Group Policy Analyzer from Microsoft TechNet
For those looking to manage GPO’s effectively, Policy Analyzer lets you treat a set of GPOs as a single unit thus making it easier to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. It also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
The finding of the Policy Analyzer are displayed in a table where highlighted areas in Yellow shows “Conflict”, while Grey cells indicate absent settings. The finding can also be exported to an Excel spreadsheet for further use.
Analyze, view, compare Group Policy Objects
Microsoft Policy Analyzer is a lightweight standalone application and it doesn’t require any installation. To start using the application follow the below steps. Step 1 Download “Run PolicyAnalyzer.exe” (less than 2MB) and extract the files. The extracted files contain PolicyAnalyzer.exe and two helper program files – PolicyRulesFileBuilder.exe and PolicyAnalyzer_GetLocalPolicy.exe, documentation .pdf file and sample GPO sets taken from the Microsoft security configuration baselines. Step 2 Click “PolicyAnalyzer.exe” and you will see the Main window pop up on your screen as shown below.
The list box shows the name of the directory where Policy Rule sets in. You can change the location of the directory by clicking on this box and choose you own preferred directory name. Initially, as shown above, the directory will be empty. Step 3 To add a Policy Rule set to the Policy Analyzer collection, click the Add button as shown above in the Main window. Here, I added the sample GPO sets taken from the Microsoft security configuration baselines supplied as part of the Download file earlier.
You can choose to add files using the Policy File Importer, shown in the screenshot below.
Policy Analyzer can ingest three types of GPO files: registry policy files, security templates, and audit policy backup files. Refer screenshot below,
If you add files using Add files from GPO(s, Policy Analyzer identifies GPO names from files in the GPO backup or backups. If you pick files using the other options, Policy Analyzer sets the file’s policy name to a placeholder value. Step 4
After you have added the files, use the Main window to select the files you want to compare. In the above screenshot, I selected all. Now click “View/Compare” to open the Policy Viewer
As shown above, the Policy Viewer lists all the settings configured by the policy sets and the values configured by each policy set in its own column. Here the cells are highlighted with different colors each representing a different meaning as listed below.
The cell background is yellow if any two policy sets configure the value differently.A grey background with no text indicates that the policy set in that column does not configure the setting.A white background indicates that the policy set configures the setting and that no other policy set configures that setting to a different value.A light grey background in a cell indicates that the policy set defines the same setting multiple times, typically in different GPOs.
So with the Policy Viewer windows, you can analyze, view, and compare sets of Group Policy Objects.
Additional Features
Click View > Show Details Pane (may have been already enabled)
The Details Pane resides in the lower section of the window identifies the path (or paths) in the Group Policy Object editor that can configure the selected setting, the GPO option or options associated with the selected values, the underlying data type, and any other available information. Click Export > Export Table to Excel or Export All Data to Excel
This is a useful function to import the data for your further use and analysis.
Export table to Excel exports only the data in the table view, while,Export all data to Excel exports data as shown in the Details Pane, including GPO paths, option names, and data types.
Policy Analyzer is a helpful tool to analyze and compare sets of Group Policy Objects (GPOs) in Windows. As of today, the tool is useful to find if a set of GPOs contains contradictory settings. However, it doesn’t advise you on which of them will win and maybe, that’s something that may come in later versions. Visit microsoft.com to download it.