How to get a list of all the configured values in a GPO

One of the challenges that one of you mentioned was the difficulty in enumerating the settings in a GPO in a convenient way. Below is a procedure to try one your Windows Server 2008 R2 domain controllers. It uses PowerShell to extract the data for you.

· Log in to the DC.

· Click Start à Windows PowerShell Modules.

· Type Get-GPOReport –Name NameOfGPO –ReportType HTML –Path Destination and file name.

Open the HTML file that was generated. The only values in the policy that are shown are the values that have been set. Also, if the name of your GPO has a space in it, enclose the name in double quotes. Below is an example of a policy that configured WSUS.

Links

Location	Enforced	Link Status	Path
None

This list only includes links in the domain of the GPO.

Security Filtering

The settings in this GPO can only apply to the following groups, users, and computers:

Name

NT AUTHORITY\Authenticated Users

Delegation

These groups and users have the specified permission for this GPO

Name	Allowed Permissions	Inherited
MCTNET\Domain Admins	Edit settings, delete, modify security	No
MCTNET\Enterprise Admins	Edit settings, delete, modify security	No
NT AUTHORITY\Authenticated Users	Read (from Security Filtering)	No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS	Read	No
NT AUTHORITY\SYSTEM	Edit settings, delete, modify security	No

Computer Configuration (Enabled)

Policies

Administrative Templates

Policy definitions (ADMX files) retrieved from the local machine.

Windows Components/Windows Update

Policy		Setting		Comment
If the status is set to Enabled, Windows will check for available updates at the specified interval. If the status is set to Disabled or Not Configured, Windows will check for available updates at the default interval of 22 hours. Note: The "Specify intranet Microsoft update service location" setting must be enabled for this policy to have effect. Note: If the "Configure Automatic Updates" policy is disabled, this policy has no effect." gpmc_supported="At least Windows 2000 Service Pack 3 or Windows XP Professional Service Pack 1" style="cursor:pointer">Automatic Updates detection frequency		Enabled
Check for updates at the following interval (hours): 4
Policy	Setting			Comment
This setting lets you specify if automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting: 2 = Notify before downloading any updates and notify again before installing them. When Windows finds updates that apply to this computer, an icon appears in the status area with a message that updates are ready to be downloaded. Clicking the icon or message provides the option to select the specific updates to download. Windows then downloads the selected updates in the background. When the download is complete, the icon appears in the status area again, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install. 3 = (Default setting) Download the updates automatically and notify when they are ready to be installed Windows finds updates that apply to your computer and downloads these updates in the background (the user is not notified or interrupted during this process). When the download is complete, the icon appears in the status area, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install. 4 = Automatically download updates and install them on the schedule specified below Specify the schedule using the options in the Group Policy Setting. If no schedule is specified, the default schedule for all installations will be everyday at 3:00 AM. If any of the updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is logged on to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.) 5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates With this option, the local administrators will be allowed to use the Automatic Updates control panel to select a configuration option of their choice. For example they can choose their own scheduled installation time. Local administrators will not be allowed to disable Automatic Updates' configuration. To use this setting, click Enabled, and then select one of the options (2, 3, 4 or 5). If you select 4, you can set a recurring schedule (if no schedule is specified, all installations will occur everyday at 3:00 AM). If the status is set to Enabled, Windows recognizes when this computer is online and uses its Internet connection to search Windows Update for updates that apply to this computer. If the status is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, go to http://windowsupdate.microsoft.com or click Start, click Programs (or click All Programs), and then click Windows Update. If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel." gpmc_supported="At least Windows 2000 Service Pack 3 or Windows XP Professional Service Pack 1" style="cursor:pointer">Configure Automatic Updates	Enabled
Configure automatic updating: 3 - Auto download and notify for install The following settings are only required and applicable if 4 is selected. Scheduled install day: 0 - Every day Scheduled install time: 06:00
Policy		Setting		Comment
If the status is set to Enabled, a scheduled installation that did not take place earlier will occur the specified number of minutes after the computer is next started. If the status is set to Disabled, a missed scheduled installation will occur with the next scheduled installation. If the status is set to Not Configured, a missed scheduled installation will occur one minute after the computer is next started. Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect." gpmc_supported="At least Windows 2000 Service Pack 3 or Windows XP Professional Service Pack 1" style="cursor:pointer">Reschedule Automatic Updates scheduled installations		Enabled
Wait after system startup (minutes): 10
Policy		Setting		Comment
This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. To use this setting, you must set two servername values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. If the status is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service, instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them. If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. Note: If the "Configure Automatic Updates" policy is disabled, then this policy has no effect." gpmc_supported="At least Windows 2000 Service Pack 3 or Windows XP Professional Service Pack 1" style="cursor:pointer">Specify intranet Microsoft update service location		Enabled
Set the intranet update service for detecting updates: http://MCT1 Set the intranet statistics server: http://MCT1 (example: http://IntranetUpd01)

User Configuration (Enabled)

No settings defined.

Reference:

http://technet.microsoft.com/en-us/library/ee461057.aspx