Author Posts

August 12, 2016 at 11:30 am

Morning All,

I`ve been tasked with writing a PowerShell script that generates a report of all of our GPO`s.

I am wondering if there is a way using the GroupPolicy module to retrieve the location in the registry that an administrative template is modifying.

For example,

I have the policy Computer Configuration/Microsoft Office 2013 (Machine)/Updates Enable Automatic Updates set to disabled. Is it possible to get the full path under HKLM that this policy changes?

I currently use a mix of Win7, Win8.1, and Win10 in my environment. PowerShell 4.0 and above in my environment as well.

August 13, 2016 at 12:36 pm

You can use Get-GPRegistry value but you have to specify the key. I knocked up this script which uses recursion to walk through a group policy object and expanding the key path until it finds a policy setting:

function Get-GPORegistryKeys {

param (
    [string]$GPOName,
    [string]$key
)

    $keyCollection = Get-GPRegistryValue -Name $GPOName -Key $key | Select -ExpandProperty FullKeyPath
    
    foreach ($subkey in $keyCollection) {
        
        $keyInfo = Get-GPRegistryValue -Name $GPOName -Key $subKey

        if (($keyInfo.gettype() | Select -expandproperty Name) -eq 'PolicyRegistrySetting') {

            Write-Output "$($keyInfo.fullkeypath)\$($keyInfo.valuename)"
        
        } #end if 

        else {

            Get-GPORegistryKeys -GPOName $GPOName -key $subkey
        
        } #end else 

    } #end foreach $subkey

} #end Get-GPORegistryKeys function

Get-GPORegistryKeys -GPOName TestSales -Key HKLM\Software

Output:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
HKEY_LOCAL_MACHINE\Software\policies\microsoft\office\15.0\common\officeupdate\enableautomaticupdates

September 1, 2016 at 6:18 pm

Thanks for the reply!

I've tried the snippet, but the code is failing to produce any results on my machine.

I've set some breakpoints in the code to see what's going on. It gets down to where some registry values are, but then gets stuck in a recursive loop.

When stepping through the code, $keyinfo.gettype() returns System.Array for the basetype, object[] for the name.