Suppose you are a sysadmin working within an Active Directory or a user who is part of a domain. In that case, you may have to view or create reports on the GPOs applied to your organization, or your user account, in particular.
There can be hundreds of GPOs created and applied within your domain, and keeping track of all of them, and which Organizational Units (OUs) they are applied to, can be a headache. This is why you can quickly generate detailed reports on GPOs using PowerShell and find all sorts of information on them within seconds.
In this article, we are going to be using the Get-GPOReport and the GPResult commands with different parameters and switches to generate both XML and HTML reports and get in-depth information about the different GPOs.
Table of Contents
Table of Contents
This article is designed for advanced users as well as the people who aren’t tech-savvy and have no understanding of what GPOs are, and how they work. So bear with us while we go over a few basics.
What are Group Policy Objects (GPOs)
Before we briefly understand a thing or two about GPOs, we advise you to go through our separate post on Active Directories and Forests, if you don’t already know what they are.
A Group Policy Object is a collection of policies applied by the system administrator throughout the domain. There can be any number of GPOs applied to different users, computers, and groups. Each GPO holds a set of policies that will automatically apply to the Organization Unit (OU) they are linked with.
For example, if your computer is part of the OU named “HR Department,” then all the policies and rules within the GPOs applied to the “HR Department” OU will automatically apply to your computer.
The policies are there to control what the items inside the OUs can and can’t do, which resources they can access, etc.; securing the overall network infrastructure.
This is also one of the reasons why getting to generate GPO reports may be beneficial for you.
What is Get-GPOReport and GPResult
Both Get-GPOReport
and GPResult
are PowerShell commands that you can use to view and compile reports on the GPOs. These can be used by both the sysadmins as well as the end users (as long as the permissions are granted) to get an insight into the applied GPOs.
Both of the aforementioned commands more-or-less do the same thing – get detailed information on the Group Policies applied within the domain. However, the Get-GPOReport is more focused on generating reports while the GPResult is focused on obtaining and viewing information, even for remote computers and specific users.
Both of these cmdlets can be used with various switches and parameters to filter results or use them to find specific information.
The tables below list the switches that can be used with each command:
-
Table of parameters for Get-GPOResult
Parameters Details -All Get details on all GPOs -Name Name of a specific GPO -GUID GUID of a specific GPO -ReportType HTML or XML output -Path Complete path to save the report -Domain Name of the domain -Server Name of a specific server Parameters for Get-GPOResult command -
Table of switches for GPResult
Switches Details /R To get details of applied GPOs /S To get details of applied GPOs on remote computer /H To generate an HTML report /U To get details of applied policies on specific user (used with /R) /P Password for user account (used with /U) /Scope Shows policy and group details for the local computer or user /Force Forcefully overwrite existing reports with same name (used with /H) /Verbose Shows additional information like security privileges, public key policies, etc. Switches for GPResult command
Now that we understand what the different switches and parameters do with each command, let us continue to see how to use them. However, there is one more thing that you must consider before proceeding forward with generating the GPO reports, which are the prerequisites.
Before Generating GPO Reports
You need the right permissions and access rights to be able to obtain GPO information. If your user or computer does not have the required privileges, then running any cmdlets may result in errors. Here are a few conditions to meet first:
-
You must install the Group Policy PowerShell Module before performing any other tasks. This module is part of the Remote Server Administration Tools (RSAT). Learn how to install RSAT tools on Windows, or you can use the following command in PowerShell on Windows Server to install it:
Install-WindowsFeature -Name GPMC
-
You are logged in to a device that is a part of the AD domain from which you will be retrieving GPOs.
-
You are using a domain user account with at least read-only access to GPOs.
If your computer and user account satisfy these conditions, you can now continue to generate XML or HTML reports using the given guide below.
List All GPOs in PowerShell
If you already know the name of a specific GPO for which you want to obtain the details, you can skip to the next section. However, to get a complete list of all the GPOs on your domain, run the following command in an elevated PowerShell instance:
Get-GPO -All
Note down the “Display Name” for the GPO that you want to get more details on. This information will be useful when generating reports on a specific GPO.
Generate GPO Report using Get-GPOReport in PowerShell
Create HTML, XML Report on a Single GPO
As mentioned earlier, you can generate both HTML and XML reports using the Get-GPOReport
cmdlet. In this section, we show you how to create them both using the name of the GPO as well as its GUID.
Generate GPO Report using GPO Name
-
Export GPO report to HTML using GPO Name
To create a GPO report in HTML for a single GPO using its name, use the following syntax in PowerShell:
Replace [NameOfGPO] with the actual name of the GPO (as noted in the section above, and [PathToSaveFile] with the complete path to where you want to generate the HTML report.
Get-GPOReport -Name '[NameOfGPO]' -ReportType 'HTML' -Path '[PathToSaveFile].html'
As you can see in the image above, the HTML report has been generated, which you can now open using your default web browser. The report will look something like this:
As you can see, the report gives complete details about the GPO, including its domain, status, the OU it is applied to, etc.
-
Export GPO report to XML using GPO Name
To generate a GPO report in the XML format, all you need to do is change the value for ReportType to “XML” and the file extension at the end of the path. Use the following syntax to generate an XML report for a single GPO using its name in PowerShell:
Get-GPOReport -Name '[NameOfGPO]' -ReportType 'XML' -Path '[PathToSaveFile].xml'
You can now open the XML report in any support application.
As you can see from the image above, the XML report lists more details as compared to an HTML report, which is why it is usually preferred over an HTML report by sysadmins.
Generate GPO Report using GPO GUID
A GUID is a unique identifier assigned to each GPO. You can also generate reports for a single GPO using its GUID. However, the process still needs you to know the GPO’s name. In the steps below, the name of the GPO is used to obtain its GUID.
-
Export GPO report to HTML using GPO GUID
Use the following cmdlets and run them in the same sequence to obtain the GUID for the single GPO and then generate its report in HTML. Replace all the necessary variables according to your conditions and requirements:
$guid = (Get-GPO -Name '[NameOfGPO]').Id Get-GPOReport -Guid $guid -ReportType 'HTML' -Path '[PathToSaveFile].html'
-
Export GPO report to XML using GPO GUID
Similar to the HTML method, you can also generate an XML report for a single GPO using its GUID by changing the “ReportType” to “XML” and the file extension at the end of the path.
$guid = (Get-GPO -Name '[NameOfGPO]').Id Get-GPOReport -Guid $guid -ReportType 'XML' -Path '[PathToSaveFile].xml'
Create HTML, XML Report on All GPOs
Previously, we had discussed two methods for generating an XML or an HTML report on a single GPO using its name or GUID. How, let us show you how to generate a report for all the GPOs applied within your domain.
To generate a report on all GPOs, you do not need to use the -Name
or -GUID
parameter. Instead, we use -All
.
To generate an HTML report on all GPOs from PowerShell, use the following cmdlet:
Get-GPOReport -All -ReportType Html -Path "[PathToSaveFile].html"
To generate an XML report on all GPOs from PowerShell, use the following cmdlet:
Get-GPOReport -All -ReportType XML -Path "[PathToSaveFile].xml"
In the examples above, a single report is generated which contains the details for all the GPOs applied within your domain. If you want to generate a list of all the GPOs individually, then you must run the following script in PowerShell:
Replace [PathToSaveFiles] with the location of the folder where you want to save the individual reports. You can also change “HTML” with “XML” to create XML reports instead. Make the changes to the script before pasting it into PowerShell.
$allgpos = Get-GPO -All | Select-Object -ExpandProperty DisplayName
foreach ($g in $allgpos) {
Get-GPOReport -Name $g -ReportType HTML -Path [PathToSaveFiles]\$g.html
}
Generate GPO Report using GPResult in PowerShell
You can also generate GPO reports using the GPResult
cmdlet in PowerShell. However, unlike Get-GPOReport
, GPResult can only generate reports in HTML.
To generate an HTML report using GPResult in PowerShell, use the following cmdlet:
GPResult /H [PathToSaveFile].html
You can also use the rest of the switches mentioned at the beginning of the article to get different sorts of information on GPOs. For example, using the “/R” switch, you can view GPO details inside the PowerShell window without generating a report.
Find GPO Details Linked to Which OU for Single GPO
Using the XML report, you can find out which Organizational Units a GPO is applied to. This cannot be achieved with HTML reports since they do not include that information. This is another reason why the sysadmins prefer XML reports over HTML.
Use the following steps to get which GPO is linked to which OUs:
-
Generate an XML report for a single or all GPOs using the methods shared above.
-
Open the XML file and look for the GPO you want to know about.
-
Look for the “LinksTo” node near the end of the GPO details.
Here, you will find the name(s) of the OUs the GPO is linked to.
If the GPO is linked to multiple OUs, you will find multiple “LinksTo” nodes, and each of them will have an OU name the GPO is linked to.
Notice that this method can be frustrating as there are many number of lines to skim through to find the “LinksTo” node. An easier way to find the OUs linked to a GPO is by getting a brief report on all of them.
Find GPO Details Linked to Which OU for All GPOs
You can use a small script in PowerShell to generate a list of all GPOs and their associated OUs to find which GPO is linked to Which OU.
Run the following script in PowerShell to generate a list of GPOs and linked OUs:
$AllGpos = Get-GPO -All
$GpoLinks = foreach ($g in $AllGpos){
[xml]$Gpo = Get-GPOReport -ReportType Xml -Guid $g.Id
foreach ($i in $Gpo.GPO.LinksTo) {
[PSCustomObject]@{
"Name" = $Gpo.GPO.Name
"Link" = $i.SOMPath
"Link Enabled" = $i.Enabled
}
}
}
$GpoLinks | Sort-Object Name
As you can see from the image above, a list of the GPOs applied within the domain and their associated OUs are now listed in front of us.
If you find that one GPO is listed more than once, it will be because it has been linked to more than one OU. You will then find a different OU in front of the same GPOs.
Fix “Get-GPO is Not Recognized”
You may encounter several types of errors while trying to generate GPO reports using the methods shared above. One of these errors could be the following:
The term ‘get-gpo’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
If so, perform the following steps to fix the issue:
-
First, make sure that the Group Policy Management Tools are installed.
You can confirm this from the Server Manager – Add roles and features.
If the feature isn’t installed, install it.
-
Once confirmed, run the following command in an elevated PowerShell instance:
Import-Module grouppolicy
These steps will install the Group Policy PowerShell module, and the “Get-GPO” command should now be recognized.
Frequently Asked Questions (FAQs)
How to export GPO settings to CSV file?
Unfortunately, there is no native method to export/save GPO settings to a .CSV file. There used to be an option to save/export GPO files as a .CSV file, but that is no longer available. However, you can use third-party tools like AD-Manager Plus, that provide you the ability to save GPO files as CSV files, which can then be opened in Microsoft Excel.
Get-GPO vs Get-GPOReport: What’s the difference?
Both the Get-GPO and the Get-GPOReport commands are PowerShell commands used to fetch information on the Group Policy Objects. However, while the Get-GPO command shows the information inside the PowerShell window, the Get-GPOReport command generates a detailed report on the GPOs in either HTML or XML format.
How to fix the “Get-GPOReport index was out of range” error?
If you are running Windows 7 or Windows Server 2008 R2, then this error likely occurred because the Group Policy reporting module incorrectly uses hard-coded index values to query the task information about a scheduled task. Microsoft has already fixed the issue through Windows Update.
If this issue occurred on Windows 10 or late, or Windows Server 2012 R2, then you may not have installed the Group Policy Management PowerShell module. You can install it by running the following command, or from the Optional Features:
Install-WindowsFeature -Name GPMC