How can I write a script that determines if Local Group Policy is applied?

This topic contains 1 reply, has 2 voices, and was last updated by Rob Simmers 2 months, 1 week ago.

  • #54385
    Kiran
    Participant

    I know how to visually use the GUI and examine the Local Group Policy in an MMC. I often find that these settings are discrepant with the registry settings for WSUS. For hundreds of servers, I would like to create a PowerShell script to log into these machines and see if Local Group Policy is discrepant with the registry settings. I'd also like to know if the Local Group Policy is enforced and applicable. I read that the registry settings override the Local Group Policy (as seen in the GUI). I know how to write PowerShell scripts to log into numerous servers. I do not know how to write a PowerShell script to tell if Local Group Policy settings for WSUS and automatic updates are enforced (and have been applied).

    I do not know how to write a PowerShell script to tell if the Local Group Policy settings for WSUS that are being applied (e.g. the frequency with which checks for updates are made and the WSUS server the client communicates with) are discrepant with the local registry settings for WSUS.

    I tried commands like this:

    GPResult /Z | sls "Local Group Policy" -Context 2,2

    GPResult /Z | sls "GPOs were not applied" -Context 2,2

    Either of the commands' results could have long lists. How do I use PowerShell to reliably and automatically determine if the Local Group Policy settings are enforced and if they are consistent with the registry settings for WSUS or not? For this post, my only concern with Local Group Policy settings is with those for configuring WSUS settings (e.g., frequency of updates, which WSUS server to use, etc.).

  • #54389
    Rob Simmers
    Participant

    All that group policy is doing, as you alluded, is setting registry settings. So, if the goal is to see if the settings are set as expected, you can just compare registry values versus seeing if policies are applied. This has been discussed in the past: https://powershell.org/forums/topic/group-policy-results/

    With that said, there are a lot of examples of reading the registry, but if you query values and compare them to what you are expecting you should be able to ascertain if policy is not being applied if the values don't match.
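
One way to do the registry comparison suggested in the reply above, as an added example that is not part of either post: it reads the Windows Update policy keys on each server and reports any value that is missing or differs from a baseline. The WSUS URL, the baseline values and `servers.txt` are assumed placeholders; these keys hold the effective policy values whether local or domain policy wrote them, so a mismatch shows drift from the baseline, not which policy caused it.

```powershell
# Expected WSUS client policy values (constructed placeholders; use your own baseline).
$Expected = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' = @{
        WUServer       = 'http://wsus.example.internal:8530'
        WUStatusServer = 'http://wsus.example.internal:8530'
    }
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' = @{
        UseWUServer               = 1
        DetectionFrequencyEnabled = 1
        DetectionFrequency        = 22
    }
}

# Runs on each target and returns one record per expected value.
$Check = {
    param($Expected)
    foreach ($path in $Expected.Keys) {
        # A missing key means no policy has written these settings on this machine.
        $actual = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in $Expected[$path].Keys) {
            $want = $Expected[$path][$name]
            $have = if ($actual -and $actual.PSObject.Properties[$name]) { $actual.$name } else { $null }
            $status = if ($null -eq $have) { 'Missing' } elseif ("$have" -eq "$want") { 'Match' } else { 'Mismatch' }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Key      = $path
                Name     = $name
                Expected = $want
                Actual   = $have
                Status   = $status
            }
        }
    }
}

# servers.txt is a hypothetical file with one computer name per line.
$Servers = Get-Content -Path .\servers.txt
$Results = Invoke-Command -ComputerName $Servers -ScriptBlock $Check -ArgumentList $Expected `
    -ErrorAction SilentlyContinue -ErrorVariable Unreachable

# Keep only the drift, and list machines that returned nothing so they are not read as compliant.
$Results | Where-Object Status -ne 'Match' |
    Select-Object Computer, Key, Name, Expected, Actual, Status |
    Export-Csv -Path .\wsus-policy-drift.csv -NoTypeInformation
$Unreachable | ForEach-Object { Write-Warning "No result: $_" }
```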
