Policy Analyzer v3.1 PRE-RELEASE

  • Article

Lots of updates to Policy Analyzer in this unsigned, pre-release preview build -- please post comments here to let me know how well it addresses your needs and what else it could add.

[Update: the latest version of Policy Analyzer is here.]

Please see the description of the original Policy Analyzer here for context.

Partial list of improvements:

  • Uses localized text correctly in most instances instead of US English.
  • Option to specify different directory for Policy Definition (ADMX) files.
  • Option to display explanation text with settings.
  • PowerShell scripts to split or merge Policy Rules files.
  • Better mapping to policy paths.
  • Option to show GPO names without GPO file paths.
  • Added support for REG_QWORD values.
  • Cleaner, less-noisy output.

Comments

  • Anonymous
    October 23, 2016
    Hi Aaron,First of all thanks a lot for this tool, is helping us a lot in GPO documentation and identifying discrepancies in a huge Enterprise environment.In our environment due to some business needs, great part of our configuration is done through Group Policy Preferences. I wonder if you have any plan to extend the Policy Analyzer capability to parse the Preferences xml files.Do you have any plan in this area?thanks a lotJaime Portero[Aaron Margosis] Looking into it.
  • Anonymous
    October 31, 2016
    Agree with [Jaime Portero October 24, 2016 at 7:30 am.]A lot of things I see online keep pushing us to use preferences. But most of the tools for troubleshooting Group Policy don't support preferences. E.g. rsop.msc you can't see preferences. Very frustrating.
  • Anonymous
    November 11, 2016
    Hi Aaron, also thanks a lot for this tool!Got an error when checking local policy setting. Privilege Use/Non Sensitive Privilege Use and some other local audit policy settings are null, some local audit policy setting are filled.---------------------------Policy Rules File Builder---------------------------Unexpected format in Audit CSV file:COMP,System,Èñïîëüçîâàíèå ïðàâ, Г­ГҐ çàòðàãèâàþùåå êîíôèäåíöèàëüíûå äàííûå,{0CCE9229-69AE-11D9-BED3-505054503030},ГЌГҐГІ àóäèòà,,0File: C:\Users\kukaloia\AppData\Local\Temp\tmpDCD3.tmpGPO: Local policy---------------------------ОК ---------------------------
    • Anonymous
      November 11, 2016
      As I see, problem lines in C:\Users\kukaloia\AppData\Local\Temp\tmpDCD3.tmp looks like this (Russian):WCS01-SIB-11,System,Использование прав, не затрагивающее конфиденциальные данные,{0CCE9229-69AE-11D9-BED3-505054503030},Нет аудита,,0WCS01-SIB-11,System,Другие события использования прав,{0CCE922A-69AE-11D9-BED3-505054503030},Нет аудита,,0
      • Anonymous
        November 11, 2016
        I think, it's a comma parsing error, in English this audit parametr is callingNon Sensitive Privilege UseBut in Russain:Использование прав, не затрагивающее конфиденциальные данные
  • Anonymous
    November 11, 2016
    Hi Aaron, also thanks a lot for this tool!Got an error when checking local policy setting. Privilege Use/Non Sensitive Privilege Use and some other local audit policy settings are null, some local audit policy setting are filled.Policy Rules File BuilderUnexpected format in Audit CSV file:COMP,System,Èñïîëüçîâà íèå ïðà â, Г­ГҐ çà òðà ãèâà þùåå êîíôèäåíöèà ëüíûå äà ííûå,{0CCE9229-69AE-11D9-BED3-505054503030},ГЌГҐГІ à óäèòà ,,0File: C:\Users\kukaloia\AppData\Local\Temp\tmpDCD3.tmpGPO: Local policyAs I see, problem lines in C:\Users\kukaloia\AppData\Local\Temp\tmpDCD3.tmp looks like this (Russian):WCS01-SIB-11,System,Использование прав, не затрагивающее конфиденциальные данные,{0CCE9229-69AE-11D9-BED3-505054503030},Нет аудита,,0I think, it’s a comma parsing error, in English this audit parametr is callingNon Sensitive Privilege UseBut in Russain:Использование прав, не затрагивающее конфиденциальные данные[Aaron Margosis] Interesting. I'll look into that. I'll follow up offline to your email address about getting a copy of that audit.csv, too. Thanks.
  • Anonymous
    November 18, 2016
    Hi Aaron,great piece of software.Would it be possible to include support for exporting the GPO comments in the next version.As well as other readers I really would like to see support for the "Preferences" section. It would allow easier documentation of policies and would make it unnecessary to document those separately.[Aaron Margosis] Thanks! I'll look into capturing the comments - no one has ever asked for that before. Definitely looking into GPP.
    • Anonymous
      November 23, 2016
      +1 Exporting Comments! We like GPOs to be self documented + use comments on unconfigured policies to point to the policy where it is configured.
  • Anonymous
    December 01, 2016
    Is there a central site/page for this tool so I don't have to rely on a search finding the latest version (I don't even know if 3.1 is still the latest version)?[Aaron Margosis] Not yet - we're looking into delivering it from the Download Center and linking to it from the Security Guidance landing page.
  • Anonymous
    December 19, 2016
    Hi, Not sure if I am doing something wrong but I was hoping to point the tool at a backup of the GPOs and for it to create a separate Policy Set for each GPO, i.e. column per GPO in the comparison. Can this be done and am I just doing something wrong or do I have to add each GPO individually? We have lots to compare the settings/document so would like to see what each policy has set and then export to Excel.Its still a very useful tool and I can see me using it just to get a view of conflicting settings. Thanks[Aaron Margosis] "Add files from GPO(s)" pulls everything it finds into one set. If you have a lot of GPOs, importing them one by one might take a while. Take a look at the Split-PolicyRules.ps1 PowerShell script in the .zip file. Given a .PolicyRules file that combines multiple GPOs, the script creates a separate .PolicyRules file for each GPO. Example using the v1607/Server2016 baseline we recently published:     Split-PolicyRules.ps1 .\MSFT-Win10-RS1-Srv2016.PolicyRules .\MSFT-Win10-RS1-Srv2016Produces these files:     MSFT-Win10-RS1-Srv2016-SCM Internet Explorer 11 - User.PolicyRules     MSFT-Win10-RS1-Srv2016-SCM Windows Server 2016 - Domain Controller Baseline.PolicyRules     MSFT-Win10-RS1-Srv2016-SCM Windows 10 and Server 2016 - Credential Guard.PolicyRules     MSFT-Win10-RS1-Srv2016-SCM Windows 10 RS1 - User.PolicyRules     MSFT-Win10-RS1-Srv2016-SCM Windows Server 2016 - Member Server Baseline - Computer.PolicyRules     MSFT-Win10-RS1-Srv2016-SCM Windows 10 RS1 - BitLocker.PolicyRules     MSFT-Win10-RS1-Srv2016-SCM Windows 10 RS1 - Computer.PolicyRules     MSFT-Win10-RS1-Srv2016-SCM Windows 10 and Server 2016 - Domain Security.PolicyRules     MSFT-Win10-RS1-Srv2016-SCM Internet Explorer 11 - Computer.PolicyRules     MSFT-Win10-RS1-Srv2016-SCM Windows Server 2016 - Member Server Baseline - User.PolicyRules     MSFT-Win10-RS1-Srv2016-SCM Windows 10 and Server 2016 - Defender.PolicyRules
    • Anonymous
      January 03, 2017
      Brilliant, thanks. We found that, very useful. Saved me loads of time.
  • Anonymous
    January 03, 2017
    Hi, I've been using the tool to compare GPOs but I'm not sure if I'm doing something wrong as the results in a View/Compare don't appear to show many of the settings.I'm comparing Office settings for two different versions. I've done a view compare and then copied all the settings out to Excel to manipulate. What I found was that some of the settings just aren't listed. Examples are Administrative Templates\Microsoft Outlook 2013\Miscellaneous\Microsoft Outlook\List of managed add-insAdministrative Templates\Microsoft Outlook 2013\Account Settings/Exchange/Automatically configure profile based on Active Directory Primary SMTP addressWhat I have done is the followingI've backed up the two GPOs I'm interested in.Click Add and selected Add files form GPOsSelected the folder with the GPOs inSelected Each GPO individually and selected Import and created a new Rule set in a new folderUpdated my Policy Rule set to the rule set folder.I've then selected the two and compared.I've also looked at them individually.If I check the rule set text file a quick search does not show anything related to the examples above.Is this an error on my part, a limitation or a problem? If there are so many settings missing I'm not sure I can rely on the results as a comparison. Hopefully it is something I am doing wrong.
    • Anonymous
      January 03, 2017
      Think it might be something I've done. I did the export again from the GPO and found my Addins and the Account settings might be in a different registry key than I was looking at. My first export I got 55 settings, in my second I got 58. So please ignore this I'll go away and check the settings again and see if I can match the registry key to the policy. Doh!I did notice it doesn't show scripts that are run, is this possible to export too, along with everyone desire for Preferences? Thanks
  • Anonymous
    January 10, 2017
    HiI've noticed on one of my policies it shows a HKCU setting in the policy but if you look at the policy in the GUI, there are no HKCU settings.The setting is Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSave TimeOutThis is a new policy I created, who's source was an existing policy which did not have this setting. When I look at the source policy in the tool there are no HKCU settings, as expected.Any ideas where this might be referencing?[Aaron Margosis] HKCU (HKEY_CURRENT_USER) is set by User Configuration. That registry value is configured through User Configuration\Administrative Templates\Control Panel\Personalization\Screen saver timeout.
    • Anonymous
      January 10, 2017
      ****end user error*****I'm guessing something merged in my policy rules for two of the GPOs. Re did my GPO import and its gone
  • Anonymous
    March 22, 2017
    Hi Aaron, I can't get the Split-PolicyRules .ps1 to work, I create a combined PolicyRules file by importing the Root GPO Folder, but when i run the command (D:\PolicyAnalyzer.3.1\Split-PolicyRules.ps1 .\combined.PolicyRules .\Split" It just crates a carbon copy of the "combined.PolicyRules" file as "Split-.PolicyRules", what am I missing ?Thanks !Rich[Aaron Margosis] Do the GPOs in the combined set have names? The script depends on the GPOs having names associated with them.
    • Anonymous
      March 22, 2017
      I tried another approach, and exported a report from GPOM, and tried again but now I get this message.Exception calling "ContainsKey" with "1" argument(s): "Key cannot be null.Parameter name: key"At D:\PolicyAnalyzer.3.1\Split-PolicyRules.ps1:34 char:9+ if ($gpoBuckets.ContainsKey($polName))+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : ArgumentNullExceptionProbably worth me mentioning that we are heavily behind an still on a 2003 domain model
    • Anonymous
      March 23, 2017
      Yes, there are 565 counts of in the combined PolicyRules file, and each one is populated.
      • Anonymous
        March 23, 2017
        Dont worry, I solved it, I took a backup of all GPO's, I had manually copied them prior. All working now
      • Anonymous
        March 23, 2017
        Dont worry, I solved it, I took a backup of all GPO's, I had manually copied them prior. All working now
  • Anonymous
    March 23, 2017
    Hi Aaron, I keep using this tool in my daily work and it's makes a difference, so big thanks for that!One thing that I keep getting back to, is that when comparing several GPO's there is grey, white and yellow highlights, but I miss Green highlights, i.e., where is the same value configured in two or more GPO’s and no conflicts.In addition, it would be beneficial that the excel exports (both table and all data) get a column that posts status of the setting, like single, match and conflict to help sorting the data. It could be my lack of Excel-knowhow to sort this with some lookup function, but I think it would be a great added value to the tool.[Aaron Margosis] It never used green to show "duplicated but non-conflicting." It still uses a light gray to indicate that.For sorting and filtering based on status, I filter on cell color. Click the filter button at the top of the column, Filter By Color, pick a color. You can also sort by color, but I usually keep the sorting as it is.Hope this helps.
    • Anonymous
      March 28, 2017
      haha yeah, there is aparently something called filter by color, haven't seen that one before, thanks! - the more you know :)[Aaron Margosis] I think Excel has 3 billion separate individual valuable features, and I probably know 12 of them.
  • Anonymous
    March 29, 2017
    Hello,when I use the "Add files from GPO(s)..." option and choose the root folder I get an error because I don't have permission to all GPOs. Is there a way to skip them and just add the ones I have access to?
  • Anonymous
    May 08, 2017
    Is there a way to export the local security policy in a format that will for import into Security Compliance Manager? If so how? Thanks!
  • Anonymous
    May 15, 2017
    Awesome tool. Just discovered this over the weekend. I have been inputting the DISA STIG information into the PolicyRules format. Is there a way that an extra tag or two can be added within the xml structure? This would facilitate a DISA V-Key and SV Rule for possible import in the DISA STIG Viewer when auditing the system per DoD requirements.
  • Anonymous
    August 25, 2017
    Hi AaronHave been using this tool for the first time recently and it is great, so thank you.One thing that would be useful to me would be to have a column for the Policy Path. I know this is shown in the Details pane but it makes it more time consuming when comparing baselines to current GPOs and would also help with sorting.ThanksMark[Aaron Margosis] When I want all that information in a sortable, filterable grid, I "Export all data to Excel." And its default sort is by policy path.
  • Anonymous
    October 16, 2017
    I still haven't figured out how to edit an existing group policy backup. There are no instructions or help that tell me how to do this. At least with SCM I could edit the policy.[Aaron Margosis] We recommend setting up a standalone "dummy" domain controller and editing using the built-in tools or third-party tools. Or if you're a little more adventurous, import them into a production AD but be careful about where you apply them. There are some who would suggest not editing these baselines, but instead creating a delta policy that gets higher precedence than the baseline. That might make maintenance easier than having to perform the same edits whenever a new baseline comes out.