GPO Tools

Clean Registry Policy Utility 1.1

The Clean Registry Policy utility is a command-line tool for listing and removing registry policies, preferences and Software Restriction Policies. You can list each type of registry policy from the tool and then optionally remove each type (or all types). This tool is unique in that normally there is no easy way to remove preferences–those Administrative Template policies that fall outside of the four special policy keys that Microsoft provides. Preferences tattoo the registry until they are explicitly removed or disabled. This utility lets you remove all preferences that were previously set on a machine. In addition, this utility can help you clean a system that has been removed from a domain and still has “orphaned” registry policy entries that are causing problems. You can view all of the command-line switches available on the tool by typing cleanregpol /?.

GPO Deny Finder 1.0

This utility scans all GPOs in your domain and looks for Deny ACEs . If it finds them, it reports out the GPO, the Trustee (i.e. user,group, computer) that is assigned to the ACE and the permission that is set to denied (usually permGPOApply for Read and Apply Group Policy permissions).

GPO Version Powershell Cmdlets

Powershell cmdlets to get GPO version information and also to “Touch” a GPO’s version to force clients to think the GPO has changed.

WMI Filter Validation Utility

Updated! July/8/2011

Validates GPO WMI Filters against live systems to make sure that the filter you write will pass or fail as expected. Provides timings that let you identify WMI filter impact on GP Processing.

PowerShell Cmdlets for Group Policy

NEW version. 25 PowerShell cmdlets for GPMC (in Server 2008, Vista, SP1 version)–builds on what we have here with the following:

Add-SDMgplink: Links a GPO to a particular AD container (site,domain or OU)
Get-SDMgplink: Retrieves a list of linked GPOs from a particular AD container
Remove-SDMgplink: Removes a GPO link from a given AD container
Export-SDMgpo: Backs up a GPO to a given folder path
Get-SDMgpo: Retrieves information about one or all GPOs in a domain
New-SDMgpo: Creates a new GPO in a domain
Remove-SDMgpo: Deletes an existing GPO from a domain
Restore-SDMgpo: Restores a GPO from backup
Get-SDMgpoBackups: Retrieves the list of all backed-up GPOs (or a given GPO) from a given folder path
Add-SDMgpoSecurity: Adds a GP permission (ACE) for a given group to a given GPO
Get-SDMgpoSecurity: Retrieves a list of GP permissions from a given GPO
Remove-SDMgpoSecurity: Removes a particular permission for a given group from a given GPO.
Add-WMIFilterLink: Links an existing WMI filter to a GPO
Copy-SDMStarterGPO: Copies an existing Starter GPO to a new Starter GPO (Server 2008 and Vista, Sp1 only)
Get-SDMStarterGPO: Retrieves a reference to and information on a named Starter GPO (Server 2008 and Vista, Sp1 only)
Get-SDMWMIFilter: Retrieves a reference to and information on one or all WMI Filters in a domain
New-SDMStarterGPO: Creates a new Starter GPO (Server 2008 and Vista, Sp1 only)
Out-SDMGPSettingsReport: Creates an xML or HTML GPO Settings report
Out-SDMRSOPLoggingReport: Creates and XML or HTML Group Policy Results report
Remove-SDMStarterGPO: Deletes a Starter GPO (Server 2008 and Vista, Sp1 only)
Remove-SDMWMIFilterLink: Removes any WMI Filter linked to a particular GPO

You can download these at the SDM Software Site

To get help on the syntax for any cmdlet, just type get-help at a Powershell prompt.
If you have any feedback or questions on these cmdlet, just contact us!

Local GPO Disable Script

This .vbs script will disable the local GPO on a given pre-Vista system (Vista comes with an Admin. Template policy to do this). On Win2K, XP and 2003, there is no centralized way to disable the Local GPO.

You can use this script in a Group Policy Startup Script to accomplish the task. Note that because this script edits a protected file on the local system, a normal user account will not be able to successfully run this, so you won’t be able to deliver it as a logon script. That is why I recommend running it as a startup script.

Vista Central Store Creator Utility

Updated version 1.1 released!

This utility simplifies the creation of the “Central Store” for storing Vista ADMX/ADML templates. Its a very simple utility.

Registry.Pol Viewer Utility

Updated! 12/20/2010

This utility provides read-only access into the registry.pol file (or any other .pol file). Registry.pol is the file that GP uses to store registry-based policy settings made by Administrative Template, Software Restriction Policy or Disk Quota policy.

AD,DNS, FRS, DFS-R,Forwarded Events, Hardware Events Event Log Settings ADM Template

This is a custom .ADM file that exposes the log size and retention method options for the “non-standard” event logs found on Active Directory Domain Controllers.

Updated 28/12/06

GPO Logging Custom ADMX (for Windows Vista)

GPLogging.ADMX : This is a port of gpolog.adm to the new Vista ADMX/ADML file format. Included in the download is the ADMX file for enabling the logs that are still valid in Vista, as well as the language-independent strings file (.ADML) for the English language.

See also the ADM version of this in this Free Tools section.

GPO Logging Custom ADM

This is a custom .ADM file that I created that exposes all the GPO-related logging that I could find documented, including verbose Application Event Log stuff, Software Installation, Folder Redirection, Security, GPMC and even logging of the GPO Editor client itself.

Check out the related ADMX version of this as well!

Command-line Remote GPO Refresh

NEW!!!! PowerShell version of this utility available at SDM Software Freeware Page

This is a command line utility to remotely refresh Group Policy on Win2K, XP or Server 2003.

Group Policy Software Installation Viewer Utility

GPSI “GYPSY” VIEWER UTILITY

Within native tools, there is no way to quickly get an at-a-glance view of all applications deployed via Group Policy Software Installation (GPSI) policy across a domain. This simple GUI utility lets you quickly view all applications that have been published or assigned (or removed) using Group Policy, within a domain. With the newest version, you can also print the list of applications to a report or save it as a .csv file.

GPO Editor Clipboard Utility

UPDATED!!!! This is a handy little MMC namespace extension DLL written for me by one of the smartest guys I know–Chuck McDonald. Chuck can do pretty much anything with code. One thing I’ve always been frustrated about in the GPO Editor tool is the inability to copy the path that you’re currently selected on to the clipboard.

UPDATED!!!! Well, Chuck has come through again and now this utility will copy the entire policy path into the clipboard, from the actual policy item on up! Just as before, select the policy item in the right-hand result pane then hold down CTRL-SHIFT and right mouse click. The whole policy path will be copy to the clipboard. Cool!

This is a handy little MMC namespace extension DLL written for me by one of the smartest guys I know–Chuck McDonald. Chuck can do pretty much anything with code. One thing I’ve always been frustrated about in the GPO Editor tool is the inability to copy the path that you’re currently selected on to the clipboard. This is handy for documenting GPO changes and describing to others where to find a particular policy. If you download this ZIP file, copy the DLL to somewhere on your machine and register it using regsvr32 gpoguycopynodepath.dll. Now, you can’t use it with pre-created GPO .msc files, like those found in the Administrative Tools folder or gpedit.msc, but if you create your own MSC, it works just great. The way it works is, while highlighting a particular path in the left-hand scope pane of a GPO editor tool, press the CTRL and SHIFT keys, then right mouse-click on the node you’re selected on. The full path within the GPO will be copied to the clipboard. For example, if I’ve highlighted Computer Configuration|Windows Settings|Security Settings|Local Policies|User Rights Assignment, then that full path will be copied to the clipboard by pressing CTRL-SHIFT-Right Mouse. Simple! Currently the tool doesn’t capture actual policy items in the right-hand results pane, but that was my next request to Chuck so stay tuned.

GP Time

Updated! November 21, 2012

This handy little utility is designed to quickly and succintly report the last time computer and user Group Policy was run on a local or remote system. If there has been more than one user logged onto the system, the tool will report GP processing times for all users found.

Third Party Tools

GPO Reporter from Alan Kaplan

This is an HTA written by Alan Kaplan, called GPO Reporter.

SysProSoft GP-related Utilities

Alan Cuthbertson over at SysProSoft down in Oz has some cool utilities that I wanted to point out. The latest is a neat parser for Userenv.log files, called Policy Reporter. He’s also got a nifty ADM Template Editor to help simplify the process of creating ADM templates. Finally, He’s got some GP Management software, called PolMan, with some nifty reporting and troubleshooting features.

SpecOps GPUpdate

The SpecOps guys in Sweden have released a very cool free add-on to AD Users and Computers that let’s you graphically and remotely refresh Group Policy on remote nodes as a right-click option in the UI. Its also let’s you do a refresh across multiple machines and provides a cool graphical progress bar. Not bad for a free tool!

RegtoADM

This is part of a set of utilities called NUTS. And can be downloaded at http://yizhar.mvps.org

DISCLAIMER: Everything posted here is offered as is. By downloading it, you accept full responsibility for testing to ensure it does not cause any problems in your own environment. There is no warranty on any of the code or files on this page, so it’s up to you to make sure it’s safe for your environment. Please don’t repost or re-use the tools or content elsewhere unless you get prior approval from the author (all GPOGuy tools are written by me unless otherwise noted). Many of the files on this page are offered as freeware (unless otherwise noted by the author), and as such should not be sold by anyone else.