1

We as an IT group are about to go through all of our group policies and clean up/enhance them. I am trying to compile an easy to read document on what is configured and what is not.

I wanted to ask you guys about how you go about documenting what you have set in group policy. I found a really nice spreadsheet on Microsoft that has all settings for Computer Configuration\Policies\Administrative Templates: Policy definitions\All Settings and User Configuration\Policies\Administrative Templates: Policy definitions\All Settings. I just added a column for the state of each setting.

However, I know that one of our group policies has certain Windows Services being disabled. This does not show up in the list I described above. I then noticed that nothing in Computer Configuration\Policies\Windows Settings\* and Computer Configuration\Policies\Software Settings\* is included in this list.

Does anyone have any suggestions on how to go about documenting these settings, or does anyone know where a list is for these so I can incorporate them into my list?

3 Answers

3

You can use RSOP.MSC or GPResult against a target machine to see how the various policies are affecting that system (and also the specified user account).

RSOP.MSC:

One challenge of Group Policy administration is to understand the cumulative effect of a number of Group Policy objects (GPOs) on any given computer or user, or how changes to Group Policy, such as reordering the precedence of GPOs or moving a computer or user to a different organizational unit (OU) in the directory, might affect the network. The Resultant Set of Policy (RSoP) snap-in offers administrators one solution. Administrators use the RSoP snap-in to see how multiple Group Policy objects affect various combinations of users and computers, or to predict the effect of Group Policy settings on the network.

GPResult:

Displays the Resultant Set of Policy (RSoP) information for a remote user and computer.

You can also use MS' Group Policy Management Console to get reports on how policies are applied and interacting with each other.

GPMC simplifies the management of Group Policy by making it easier to understand, deploy, manage, and troubleshoot Group Policy implementations. GPMC also enables automation of Group Policy operations via scripting.

techie007
  • Very Very good information. Thanks for the reply. However I was looking for something more along the lines of this http://www.microsoft.com/download/en/details.aspx?id=25250 but for the Windows Settings in Group Policy. –  Jan 10 '12 at 20:23
  • The Windows Settings _are_ in those documents you linked to. At least the Server 2008R2 and Windows 7 version has them ("Computer Configuration\Windows Settings" on the "Security" sheet/tab). The "Computer Configuration\Software Settings" are not included (most likely) because it is for Software Distribution and there are multiple parts/paths involved in using the Software Dist. system, so the reference doesn't cover them as there is not just a simple Registry entry associated with it to be referenced. – techie007 Jan 10 '12 at 20:46
  • Ah. You're the man. I filtered that sheet by "Windows 7, Windows Server 2008 R2" and didn't see those but if I Select All, there they are. Thank you so much :) –  Jan 10 '12 at 20:53
2

Create self-documenting group policy objects

Write your group policies so that each one does one specific thing, and give them descriptive names. If a policy requires more explanation, write it as a comment on the policy. While you are editing the policy, click on Action > Properties > Comment to edit the comment. These comments show up in the Group Policy Management console on the Details tab when you select a group policy object.

William Jackson
1

That is one way to go about it, but documenting all your GPOs that way sounds very manual and tedious. We use the GPMC scripting options to do a weekly backup & report of all GPOs. It's helped us in a few cases over the years because you have a backup, and can compare the HTML report of the GPO to see the differences. No manual work other than setting up a scheduled task to run the scripts each week.

GetReportsForAllGPOs
BackupAllGPOs
http://msdn.microsoft.com/en-us/library/windows/desktop/aa814151%28v=vs.85%29.aspx

Clayton
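
A PowerShell version of the weekly backup-and-report job described in the last answer, added here as an example and not the answer author's scripts: it uses the GroupPolicy module cmdlets (installed with GPMC/RSAT) instead of the GPMC sample scripts named above. The archive folder `D:\GPOArchive`, the dated folder layout and the `index.csv` / `changes-since-previous.csv` file names are assumptions.

```powershell
#Requires -Modules GroupPolicy
# Added example: weekly GPO backup plus per-GPO reports, with a change list
# against the previous run. $ArchiveRoot is an assumed path; adjust it.
param(
    [string]$ArchiveRoot = 'D:\GPOArchive'
)

$stamp   = Get-Date -Format 'yyyy-MM-dd'
$runDir  = Join-Path $ArchiveRoot $stamp
$backup  = Join-Path $runDir 'Backup'
$reports = Join-Path $runDir 'Reports'
New-Item -ItemType Directory -Path $backup, $reports -Force | Out-Null

# Restorable backup of every GPO in the current domain.
Backup-GPO -All -Path $backup -Comment "Weekly backup $stamp" | Out-Null

# One HTML report (for reading) and one XML report (for tooling) per GPO.
# Files are named by GPO GUID so renaming a GPO does not break comparisons.
$index = foreach ($gpo in Get-GPO -All) {
    $id   = $gpo.Id.ToString()
    $base = Join-Path $reports $id
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$base.html"
    Get-GPOReport -Guid $gpo.Id -ReportType Xml  -Path "$base.xml"
    [pscustomobject]@{
        Id       = $id
        Name     = $gpo.DisplayName
        Status   = $gpo.GpoStatus
        Modified = $gpo.ModificationTime.ToString('o')  # stable text form
        Comment  = $gpo.Description                     # the GPO comment field
    }
}
$index | Export-Csv (Join-Path $runDir 'index.csv') -NoTypeInformation

# Compare with the most recent earlier run (dated folders sort by name).
$previous = Get-ChildItem $ArchiveRoot -Directory |
    Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}$' -and $_.Name -lt $stamp } |
    Sort-Object Name | Select-Object -Last 1
$oldIndex = if ($previous) { Join-Path $previous.FullName 'index.csv' }

if ($oldIndex -and (Test-Path $oldIndex)) {
    # '=>' rows are new or changed in this run; '<=' rows are the old
    # version of a changed GPO, or a GPO that has since been deleted.
    Compare-Object (Import-Csv $oldIndex) $index -Property Id, Name, Modified |
        Sort-Object Id, SideIndicator |
        Export-Csv (Join-Path $runDir 'changes-since-previous.csv') -NoTypeInformation
}
```

For any GPO listed in the change file, open that GUID's HTML report from the two dated folders side by side to see which settings moved.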