Powershell and Group policies, CSE change detection RRS feed

  • General discussion

  • Dear Scripting Guys,
    I'm wondering if any of you had ever the interest or the chance to detect via Powershell if and which CSE (within a GP) has been modified and by whom.

    I try to explain better where I want to go, when I analyze a trace via WPA I can see on Generic Events - Providers Name = Microsoft-Windows-GroupPolicy for each CSE how long it takes to apply and which GP have settings on that particular CSE.

    I took a look at the Powershell commands available for GP but I don't see any of them focusing on a CSE context.

    Let say there are 10 GPs applying settings on the same CSE and one or more GPs have been modified since the last time, it triggers a full download of each of the 10GPs previously mentioned to be reapplied to the machine/user.

    In order to identify which policy has been modified,fine I can run this

    Get-Gpo -All | Select DisplayName, ID, GpoStatus, ModificationTime | Sort-Object -Descending ModificationTime | Where-Object ModificationTime -GT '31 July 2018 00:00:00'

    but I can't really know if that policy contains or not the settings on the particular CSE I'm dealin with.

    Do you have an idea on how I can efficiently mix and match this information in order to retrieve first which GPs contains settings for a particular CSE, then within this subset which one have been modified and last on which setting/s

    Thank you in advance.


    • Edited by Matteo S Thursday, August 2, 2018 10:21 AM
    Thursday, August 2, 2018 10:20 AM

All replies

  • If it isn't in the event audit record then you cannot determine this as the GPOs are just text files.  You can only tell the file update time.You can save the old GPO before editing it then use XML to compare the files for the changes.  Best you can do.


    Thursday, August 2, 2018 10:46 AM
  • Here is how to audit GPO changes.  Waring:  This can slow down AD access if set up incorrectly.  Be sure to audit only writes and select only the group(s) with write access to GP.

    The event log events will tell you which files to extract and then load as XML.  Select the CSE nodes and compare them with the previous version using "Compare-Object".


    Thursday, August 2, 2018 10:56 AM
  • Hi jrv,
    I was afraid there were no way to do it without enabling auditing and comparing previous gp file with new gp file.

    I'll keep the post updated if I find another way to handle it.

    Thank you!


    • Edited by Matteo S Monday, August 6, 2018 5:25 AM
    Friday, August 3, 2018 9:40 AM