ToolTip: Policy Analyzer

Posted onAuthorAlex Verboon3 Comments

Aaron Margosis recently released Policy Analyzer, a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Here’s a brief description on how to use the tool to compare two Domain GPOs.

I created two GPOs in my test domain, both starting with the name “Foo” and then configured some settings. The Policy Analyzer can import GPO settings based on a GPO backup so as a next step we create a GPO backup. The quickest way is to do this via PowerShell.

Get-GPO -All | Where-Object {$_.DisplayName -like “Foo Corp*”} | Backup-GPO -Path C:\data

image

Now that we have a backup we copy them into the Policy Analyzer working folder, in my case that’s:

C:\Users\Admin\Documents\PolicyAnalyzer\GPOs

image

Next Open the Policy Analyzer Tool and select Add.

image

A new window opens, select File, add files from GPOs

image

Select the first folder

image

 

image

Select Import, and provide a name.

 

image

Repeat these steps for every GPO you want to compare.

 

image

Next select View / Compare.

image

Select Export / Export all data to Excel

image

and there you, all information nicely prepared and ready for review.

image

The Policy Analyzer tool and documentation is available for download here

 

By the way, Microsoft also finally  released the Security Baseline for Windows 10  “Security baseline for Windows 10 (v1511, “Threshold 2”) — FINAL”   The Windows 10 TH2 Security Baseline.zip also contains a backup of the Windows 10 baselnie GPOs, so you can import these into Policy Analzyer as well and start comparing your current GPOs with those of the Security Baseline.

Enjoy!

Related posts:

  1. Importing GPO Security Baselines with PowerShell
  2. No MBSA for Windows 8 planned
  3. Microsoft Baseline Security Analyzer with support for Windows 7 and Server 2008 R2
  4. ToolTip: GPO Deny Finder
  5. How to create a SCCM 2012 SP1 Configuration Baseline with Security Compliance Manager (SCM) 3.0

3 Replies to “ToolTip: Policy Analyzer”

  1. Great looking tool. If I were to backup GPO’s from different domains that were supposed to be the same could I then import them as if they came from the same domain and compare?

  2. I know this is probably a dumb questions, but I don’t understand how to actually import the GPO settings into the analyzer. When I click ‘add’ and then import and choose my folders, I’m then taken to the next prompt that forces me to save that file somwhere, but my main Policy Analyzer window is still blank. How do you actually get those files into the analyzer so that you can click the ‘compare’ button?

  3. @Ted – I know this is 3 years late but maybe someone will find it helpful. Once you save it you need to change the directory at the bottom in the field for Policy Rules sets In: to the folder you saved to while doing the import. Once you have that folder listed in there what ever you named your save file will show up in the table above. From there you can check it off and select View / Compare.
    Took me a hot minute to figure that out as well 😀

Leave a Reply