Identifying Problematic Group Policy Objects (GPO)

I was recently tasked with identifying which GPO was applying some problematic values. In this case, a GPO was setting a Windows Explorer policy key that hid all local drives.

In an ideal scenario the environment would have clearly named Group Policy Objects which would make such a task much simpler, but in this case it was a legacy environment which had been managed by a number of administrators with various levels of competency. This resulted in an environment with over 80 group policy objects and no standard naming convention.

Prerequisites

You need to have some idea of which setting is causing the problem. The searches can be generic, but you can't go in completely blind and still make use of them.

Method 1, searching GPO for Registry Key

  1. Perform this from a domain controller
  2. Open a new PowerShell window
  3. Type:
    Get-GPO -All | Get-GPRegistryValue -Key <Reg Key> -EA SilentlyContinue

For example:
    Get-GPO -All | Get-GPRegistryValue -Key HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer -EA SilentlyContinue

The -EA switch sets the error action to SilentlyContinue, which hides the errors raised for every GPO that does not set the registry key. This matters because we're checking the key against all existing GPOs in the current domain.
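Method 1 as a reusable function that reports each matching GPO by name alongside the values it sets. This is an added example, not code from the original post; the function name `Find-GpoByRegistryKey` and its parameters are hypothetical, and it assumes the GroupPolicy module is available (a domain controller or a machine with RSAT installed).

```powershell
#Requires -Modules GroupPolicy

# Hypothetical helper (not from the original post): list every GPO in the
# domain that sets a value under the given registry policy key.
function Find-GpoByRegistryKey {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Key,                          # e.g. HKCU\Software\...\Policies\Explorer
        [string]$ValueName,                    # optional: narrow to a single value name
        [string]$Domain = $env:USERDNSDOMAIN   # assumption: run as a domain user
    )

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # GPOs that do not touch the key raise an error; suppress it as in Method 1.
        $settings = Get-GPRegistryValue -Guid $gpo.Id -Domain $Domain -Key $Key `
                        -ErrorAction SilentlyContinue

        foreach ($s in $settings) {
            # Entries that describe a subkey carry no value name; skip them.
            if (-not $s.ValueName) { continue }
            if ($ValueName -and $s.ValueName -ne $ValueName) { continue }

            # Emit one row per value so the owning GPO is explicit.
            [pscustomobject]@{
                GpoName   = $gpo.DisplayName
                GpoId     = $gpo.Id
                GpoStatus = $gpo.GpoStatus
                Modified  = $gpo.ModificationTime
                ValueName = $s.ValueName
                Value     = $s.Value
                Type      = $s.Type
            }
        }
    }
}

# Usage: the Explorer policy key from the example above.
Find-GpoByRegistryKey -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' |
    Sort-Object GpoName |
    Format-Table -AutoSize
```

Get-GPRegistryValue only reads registry-based policy settings; registry items deployed through Group Policy Preferences are read with Get-GPPrefRegistryValue instead.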

Method 2, searching GPO for Policy Element

  1. Perform this on the affected computer, logged in as the affected user account
  2. Open an elevated command prompt
  3. Type:
    gpresult /v | find "<setting>"

For example:
    gpresult /v | find "Explorer"

The /v switch enumerates the applied settings, which lets us quickly identify the potential culprits by piping the output to a search. This returns both computer and user settings; you can limit it to one of them with /scope on gpresult if needed.

Method 3, searching GPO for Policy Element using the “Search” function in the Group Policy Editor snap-in

  1. Perform this from a domain controller
  2. Open gpedit.msc
  3. Right-click on Forest: forestname and select Search
  4. Select the domain from the drop-down
  5. Select search items. If you cannot locate the exact item (such as a setting under Windows Components), that's because those are technically applied via the registry, so select Registry
  6. Click Add
  7. Click Search
  8. Although the resulting GPO list won't give you the exact detail, it gives you a much smaller set of items to work with. You can click on a GPO listed in the search results to quickly jump to it in GPEdit, and from there use Settings and Expand All to manually search for the policy in question

 

