); and the full path to the file to parse, without quotes. Example: PolicyRulesFileBuilder.exe .test.csv .test.PolicyRules Good luck!

  • Anonymous
    February 02, 2016
    A bit of a wishfull thinking, it would be cool if you could incorporate GPP as well, i'm not sure how or in what way that would fly but it would be a needed addition :) Thanks for the efforts with this tool, it's really great!

  • Anonymous
    February 04, 2016
    Glad to see this, Aaron. Thanks for helping fill the gap of SCM being deprecated. Glad to have something like this to which I can direct my customer's. Nice to have the USGCB, STIG, etc. stuff readily available like that for comparison.

  • Anonymous
    February 09, 2016
    Thank you for this tool. But I cannot run it on a Windows 7-64bit (GERMAN). The error message is: "System.IO.FileNotFoundException: Die Datei "C:WindowsPolicyDefinitionsen-usActiveXInstallService.adml" konnte nicht gefunden werden.
    Dateiname: 'C:WindowsPolicyDefinitionsen-usActiveXInstallService.adml'

    What can i do? [Aaron Margosis] Email me through the Email Blog Author link on this blog. I'll try to work with you on a version that supports internationalization. Thanks.

  • Anonymous
    February 15, 2016
    Hello Aaron, thanks for your tool. Is there any way to use your tool with powershell commands? because i'm looking for a way to automate the "policy file importer" and the rules comparaison by using powershell. Thanks in advance for your answer [Aaron Margosis] See Patrik's comment from Jan 30 2016 and my response there.

  • Anonymous
    February 23, 2016
    First off ... Great Utility!

    Would you entertain the idea of keeping the [Registry Values] section of the Security Templates separate from the HKLM Policy Type? The utility does not identify if the setting is contained in the registry.pol or the GptTmpl.inf file.

    Thanks again. [Aaron Margosis] Policy Analyzer canonicalizes data so that if you have something set in [Registry Values] that hits the same location as something in a registry.pol, it can report the duplication or conflict. To see the source of a setting, enable "Show GPO names and files in Details pane" in the Options dropdown.

  • Anonymous
    March 01, 2016
    Seems you're getting a lot of problems with people on non-US versions of Windows. Surely the solution is to pick the ADML search path based on the current culture's shortcode? [Aaron Margosis] Yes, something like that, but I'd need to test before publishing. I don't have any non-English installs to test on.

  • Anonymous
    March 01, 2016
    When I export to Excel, I don't see the GPO source names, as in the GUI? Am I missing where they are exported to, or is this not exported to Excel at all? [Aaron Margosis] No, you're correct. Current version doesn't have it in there. Do you think it's important to add, maybe as a third export option?

    • Anonymous
      December 14, 2016
      Quickly chiming in-- adding the GPO source names would be very helpful to me, personally. Thanks for all your work![Aaron Margosis] See whether the v3.1 pre-release helps.
  • Anonymous
    March 02, 2016
    Thanks for the response Aaron. I think it would be valuable to add, so that analysis can continue within the Excel output, rather than having to jump back to the tool & cross-reference the 2nd window pane where that information is available. For example, I am comparing three group policies with some similar, overlapping settings. It is nice when I see the different values for these settings to know which GPO they are coming from solely within Excel. Thanks for the great tool!

    Also, when I select "Show Differences" - it just shows Conflicts - which, I suppose could be defined as "Differences" as well. I was expecting "Show Differences" to filter out the similarities between the GPOs, and show me only the settings (& values) that are different between them? So if two GPOs set the screen saver to enabled, and only one set the hard drive to turn off after 30 minutes, I'd expect "Show Differences" to show that the hard drive setting, as well as any conflicts? Hopefully that makes sense. [Aaron Margosis] That's how it should work. If you have two or more GPO sets selected, and there's a GPO in one set that configures one of the "Turn Off the hard disk" settings, and none of the GPOs in the other set configure that setting, it should remain in the display when you select "Show Differences." I'd suggest unselecting the "Show Differences" and "Show Conflicts" settings, and searching for "Turn Off the hard disk". (Oh - and make sure you've actually got multiple GPO sets, and not just one GPO set that combines multiple GPOs.)

  • Anonymous
    March 03, 2016
    Oooooh. I see. I added all my GPO's within a single set, and was expecting comparison if differences in that single set. I'll try out what you've outlined. Thanks!

  • Anonymous
    March 04, 2016

    I'm having this problem too: System.IO.FileNotFoundException: Não foi possível localizar o arquivo 'C:WindowsPolicyDefinitionsen-usActiveXInstallService.adml'.
    Nome do arquivo: 'C:WindowsPolicyDefinitionsen-usActiveXInstallService.adml'
    The file can't be found because I'm using Windows 10 Pro in portuguese.. The files are under C:WindowsPolicyDefinitions folder... [Aaron Margosis] Yes - my apologies. Known issue. Current version works only for en-us. I hope to fix that in a future version.

  • Anonymous
    March 14, 2016
    Hello - quick question: I have to review approximately 80 GPO's. When filtering for conflicts, does this necessarily mean that there is an issue? or does this indicate GPO's with matching settings? I am trying to improve log on times.

    Thanks in advance! [Aaron Margosis] No, not necessarily. It just indicates that among the GPOs there are settings that are different. If each machine has to process 80 GPOs, that might be an issue, though.

  • Anonymous
    March 22, 2016
    Hello,

    Thank you for offering a tool like this!!
    Unfortunately I am having some issues to properly view and compare GPO settings.
    We are using a GPO to configure IE settings (for IE prior version 10)…basically settings for the different zones in IE (local, trusted, …) currently these settings are (still) configured under the “Internet Explorer Maintenance” section within the GPO. I did a backup of this GPO and imported it into Policy Analyzer and then clicked the View/Compare button. Unfortunately it just was showing me a subset of the settings which are actually configured in the GPO.
    Anything I need to do differently to properly show IE relevant settings within a GPO via Policy Analyzer?

    Thanks
    Markus [Aaron Margosis] Unfortunately, Policy Analyzer doesn't have a parser for settings configured in "Internet Explorer Maintenance."

  • Anonymous
    May 05, 2016
    Crashes under Windows 10. Tried AD and local.[Aaron Margosis] When you open gpedit, do you also get error messages? They released mismatched ADMX/ADML files and haven't fixed them yet. :( Next version of Policy Analyzer will be more resilient in the face of those.(Sorry for the delay in responding — when they changed the blog platform I stopped getting notifications about pending comments.)

  • Anonymous
    July 01, 2016
    Does this tool have a parser for settings configured under Computer Configuration/Policies/Windows Settings/Security Settings/Wireless Network (802.11) Policies? I am asking because we have some GPÓs in place which are being used to configure WiFi settings for clients and I wanted to compare these GPOs using this tool. Unfortunately the tool is not showing me the settigns which are actually configured in those GPOs....for other GPO settings it is working properly. Thanks Markus

    • Anonymous
      July 08, 2016
      I'll have to look into where those policies get saved. If they get saved in Registry.pol, then Policy Analyzer will see them, although it won't show their path in the UI.
      • Anonymous
        July 14, 2016
        Have you had a chance to check where those policies get saved?Thanks![Aaron Margosis] Yes, I just found out. They are stored in Active Directory:CN=PolicyName,CN=IEEE80211,CN=Windows,CN=Microsoft,CN=Machine,CN={guid},CN=Policies,CN=System,DC=contoso,DC=test...which explains why it's in AD GP but not in local GP. I don't plan to add locations such as this to Policy Analyzer.
  • Anonymous
    July 27, 2016
    The comment has been removed

    • Anonymous
      August 05, 2016
      I had the same issue, just different reported location. In my case, it turned out to be a single/certain GPO backup that was causing the issue. I was importing 100+ GPOs to it took me a bit to narrow it down to which one, but I did. What helped me determine this, was the fact that I was able to import 1 GPO, but not all.
  • Anonymous
    July 27, 2016
    I get following error when I click on the View/Compare button:=========================================Informationen über das Aufrufen von JIT-Debuggenanstelle dieses Dialogfelds finden Sie am Ende dieser Meldung.************** Ausnahmetext **************System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt. bei GPLookup.GPLookup_t.Initialize(String sLanguage) bei GPLookup.GPLookup_t.GPLookup() bei PolicyAnalyzer.PolicyViewer3.RowData_t.InitPolicyConfigAndPath() [... rest of the posted error information deleted to save space ...][Aaron Margosis] I'm working on an update that handles non-US-English systems better, and fixes some other bugs. I apologize for the inconvenience.

    • Anonymous
      February 14, 2018
      Hello Aaron,I get following error when selecting "Local policy":=================================Unexpected Format in Audit CSV file:Computername,Richtlinienziel,Unterkategorie-GUID,Aufnahmeeinstellung,Ausschlusseinstellung,EinstellungswertFile: C:\Users\Username\Appdata\Local\tmp2089.tmpGPO: Local policy=================================Do you what could cause the problem?[Aaron Margosis] It's a dumb localization bug that I need to fix. Replace "Unterkategorie-GUID" in the audit.csv with "Subcategory GUID" and it should work. My sincere apologies for the inconvenience.
      • Anonymous
        February 15, 2018
        Ok, could you tell me where to find that Audit.csv file?And I have another problem. When I go to "GPO filter..." I can't see my GPOs. There is just one for all without a name.[Aaron Margosis] First question: try "gci -Recurse -Include audit.csv" (PowerShell) or "dir /s audit.csv" (Cmd.exe). It's usually buried in "...\Machine\microsoft\windows nt\audit".Second question: Policy Analyzer gets the GPO name from Backup.xml or bkupInfo.xml (I don't remember which) in the root directory of each GPO. If those files aren't present or don't have name information in them, Policy Analyzer can't assign a name.
  • Anonymous
    September 12, 2016
    Do you have the sample for Office 2016 ( 365)[Aaron Margosis] We haven't published a baseline for Office 2016/365

  • Anonymous
    September 21, 2016
    Q: Is there any plans to, somehow, include preferences in this tool?I think it's the only thing i can think of that's missing in this, otherwise amazing, tool ;)[Aaron Margosis] Haven't tackled that yet.

  • Anonymous
    September 21, 2016
    Does this only work with admx policies? I backed up policies that use adm files and policy analyser sees all of them as the same.[Aaron Margosis] Yes, Policy Analyzer reads only ADMX/ADML files to tie GP settings back to display names.

  • Anonymous
    October 10, 2016
    When running a compare on some entries it will add \0 to the end for the option. For instance RemoveSigned\0. But, when I check the GPO option setting in the registry there is not a \0 and the option is set correct, any ideas on what might cause this?[Aaron Margosis] That happens with REG_MULTI_SZ values today. I'll post a preview version of the next version shortly. It resolves that issue and several others.

  • Anonymous
    December 02, 2016
    Full support for 2016 in current version?[Aaron Margosis] Yes.

  • Anonymous
    December 06, 2016
    Does Policy Analyzer allow you to compare two GPO backups and show differences in a command environment (non-GUI), so i can script it and return a return code to tell our build process if our security settings match what we expect them to?[Aaron Margosis] No, it's GUI-only.

  • Anonymous
    December 14, 2016
    I had a question about importing policies. I've been importing the .ini and registry.pol files separately for each policy, so they essentially display as 2 different policies, but I noticed for the Windows 10 baseline provided everything displays as one big policy, how do I get my policy to import and display like that instead as separately?[Aaron Margosis] It'll probably work better for you if you "Add files from GPO(s)" instead of adding files individually.

    • Anonymous
      December 19, 2016
      Thanks for your response, where and what file type am I grabbing when I add files from GPO's? Whenever I do that there's nothing for me to grab.[Aaron Margosis] With "Add files from GPO(s)," you select the root directory (folder) containing the GPO backups you want to analyze. It searches the root's subdirectories for Registry.pol, GptTmpl.inf, and Audit.csv files. It also looks for XML files that contain GPO names to associate with the files.
  • Anonymous
    January 09, 2017
    Excellent! Is there any way to create the .PolicyRules files from Group Policy modelling or Group Policy results (preferably from the AD Group Policy MMC)?[Aaron Margosis] No, not at this time.

  • Anonymous
    February 05, 2017
    Thanks. But not all policys added to compare. I have 360 policys, and added only 250 policys.[Aaron Margosis] Can you add some context or details?

  • Anonymous
    February 21, 2017
    Excellent Tool. I was wondering if it is still in pre-release, or if it is published as a final version to download (maybe with some more improvements). Thanks!![Aaron Margosis] Updated version available here: https://www.microsoft.com/en-us/download/details.aspx?id=55319

  • Anonymous
    March 26, 2017
    The comment has been removed

  • Anonymous
    April 25, 2017
    What does [[[delete]] mean when shown against a policy? Is this a duplicate that needs deleting, is it deprecated and need deleting, etc...?[Aaron Margosis] It means that there is a command encoded into the registry.pol file to delete the specified registry value as part of policy processing. Registry.pol follows a documented binary file format that simply encodes a series of registry commands. More info here.

    • Anonymous
      May 02, 2017
      I see... thanks
  • Anonymous
    May 04, 2017
    Why can I backup up this specific security policy (shown below), but cannot apply it?i.e. security settings\local policies\user right assignment\log on as a batch jobe.g. lgpo.exe /b c:\mybackup lgpo.exe /g c:\mybackup[Aaron Margosis] Because of numerous limitations (bugs) in secedit.exe, which LGPO.exe uses to export security configuration settings. IIRC, it won't export a user rights assignment that is empty. :( The bug has been reported.

    • Anonymous
      May 04, 2017
      Ah OK, no problem. Thanks
  • Anonymous
    May 16, 2017
    Q: In the Policy Viewer window what does "[[[delete]]]" and "[[[create key]]]" mean? See sample below:HKCU Software\Policies\Microsoft\Office\Common\security uficontrols 4 [[[delete]]]HKCU software\policies\microsoft\office\common\smart tag neverloadmanifests 1HKCU Software\Policies\Microsoft\SystemCertificates\Trust\Certificates [[[create key]]] HKCU Software\Policies\Microsoft\SystemCertificates\Trust\CRLs [[[create key]]] HKCU Software\Policies\Microsoft\SystemCertificates\Trust\CTLs [[[create key]]] HKCU Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates [[[create key]]] HKCU Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs [[[create key]]] HKCU Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs [[[create key]]] HKCU Software\Policies\Microsoft\Windows Mail DisableCommunities 1 1[Aaron Margosis] The registry.pol file format is a series of registry commands that can include "create a key," "delete a value," etc. The entries you see represent such commands in the analyzed registry.pol files.

  • Anonymous
    June 20, 2017
    Thank you.I hope the documents of Policy Analyzer in Japanese for share with our customers/partners/friends.Regards,Yoshihiro Kawabata

  • Anonymous
    July 05, 2017
    This looks useful, but the download site seems to be broken at the moment (I just get "You have not selected any file(s) to download" - there is a list of filenames on the left, but no way to select anything, whether I use Chrome, Edge or IE). Any chance of an alternative/working link please Aaron?[Aaron Margosis] Looks like it's working now. Is it still failing for you?

  • Anonymous
    July 07, 2017
    Amazing tool. The parts I've already figured out work nicely. Is it possible to convert or import the SCM baseline CAB files (2008 and IE in particular to use as PolicyANalyzer policy sets?Thanks very much.[Aaron Margosis] Export the GPOs from SCM, then import them into Policy Analyzer. Or just use the .PolicyRules files that come in the Policy Analyzer zip file -- that's how they were created.

  • Anonymous
    August 02, 2017
    The comment has been removed

    • Anonymous
      August 02, 2017
      And.. nevermind, it looks like it was a broken ADMX! Thanks![Aaron Margosis] This sounds like a Policy Analyzer bug that was fixed a long time ago. Make sure you pick up the latest version of Policy Analyzer:https://www.microsoft.com/en-us/download/details.aspx?id=55319
      • Anonymous
        October 03, 2017
        Hi Aaron, I'm getting the same error (System.NullReferenceException: Object reference not set to an instance of an object.) with the latest downloaded PolizyAnalyzer (v3.2.1705.29001). Any clues how to find the broken ADMX file, or otherwise debug?Thanks,David.[Aaron Margosis] Try running Sysinternals Process Monitor (Procmon) and see which ADMX/ADML files it has processed when it hits that error.
  • Anonymous
    September 15, 2017
    I backed up all the GPO's and for some reason when I import the GPO's I don't see all of them . So I manually backed up missing one via backup-gpo and save in same location. Imported again and compare still I don't see missing ones[Aaron Margosis] Policy Analyzer captures only the content that lands in registry.pol (administrative templates, firewall settings, AppLocker, and a few other things), security templates, and advanced auditing setting. If you have policies that include Group Policy Preferences, startup/logon/logoff/shutdown scripts, and other such artifacts, Policy Analyzer doesn't captures those.

  • Anonymous
    October 13, 2017
    I have pulled my GPO backups in and the only data is from the registry. I don't get the policy path. Without the policy path, the registry key information is not helpful. I have also tried to find the supposed difference reported by this tool in the actual HTML format of the GPO and it isn't there. Any ideas what I may be missing?[Aaron Margosis] Make sure to point Policy Analyzer to the correct ADMX repository.

  • Anonymous
    November 13, 2017
    Hi Aaron, great tool!Do you know if the PolicyRules for MSFT-Win10-v1703-RS2 and MSFT-Win10-v1709-RS3 will be available as SamplePolicyRules?Also is there any way to create a .policyrules from the group policies results (ex: Windows 10 Version 1703 Security Baseline\Windows 10 RS2 Security Baseline\GP Reports)?thank you.[Aaron Margosis] We haven't re-released Policy Analyzer with content representing those baselines, but it's easy to create them when you have downloaded the new baselines. Just point Policy Analyzer at the GPOs directory and build a rule set from it.

    • Anonymous
      November 29, 2017
      Hi Aaron,What are the meaning of different numbers for Options, I mean how to understand the value provided in option field during comparison[Aaron Margosis] Settings are shown in two ways: the actual registry data that gets written (e.g., DWORD 2) and the human-language option associated with that value (e.g., "Highest protection").
  • Anonymous
    March 01, 2018
    Is there any alternative that MS do instead of this tool that hasn't been retired? Without support for Group Policy Preferences or the ability to map back Registry settings to actual GPO settings in the description then there's not a lot you can actually do with this tool. How on earth are you supposed to get a GPO setting from "HKCU Software\Policies\Microsoft\Windows\Personalization ThemeFile" I know its a User setting but there are quite a few to choose from so without being told the path this tool is pointless.[Aaron Margosis] Policy Analyzer does map registry values back to GPO paths and names, both in the Details Pane and in "Export all data to Excel." It can also show the Explain text for the setting. If the mapping isn't taking place then you must not be pointing to the correct ADMX files. See the documentation for more about that. (Oh, and the registry path you mentioned maps to User Configuration\Control Panel\Personalization, Load a specific theme.)Support for Group Policy Preferences is something we'd like to add. That said, the retired Security Compliance Manager didn't support GPPs either.

  • Anonymous
    November 10, 2018
    Um, this is probably great and all, but how does one use it to compare the policies that have been applied to two windows servers for differences?

  • Anonymous
    November 11, 2018
    Hi Aaron,I'm having some problems importing a user group policy from a backup. I can use that same backup to import settings into a new group policy, even backing up the new policy doesn't allow me to import it into the Policy Analyzer. Do you have any recommendations?I'm using version 3.2.18Paul[Aaron Margosis] What kinds of problems are you having? Note that Policy Analyzer looks only for certain files, and that those don't include Group Policy Preferences. If you have a GPO made up only of GPP settings, it won't get included.

  • Anonymous
    January 17, 2019
    Hello, is there any way to create my own policy settings? Or do I have to use all the settings created by Microsoft? For example: I have a software that needs a few security and system settings to work best. Security settings such as: only chosen usb devices can connect or system settings such as: a resolution of full HD or deactivated games. By creating my own policy settings I could check with the policy analyzer, if all the settings are done correct or if i have to change settings. And I could view differences very easy. Thank you in advance.[Aaron Margosis] Yes, you can use these tools with your own GPO settings.

  • Anonymous
    February 12, 2019
    I imported a GPO with the loopback Merged setting enabled and the tool completely fails to list any of the Folder Redirection policy under the "User" section of the GPO.[Aaron Margosis] Folder Redirection settings aren't stored in any of the file types that Policy Analyzer works with. Policy Analyzer processes registry policy files (e.g., registry.pol), advanced auditing CSV files (e.g., audit.csv), and security template files (e.g., GptTmpl.inf).

    • Anonymous
      February 13, 2019
      So the Group Policy Analyzer can't analyse group policy? I need to double check but it looks like its also missing other merged loop back settings such as OutLook Cached mode. So is there a tool that can be used to analyse GPO's in their entirety so all GPO settings can be gathered and matched?
  • Anonymous
    March 04, 2019
    Not sure if this has been asked or suggested but it would be nice to be able to see where user and computer configuration policies conflict with each other. For example, if I look at IE security settings in one policy where the admin set those policies in the user configuration, and compare that to a policy where IE security is set in the computer configuration, it would be nice to see the conflicts.

  • Anonymous
    March 12, 2019
    I need to compare group policies applied on 2 systems (Windows 7 & 10) to find where is the mismatch. I have executed the 'Group Policy Result' on both systems and exported he data XML format later renamed with *.PolicyRules extension,However I am not able to view policy settings in Policy Viewer pane.I am new to this tool and don't know where I am going wrong. Please guide.[Aaron Margosis] Policy Analyzer can't ingest GPO reports or gpresult reports. It ingests GPO backups.

  • Anonymous
    March 22, 2019
    Is there a way to import XML reports from GPO to look for differences between the two report or do you need to first import the XML reports into something like excel and then convert them into csv files to import into Policy Analyzer?[Aaron Margosis] Policy Analyzer can't ingest GPO reports or gpresult reports. It ingests GPO backups.

  • Anonymous
    May 22, 2019
    Thanks sir for the information , Just now I downloaded latest tool from added link .

  • Anonymous
    June 19, 2019
    The comment has been removed