There can be hundreds of GPOs created and applied within your domain, and keeping track of all of them, and which Organizational Units (OUs) they are applied to, can be a headache. This is why you can quickly generate detailed reports on GPOs using PowerShell and find all sorts of information on them within seconds. In this article, we are going to be using the Get-GPOReport and the GPResult commands with different parameters and switches to generate both XML and HTML reports and get in-depth information about the different GPOs. This article is designed for advanced users as well as the people who aren’t tech-savvy and have no understanding of what GPOs are, and how they work. So bear with us while we go over a few basics.
What are Group Policy Objects (GPOs)
Before we briefly understand a thing or two about GPOs, we advise you to go through our separate post on Active Directories and Forests, if you don’t already know what they are. A Group Policy Object is a collection of policies applied by the system administrator throughout the domain. There can be any number of GPOs applied to different users, computers, and groups. Each GPO holds a set of policies that will automatically apply to the Organization Unit (OU) they are linked with. For example, if your computer is part of the OU named “HR Department,” then all the policies and rules within the GPOs applied to the “HR Department” OU will automatically apply to your computer. The policies are there to control what the items inside the OUs can and can’t do, which resources they can access, etc.; securing the overall network infrastructure. This is also one of the reasons why getting to generate GPO reports may be beneficial for you.
What is Get-GPOReport and GPResult
Both Get-GPOReport and GPResult are PowerShell commands that you can use to view and compile reports on the GPOs. These can be used by both the sysadmins as well as the end users (as long as the permissions are granted) to get an insight into the applied GPOs. Both of the aforementioned commands more-or-less do the same thing – get detailed information on the Group Policies applied within the domain. However, the Get-GPOReport is more focused on generating reports while the GPResult is focused on obtaining and viewing information, even for remote computers and specific users. Both of these cmdlets can be used with various switches and parameters to filter results or use them to find specific information. The tables below list the switches that can be used with each command:
Table of parameters for Get-GPOResult ParametersDetails-AllGet details on all GPOs-NameName of a specific GPO-GUIDGUID of a specific GPO-ReportTypeHTML or XML output-PathComplete path to save the report-DomainName of the domain-ServerName of a specific serverParameters for Get-GPOResult command Table of switches for GPResult SwitchesDetails/RTo get details of applied GPOs/STo get details of applied GPOs on remote computer/HTo generate an HTML report/UTo get details of applied policies on specific user (used with /R)/PPassword for user account (used with /U)/ScopeShows policy and group details for the local computer or user/ForceForcefully overwrite existing reports with same name (used with /H)/VerboseShows additional information like security privileges, public key policies, etc.Switches for GPResult command
Now that we understand what the different switches and parameters do with each command, let us continue to see how to use them. However, there is one more thing that you must consider before proceeding forward with generating the GPO reports, which are the prerequisites.
Before Generating GPO Reports
You need the right permissions and access rights to be able to obtain GPO information. If your user or computer does not have the required privileges, then running any cmdlets may result in errors. Here are a few conditions to meet first:
You must install the Group Policy PowerShell Module before performing any other tasks. This module is part of the Remote Server Administration Tools (RSAT). Learn how to install RSAT tools on Windows, or you can use the following command in PowerShell on Windows Server to install it: Install-WindowsFeature -Name GPMC You are logged in to a device that is a part of the AD domain from which you will be retrieving GPOs. You are using a domain user account with at least read-only access to GPOs.
If your computer and user account satisfy these conditions, you can now continue to generate XML or HTML reports using the given guide below.
List All GPOs in PowerShell
If you already know the name of a specific GPO for which you want to obtain the details, you can skip to the next section. However, to get a complete list of all the GPOs on your domain, run the following command in an elevated PowerShell instance: Note down the “Display Name” for the GPO that you want to get more details on. This information will be useful when generating reports on a specific GPO.
Generate GPO Report using Get-GPOReport in PowerShell
Create HTML, XML Report on a Single GPO
As mentioned earlier, you can generate both HTML and XML reports using the Get-GPOReport cmdlet. In this section, we show you how to create them both using the name of the GPO as well as its GUID.
Generate GPO Report using GPO Name
Export GPO report to HTML using GPO Name To create a GPO report in HTML for a single GPO using its name, use the following syntax in PowerShell: Replace [NameOfGPO] with the actual name of the GPO (as noted in the section above, and [PathToSaveFile] with the complete path to where you want to generate the HTML report. Get-GPOReport -Name ‘[NameOfGPO]’ -ReportType ‘HTML’ -Path ‘[PathToSaveFile].html’ Generate an HTML report for a single GPO using PowerShell Get-GPOReport As you can see in the image above, the HTML report has been generated, which you can now open using your default web browser. The report will look something like this: Single GPO HTML report As you can see, the report gives complete details about the GPO, including its domain, status, the OU it is applied to, etc. Export GPO report to XML using GPO Name To generate a GPO report in the XML format, all you need to do is change the value for ReportType to “XML” and the file extension at the end of the path. Use the following syntax to generate an XML report for a single GPO using its name in PowerShell: Get-GPOReport -Name ‘[NameOfGPO]’ -ReportType ‘XML’ -Path ‘[PathToSaveFile].xml’ Generate an XML report for a single GPO using PowerShell Get-GPOReport You can now open the XML report in any support application. Single GPO XML report As you can see from the image above, the XML report lists more details as compared to an HTML report, which is why it is usually preferred over an HTML report by sysadmins.
Generate GPO Report using GPO GUID
A GUID is a unique identifier assigned to each GPO. You can also generate reports for a single GPO using its GUID. However, the process still needs you to know the GPO’s name. In the steps below, the name of the GPO is used to obtain its GUID. To create a GPO report in HTML for a single GPO using its name, use the following syntax in PowerShell: Replace [NameOfGPO] with the actual name of the GPO (as noted in the section above, and [PathToSaveFile] with the complete path to where you want to generate the HTML report. As you can see in the image above, the HTML report has been generated, which you can now open using your default web browser. The report will look something like this: As you can see, the report gives complete details about the GPO, including its domain, status, the OU it is applied to, etc. To generate a GPO report in the XML format, all you need to do is change the value for ReportType to “XML” and the file extension at the end of the path. Use the following syntax to generate an XML report for a single GPO using its name in PowerShell: You can now open the XML report in any support application. As you can see from the image above, the XML report lists more details as compared to an HTML report, which is why it is usually preferred over an HTML report by sysadmins.
Export GPO report to HTML using GPO GUID Use the following cmdlets and run them in the same sequence to obtain the GUID for the single GPO and then generate its report in HTML. Replace all the necessary variables according to your conditions and requirements: $guid = (Get-GPO -Name ‘[NameOfGPO]’).Id Get-GPOReport -Guid $guid -ReportType ‘HTML’ -Path ‘[PathToSaveFile].html’ Generate an HTML report for a single GPO using PowerShell Get-GPOReport using GUID Export GPO report to XML using GPO GUID Similar to the HTML method, you can also generate an XML report for a single GPO using its GUID by changing the “ReportType” to “XML” and the file extension at the end of the path. $guid = (Get-GPO -Name ‘[NameOfGPO]’).Id Get-GPOReport -Guid $guid -ReportType ‘XML’ -Path ‘[PathToSaveFile].xml’ Generate an XML report for a single GPO using PowerShell Get-GPOReport using GUID
Create HTML, XML Report on All GPOs
Previously, we had discussed two methods for generating an XML or an HTML report on a single GPO using its name or GUID. How, let us show you how to generate a report for all the GPOs applied within your domain. Use the following cmdlets and run them in the same sequence to obtain the GUID for the single GPO and then generate its report in HTML. Replace all the necessary variables according to your conditions and requirements: Similar to the HTML method, you can also generate an XML report for a single GPO using its GUID by changing the “ReportType” to “XML” and the file extension at the end of the path. To generate a report on all GPOs, you do not need to use the -Name or -GUID parameter. Instead, we use -All. To generate an HTML report on all GPOs from PowerShell, use the following cmdlet: To generate an XML report on all GPOs from PowerShell, use the following cmdlet: In the examples above, a single report is generated which contains the details for all the GPOs applied within your domain. If you want to generate a list of all the GPOs individually, then you must run the following script in PowerShell: Replace [PathToSaveFiles] with the location of the folder where you want to save the individual reports. You can also change “HTML” with “XML” to create XML reports instead. Make the changes to the script before pasting it into PowerShell.
Generate GPO Report using GPResult in PowerShell
You can also generate GPO reports using the GPResult cmdlet in PowerShell. However, unlike Get-GPOReport, GPResult can only generate reports in HTML. To generate an HTML report using GPResult in PowerShell, use the following cmdlet: You can also use the rest of the switches mentioned at the beginning of the article to get different sorts of information on GPOs. For example, using the “/R” switch, you can view GPO details inside the PowerShell window without generating a report.
Find GPO Details Linked to Which OU for Single GPO
Using the XML report, you can find out which Organizational Units a GPO is applied to. This cannot be achieved with HTML reports since they do not include that information. This is another reason why the sysadmins prefer XML reports over HTML. Use the following steps to get which GPO is linked to which OUs: If the GPO is linked to multiple OUs, you will find multiple “LinksTo” nodes, and each of them will have an OU name the GPO is linked to. Here, you will find the name(s) of the OUs the GPO is linked to. Notice that this method can be frustrating as there are many number of lines to skim through to find the “LinksTo” node. An easier way to find the OUs linked to a GPO is by getting a brief report on all of them.
Find GPO Details Linked to Which OU for All GPOs
You can use a small script in PowerShell to generate a list of all GPOs and their associated OUs to find which GPO is linked to Which OU. Run the following script in PowerShell to generate a list of GPOs and linked OUs: As you can see from the image above, a list of the GPOs applied within the domain and their associated OUs are now listed in front of us. If you find that one GPO is listed more than once, it will be because it has been linked to more than one OU. You will then find a different OU in front of the same GPOs.
Fix “Get-GPO is Not Recognized”
You may encounter several types of errors while trying to generate GPO reports using the methods shared above. One of these errors could be the following: If so, perform the following steps to fix the issue: These steps will install the Group Policy PowerShell module, and the “Get-GPO” command should now be recognized. You can confirm this from the Server Manager – Add roles and features. If the feature isn’t installed, install it.