There is a plethora of information in Active Directory and Group Policy. Every new release of Server simply compounds this information. 9 times out of 10, everything you will ever need is on TechNet. Finding it is the problem. To make sense of this overload and to find exactly what I want when I need it, I use these two tricks.
Wrapping up our series on finding technical information quickly, we are going to explore the Group Policy Search service a little bit more. With over 3400 policy settings that can be configured in multiple ways, finding (and understanding) that perfect setting can be a challenge. Because you will likely be hunting these settings in Group Policy Management Console (GPMC), we are going to add a search option that links us back to the Group Policy Search service.
How many GPOs do you have in your domain?* How many settings do you have configured? If you needed to find every GPO with a certain setting, could you easily do it? In this guide, we are going to cover two ways that you can search Group Policy in your domain.
Method 1: Searching GPOs with the GUI
Launch the GPMC, right click on your Forest, and select Search. From here, you can search for GPOs, links, and even certain CSE settings (like all GPOs with a printer in them). I used Group Policy for several years before someone showed me this search feature. Completely blew me away!
There are two downsides to this search feature. First, User Configuration searching will not work on Windows 8+ machines. Second, you can’t search for specific settings (like all GPOS with a specific printer in them).
Method 2: Searching Group Policy with PowerShell
Back in 2009, Microsoft’s Group Policy team posted a PowerShell script that lets you find specific group policy settings. Like the GUI search, you can also use it to find all GPOs with certain CSEs. But it can also dive into each GPO and find specific settings, configuration, etc. To get started, download and extract the SearchGPOsForSetting script. In the comments, you will see two links and several examples to help you.
Let’s say that you want to find all GPOs that have the Administrative Template Run these programs at user logon set to Enabled. You would start by looking up the CSE extension name. Right click on any GPO with a configured administrative template in it. Select Save Report and change the Save as Type to XML.
Open the saved report in Notepad and search for the configured setting. In the extension line, the last value is the extension that you will search by. The screenshot below shows that Administrative Templates use the Registry extension.
Now that we know our extension, we can launch PowerShell ISE and search for our specific setting. Our search will look like:
.\SearchGPOsForSetting.ps1 -IsComputerConfiguration $true -Extension Registry -where Name -is “Run these programs at user logon” -Return State
After a few minutes, our results will look like:
By using these two methods, you should be able to find any Group Policy setting or configuration in your environment! If you have any issues with the script (or questions), just leave a comment below. If you are ever needing to find out more information on a specific setting, you can use this GPSearch guide.
*PowerShell way to count GPOS: (Get-GPO -all).count