9

I need to dump all the Group Policies within Active Directory to review offline at a later date. Is there a way I can easily export all the Group Policies to text or some other easily-parseable format?

Edit: Will these tools work from a computer that is not part of the domain? I have domain credentials, but my work laptop isn't necessarily part of the domain I need to review.

romandas

6 Answers

4

Starting with Windows Server 2008 R2 or Windows 7 with RSAT installed, you can use PowerShell to export all your GPO settings either to HTML or to XML with Get-GPOReport.

```powershell
Import-Module GroupPolicy

# Export a specific GPO
Get-GPOReport -Name MyFooGPO -ReportType Html -Path MyFooGPOReport.htm
Get-GPOReport -Name MyFooGPO -ReportType Xml -Path MyFooGPOReport.xml

# Export all GPOs
Get-GPOReport -All -ReportType Html -Path AllGPOsReport.htm
Get-GPOReport -All -ReportType Xml -Path AllGPOsReport.xml
```

There are many other helpful Cmdlets contained in the GroupPolicy module.

oleschri
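For an offline review it is often easier to have one report per GPO plus an index than a single combined file. The script below is an added example, not part of the answer above; the output folder, the file-naming scheme, the index columns and the script's own parameter names are assumptions, while `Get-GPO` and `Get-GPOReport` with `-Domain` and `-Server` come from the GroupPolicy module.

```powershell
# Added example: export every GPO to its own XML and HTML report plus a CSV index.
# $OutDir, the file names and the index columns are assumptions for illustration.
param(
    [string]$OutDir = '.\GpoExport',
    [string]$Domain,   # optional: DNS name of the domain to query
    [string]$Server    # optional: domain controller to contact
)

Import-Module GroupPolicy -ErrorAction Stop

# Create the folder and resolve it to a full path so reports land where expected.
$OutDir = (New-Item -ItemType Directory -Path $OutDir -Force).FullName

# Pass -Domain / -Server through only when they were supplied.
$target = @{}
if ($Domain) { $target.Domain = $Domain }
if ($Server) { $target.Server = $Server }

$index = foreach ($gpo in Get-GPO -All @target) {
    # Display names may contain characters that are invalid in file names.
    $safe = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $base = Join-Path $OutDir ('{0}_{1}' -f $safe, $gpo.Id)
    $status = 'ok'
    try {
        Get-GPOReport -Guid $gpo.Id -ReportType Xml  -Path "$base.xml" @target -ErrorAction Stop
        Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$base.htm" @target -ErrorAction Stop
    }
    catch {
        # Record the failure and keep going so one GPO does not stop the export.
        $status = "failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DisplayName      = $gpo.DisplayName
        Id               = $gpo.Id
        GpoStatus        = $gpo.GpoStatus
        ModificationTime = $gpo.ModificationTime
        ReportBase       = $base
        Export           = $status
    }
}

# The index maps each GPO to its report files and flags anything that was skipped.
$index | Export-Csv -Path (Join-Path $OutDir 'index.csv') -NoTypeInformation
$index | Where-Object { $_.Export -ne 'ok' } | Format-Table DisplayName, Export -AutoSize
```

Rows in `index.csv` whose `Export` column is not `ok` are the GPOs to follow up on before treating the export as complete.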
4

Unfortunately, with the modular nature of group policy extension handlers I don't believe you're going to find any tool better than Group Policy Management Console to do what you're after.

Your easiest path is going to be to use a computer joined to the domain to run GPMC and examine / export the GPOs. Of course, if there are GPOs that have had their default permissions modified, you might not have access to them with your credentials to audit them.

Given how easy it would be to do what you want with GPMC on a domain-member computer, I'd say that you should pursue that. If you have problems, I'd approach it as a "political" / management problem and not a technical problem. GPMC is the right tool for the job, and if you're expected to do the job you need to have access to do it. The same would go with accessing GPOs that your domain credentials might not have access to.

If you absolutely can't get access to a domain-member computer running GPMC, your next best (but undesirable) alternative would be to have an administrator there back up all the GPOs and give the backup to you. You could import that backup into another AD domain that you do control and audit the GPOs there. The problem with that strategy is that all SID information in the original domain will be incomprehensible to you in your own domain (and will be lost if you "map" the imported GPOs to users / groups inside your domain).

GPMC is your tool. Figure out how to make the "powers that be" allow you to use the tool and you'll get the job done quickly and efficiently.

Evan Anderson
2

It would be easier to ask an administrator to back up all GPOs using GPMC and give you access to that backup folder. After that, you can open your own GPMC instance, point it to that backup folder, and read anything you want in GPMC's very intuitive interface.

Another option would be to check the following scripts, which come with GPMC (by default in C:\Program Files\GPMC\Scripts):

GetReportsForAllGPOs.wsf : Generates XML reports for ALL GPOs in given domain

GetReportsForGPO.wsf : Generates XML and HTML reports for a given GPO

KAPes
1

admx.exe in the Windows Server 2003 Resource Kit will allow you to do this.

The ADM File Parser (AdmX) is a command-line tool that enables an administrator to export Group Policy settings to a tab-delimited text file. The administrator can then use the text produced by ADM File Parser (AdmX) to find changes for the policy settings between different versions of the operating systems.

GregD
  • Be aware that AdmX only dumps out administrative template-related data. Because of the modular architecture of group policy extensions no one tool can possibly do "everything". – Evan Anderson Jul 24 '09 at 15:53
  • You are correct, which is why I have to print out the "Settings" tab for each and every one of my GPOs in the GPMC :) – GregD Jul 24 '09 at 16:23
1

Have the GP admin open the Group Policy Management snap-in for the Microsoft Management Console.

When you select a GPO there are 4 tabs at the top: Scope, Details, Settings, Delegation.

Scope will show you who and/or what it applies to if you need to audit that.

Settings will generate an HTML-formatted report of all the configured settings in the GPO, which is very easy to read. Right-clicking anywhere in the Settings data area will allow you to "Save Report..." in standard HTML format.

Simply have your GP admin save the Settings report for you for each policy you'd like to review :)

Garrett
0

Use GPMC for this (you should be using it for all of your GPO management anyway).

Maximus Minimus