Properly secure and document group policies

It’s been some time since I started working on the first basic version of the script in August 2014, and posted about it on CONET’s blog. This first version came to just 6 lines of code without the header. Since then a lot has happened and the script has grown in the TechNet Gallery. Time for a new article about the script and its function.

In the current version 1.55, we already have a good 170 lines without the header. What has been added since then? Mainly functions that were requested from me, or problems I had in environments with the script. Since the simple version could do almost nothing, except the basics, here is a list of functions:

Advertisements
  • Cleanup of older backups (older than x days)
  • Filtering out unsupported characters during backup
  • Saving the backup in subdirectories with a timestamp
  • Create a human-readable HTML report to any GPO
  • Creating entries in the event log (with admin rights)
  • Runs without administrative permissions even in the context of a normal user (caution, GPO that the user cannot read will not be saved)
  • Creates log files and a CSV final report

prerequisites

  • PowerShell version 3 or later
  • Group Policy Management is installed locally (Because of the PowerShell module)

Known errors

  • Group policy preferences, e.g. IE 10, depending on the system the script is running on. These settings are saved, but may not be present in the HTML report if the system cannot display them. I can’t change that either, the interfaces are not working anymore.

And what else can the script be used for besides backups?
Some of my customers also use it to monitor changes to the GPO. There the script runs as a scheduled task on a domain controller once a day. So the customer can check changes to the group policies over the period of time used there. Very useful for error analysis, especially if there is more than one administrator.

How do you get the current version? The current version is 1.55 and can be downloaded from the TechNet Gallery. If you like the script, I’m looking forward to a review in the Gallery. If you have any wishes or suggestions, please let me know.

Note about program and Power Shell Code

The code contained here serves as an example. I do not assume any warranty, guarantee or support for the code or its components. Use the code at your own risk.

I always recommend to have a close look at the scripts before using them.

This article first appeared on Infrastrukturhelden.de in German.

This article is a translation of the Infrastrukturhelden.de article “Gruppenrichtlinien richtig sichern und dokumentieren” (Published – 2018-03-05). Links may refer to other Infrastrukturhelden.de articles, these may also be available in English language.

Also it can be, that I still use screenshots of German systems. However, where it is possible for me with little effort, I insert screenshots of English systems.

Advertisements

Author: Fabian Niesen

Fabian Niesen has been working as an IT consultant for years. Here he writes privately and independently of his employer. Among others he is certified as MCSA Windows Server 2008 / 2012, MCSA Office 365, MCSA Windows 10, MCSE Messaging, MCT and Novell Certified Linux Administrator. Since 2016 he is also MCT Regional Lead for Germany. His hobbies are social media, blogging, medieval markets, historical songs and house building.