Use PowerShell to Search Group Policy for a Specific Setting

This is a simple one-liner enabling us to use PowerShell to search Group Policy for a specific setting.

It’s always frustrating when we can’t find which policy a particular configuration is coming from. An example is trying to find a policy containing specific registry, or a logon script, or a scheduled task, or a shortcut name, or a specific configuration specified in an ADMX.

Use PowerShell to Search Group Policy for a Specific Setting

This simple example searches all group policy objects for a script called “alkane.ps1” – it could be part of a login script, startup script, scheduled task, file copy or otherwise!

$searchString = "alkane.ps1"
Get-GPO -All | Where-Object { $_ | Get-GPOReport -ReportType xml | Select-String $searchString } | select DisplayName, ID

We can search for any string of text. But we will need a local installation of RSAT and an elevated account to run it!

Find Group Policy Objects (GPO) Modified in the Last X Days

This is a simple PowerShell script that enables you to find Group Policy Objects (GPO) modified in the last X days.

Unfortunately it doesn’t tell us who modified the GPO or what specific configuration was changed, but it’s a start!

This first script will simply print out the name, modification date and description of the relevant GPOs. Sometimes organisations use the description to make notes on changes to the GPO so it might assist your investigations:

$daysSinceModification = 1
Get-GPO -All | where-object { ([datetime]::today - ($_.ModificationTime)).Days -le $daysSinceModification } | foreach {  write-host "******************`r`nDisplay Name: " $_.DisplayName "`r`nModification Date: " $_.ModificationTime "`r`nDescription: " $_.Description "`r`n******************`r`n" }


This second script will retrieve the same GPOs but this time it will export the GPO to a html file for your perusal:

$daysSinceModification = 1
$exportPath = "C:\Path"
Get-GPO -All | where-object { ([datetime]::today - ($_.ModificationTime)).Days -le $daysSinceModification } | foreach {  Get-GPOReport -Name $_.DisplayName -ReportType HTML -Path "$exportPath\$($_.DisplayName).html" }