none
Group Policy Analysis Tool

    Question

  • The Group Policy Analysis Tool (GPAT) does not seem to be working with my GPO's.

    I can view/compare the sample policy rules and all appears good, so I think GPAT is working, but when comparing my own GPO's, they all appear to be the same.

    To test, I copied a GPO and made changes to the copy. I then backed up the original and the copy. I then imported the backups into GPAT and view/compare, but they show as the same. I am guessing there is a problem with the backups or the way GPAT is importing them.

    Thursday, September 22, 2016 11:17 PM

Answers

  • I figured it out.

    When using Policy File Importer, If I select the root folder that holds all the GPO Backups, the next screen shows me all the different types of backups for each Policy i.e. .pol, .inf, .csv files for whichever policy.

    If I had selected the top level folder, I see all the Policy backups I have done. I can then select the files for a chosen policy and import and then give a name for these policy rules. I can then import another set. Both these sets are the same as far as Policy Analyzer is concerned.

    If instead, I select the folder at next level down i.e. the GUID folder for a particular GPO Backup, I still get to select the files, but the Policy Importer only shows the files for one GPO. This method works properly.

    I think this is a bug, as selecting the high level folder is certainly easier as you can then see the policy Names on the next screen, so easier to choose (next level down, backup policy folders are named with GUID's)

    Tuesday, September 27, 2016 4:44 AM

All replies

  • Hi,

    You try to show details pane and show differences.

    Here is an article below about how to use GPAT may be helpful to you.

    Analyze Group Policy Objects with Microsoft Policy Analyzer

    http://www.thewindowsclub.com/analyze-group-policy-objects-policy-analyzer

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 23, 2016 10:12 AM
    Moderator
  • If I select show differences, I do not get any result.

    Showing all, seems to display a limited list and the same in both columns. I am wondering if there is a problem with versions of GP, backups or Analyser importing.

    This is the result I get:

    Policy Type Policy Group or Registry Key Policy Setting Copy of Office 2013 Office 2013
    HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Attachments SaveZoneInformation 2 2
    HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Attachments ScanWithAntiVirus 3 3
    HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ForceClassicControlPanel 1 1
    HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ForceStartMenuLogOff 1 1
    HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Explorer HideSCAHealth 1 1
    HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Explorer LinkResolveIgnoreLinkInfo 1 1
    HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoAutoTrayNotify 1 1
    HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoRecentDocsNetHood 1 1
    HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoWelcomeScreen 1 1
    HKCU Software\Microsoft\Windows\CurrentVersion\Policies\System RunLogonScriptSync 1 1
    HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar TurnOffSidebar 1 1
    HKCU Software\Policies\Microsoft\Control Panel\International AllowableUserLocaleTagList en-NZ en-NZ
    HKCU Software\Policies\Microsoft\Control Panel\International RestrictUserLocales 1 1
    HKCU Software\Policies\Microsoft\Internet Explorer\Control Panel HomePage 1 1
    HKCU software\policies\microsoft\Internet Explorer\Main DisableFirstRunCustomize 1 1
    HKCU software\policies\microsoft\Internet Explorer\Main Start Page http://EPAIntranet http://EPAIntranet
    HKCU software\policies\microsoft\office\14.0\common\general sharedtemplates C:\EPA\Templates C:\EPA\Templates
    HKCU software\policies\microsoft\office\14.0\common\general usertemplates C:\EPA\Templates C:\EPA\Templates
    HKCU software\policies\microsoft\office\15.0\access\security vbawarnings 2 2
    HKCU software\policies\microsoft\office\15.0\access\settings default database directory %HOMEDRIVE% %HOMEDRIVE%
    HKCU software\policies\microsoft\office\15.0\common qmenable 0 0
    HKCU software\policies\microsoft\office\15.0\common updatereliabilitydata 0 0
    HKCU software\policies\microsoft\office\15.0\common\drm disable 1 1
    HKCU software\policies\microsoft\office\15.0\common\general disableboottoofficestart 1 1
    HKCU software\policies\microsoft\office\15.0\common\general optindisable 1 1
    HKCU software\policies\microsoft\office\15.0\common\general sharedtemplates C:\EPA\Templates C:\EPA\Templates
    HKCU software\policies\microsoft\office\15.0\common\general shownfirstrunoptin 1 1
    HKCU software\policies\microsoft\office\15.0\common\general usertemplates C:\EPA\Templates C:\EPA\Templates
    HKCU software\policies\microsoft\office\15.0\common\internet opendocumentsreadwritewhilebrowsing 1 1
    HKCU software\policies\microsoft\office\15.0\common\mailsettings ignorereplyspelling 1 1
    HKCU software\policies\microsoft\office\15.0\common\security openxmlencryptproperty 0 0
    HKCU software\policies\microsoft\office\15.0\excel\options defaultpath %HOMEDRIVE% %HOMEDRIVE%
    HKCU software\policies\microsoft\office\15.0\firstrun bootedrtm 1 1
    HKCU software\policies\microsoft\office\15.0\firstrun disablemovie 1 1
    HKCU software\policies\microsoft\office\15.0\outlook disablepst 1 1
    HKCU software\policies\microsoft\office\15.0\outlook\autodiscover zeroconfigexchange 1 1
    HKCU software\policies\microsoft\office\15.0\outlook\options\calendar\internet free/busy lock fb range 1 1
    HKCU software\policies\microsoft\office\15.0\outlook\options\general check default client 1 1
    HKCU software\policies\microsoft\office\15.0\outlook\options\mail editorpreference 131072 131072
    HKCU software\policies\microsoft\office\15.0\outlook\options\spelling check 1 1
    HKCU software\policies\microsoft\office\15.0\outlook\preferences archivedelete 0 0
    HKCU software\policies\microsoft\office\15.0\outlook\preferences archivegranularity [[[delete]]] [[[delete]]]
    HKCU software\policies\microsoft\office\15.0\outlook\preferences archivemount 0 0
    HKCU software\policies\microsoft\office\15.0\outlook\preferences archiveold 0 0
    HKCU software\policies\microsoft\office\15.0\outlook\preferences archiveperiod [[[delete]]] [[[delete]]]
    HKCU software\policies\microsoft\office\15.0\outlook\preferences deleteexpired 0 0
    HKCU software\policies\microsoft\office\15.0\outlook\preferences doaging 0 0
    HKCU software\policies\microsoft\office\15.0\outlook\preferences everydays [[[delete]]] [[[delete]]]
    HKCU software\policies\microsoft\office\15.0\outlook\preferences fbpublishrange 12 12
    HKCU software\policies\microsoft\office\15.0\outlook\preferences fbupdatesecs 900 900
    HKCU software\policies\microsoft\office\15.0\outlook\preferences promptforaging 0 0
    HKCU software\policies\microsoft\office\15.0\outlook\resiliency\addinlist [[[Delete all values]]]
    HKCU software\policies\microsoft\office\15.0\outlook\resiliency\addinlist Colligo.EmailManager 1 1
    HKCU software\policies\microsoft\office\15.0\outlook\resiliency\addinlist crmaddin.Addin 1 1
    HKCU software\policies\microsoft\office\15.0\powerpoint\recentfolderlist default %HOMEDRIVE% %HOMEDRIVE%
    HKCU software\policies\microsoft\office\15.0\word\options allowautoreadingmode 0 0
    HKCU software\policies\microsoft\office\15.0\word\options doc-path %HOMEDRIVE% %HOMEDRIVE%
    HKCU software\policies\microsoft\office\15.0\word\options officestartdefaulttab 1 1
    HKCU software\policies\microsoft\office\15.0\word\security\trusted locations allownetworklocations 1 1
    HKCU software\policies\microsoft\office\15.0\word\security\trusted locations\location1 allowsubfolders 1 1
    HKCU software\policies\microsoft\office\15.0\word\security\trusted locations\location1 date 30/08/2015 30/08/2015
    HKCU software\policies\microsoft\office\15.0\word\security\trusted locations\location1 description MS Office 2013 Templates MS Office 2013 Templates
    HKCU software\policies\microsoft\office\15.0\word\security\trusted locations\location1 path C:\EPA\Templates C:\EPA\Templates
    HKCU Software\Policies\Microsoft\SystemCertificates\Trust\Certificates [[[create key]]] [[[create key]]]
    HKCU Software\Policies\Microsoft\SystemCertificates\Trust\CRLs [[[create key]]] [[[create key]]]
    HKCU Software\Policies\Microsoft\SystemCertificates\Trust\CTLs [[[create key]]] [[[create key]]]
    HKCU Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates [[[create key]]] [[[create key]]]
    HKCU Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs [[[create key]]] [[[create key]]]
    HKCU Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs [[[create key]]] [[[create key]]]
    HKCU Software\Policies\Microsoft\Windows\App Management COMClassStore 1 1
    HKCU Software\Policies\Microsoft\Windows\Control Panel\Desktop ScreenSaveActive 1 1
    HKCU Software\Policies\Microsoft\Windows\Control Panel\Desktop ScreenSaverIsSecure 1 1
    HKCU Software\Policies\Microsoft\Windows\Control Panel\Desktop ScreenSaveTimeOut 600 600
    HKCU Software\Policies\Microsoft\Windows\Control Panel\Desktop SCRNSAVE.EXE scrnsave.scr scrnsave.scr
    HKCU Software\Policies\Microsoft\Windows\Installer AlwaysInstallElevated 1 1
    HKCU Software\Policies\Microsoft\Windows\NetCache DisableFRAdminPin 1 1
    HKCU Software\Policies\Microsoft\Windows\Personalization ThemeFile %windir%\Resources\Themes\aero.theme %windir%\Resources\Themes\aero.theme
    HKCU Software\Policies\Microsoft\Windows\Safer [[[create key]]] [[[create key]]]
    HKCU Software\Policies\Microsoft\Windows\System\Power PromptPasswordOnResume 1 1
    HKLM Software\Policies\Microsoft\Control Panel\International AllowableSystemLocaleTagList en-NZ en-NZ
    HKLM Software\Policies\Microsoft\Control Panel\International AllowableUserLocaleTagList en-NZ en-NZ
    HKLM Software\Policies\Microsoft\Control Panel\International RestrictSystemLocales 1 1
    HKLM Software\Policies\Microsoft\Control Panel\International RestrictUserLocales 1 1
    HKLM Software\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Enroll\HcsGroups [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\NetworkAccessProtection\ClientConfig\UI [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\ACRS\Certificates [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\ACRS\CRLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\ACRS\CTLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\CA\Certificates [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\CA\CRLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\CA\CTLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\FVE\Certificates [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\FVE\CRLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\FVE\CTLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\Root\Certificates [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\Root\CRLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\Root\CTLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\Trust\Certificates [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\Trust\CRLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\Trust\CTLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\Windows\NetCache Enabled 0 0
    HKLM Software\Policies\Microsoft\Windows\NetCache NoCacheViewer 1 1
    HKLM Software\Policies\Microsoft\Windows\NetCache NoConfigCache 1 1
    HKLM Software\Policies\Microsoft\Windows\NetCache NoMakeAvailableOffline 1 1
    HKLM Software\Policies\Microsoft\Windows\NetCache SyncAtLogoff 0 0
    HKLM Software\Policies\Microsoft\Windows\NetCache SyncAtLogon 0 0
    HKLM Software\Policies\Microsoft\Windows\NetCache SyncAtSuspend [[[delete]]] [[[delete]]]
    HKLM Software\Policies\Microsoft\Windows\Safer [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\Windows\Skydrive DisableFileSync 1 1
    HKLM Software\Policies\Microsoft\WindowsMediaCenter MediaCenter 1 1
    HKLM System\CurrentControlSet\Control\Lsa SCENoApplyLegacyAuditPolicy 1 1
    Security Template Service General Setting "RemoteRegistry" 2,"" 2,""

    Sunday, September 25, 2016 8:45 PM
  • Hi,

    I suggest you try to import two different GPOs to test with the instruction of the article above.

    If the result shows difference between the two GPOs normally, the importing way is OK.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 27, 2016 2:35 AM
    Moderator
  • Hi Jay

    Two different GPO's do show as expected (see subset below)

    HKLM Software\Policies\Microsoft\Windows\Safer [[[create key]]] [[[create key]]]
    HKLM Software\Policies\Microsoft\Windows\Skydrive DisableFileSync 1
    HKLM Software\Policies\Microsoft\WindowsMediaCenter MediaCenter 1 1

    Other GPO's that only have a few differences don't show on Policy Analyzer as different. I will create a couple on new admx policies from scratch and test. Rather than modified copies I used before

    Tuesday, September 27, 2016 3:05 AM
  • I just made 2 new GPO's.  one with camera disabled and one with camera enabled.

    Policy Analyzer does show this difference. The details don't seem to be right though.

    Policy Type Policy Group or Registry Key Policy Setting 1.test 2.test
    HKLM software\Policies\Microsoft\Camera AllowCamera ***CONFLICT*** ***CONFLICT***

    Policy Path:

    <dir>

    Computer Configuration

    Windows Components\Camera\

    Allow Use of Camera

    </dir>

    1.test:

    <dir>

    Option: Enabled

    Data: 1

    Type: REG_DWORD

     

    Option: Disabled

    Data: 0

    Type: REG_DWORD

    </dir>

    2.test:
    Option: Enabled

    <dir>

    Data: 1

    Type: REG_DWORD

     

    Option: Disabled

    Data: 0

    </dir>

    Type: REG_DWORD

    Tuesday, September 27, 2016 3:50 AM
  • I figured it out.

    When using Policy File Importer, If I select the root folder that holds all the GPO Backups, the next screen shows me all the different types of backups for each Policy i.e. .pol, .inf, .csv files for whichever policy.

    If I had selected the top level folder, I see all the Policy backups I have done. I can then select the files for a chosen policy and import and then give a name for these policy rules. I can then import another set. Both these sets are the same as far as Policy Analyzer is concerned.

    If instead, I select the folder at next level down i.e. the GUID folder for a particular GPO Backup, I still get to select the files, but the Policy Importer only shows the files for one GPO. This method works properly.

    I think this is a bug, as selecting the high level folder is certainly easier as you can then see the policy Names on the next screen, so easier to choose (next level down, backup policy folders are named with GUID's)

    Tuesday, September 27, 2016 4:44 AM
  • Hi,

    Thanks for your share.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 27, 2016 5:02 AM
    Moderator