Posted by: Yosef B. | August 22, 2016

Understanding Windows Group Policy Changes


Whether you are a Sys Admin or a user, troubleshooting Windows Group Policy on a domain connected client PC can be difficult. Luckily through the use of a few free programs and a Windows built-in tool, you can make sense out of the Group Policies applied to a computer.

To get started, you will need software that allows you to compare two text or HTML files (I prefer working with HTML as it’s easier to read, but it can be a bit more tricky to understand the file differences). I use the free Notepad++ with its Compare plugin for this, but you can also use the Windows 10 (Anniversary edition 🙂 ) Bash diff command, WinMerge, etc. You can download Notepad++ for free here: https://notepad-plus-plus.org/

In addition, the Sysinternals Process Monitor (ProcMon) program is helpful for identifying which registry settings a Group Policy object modifies. You can download it for free here: https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

Finally, you need to get comfortable with the gpresult command-line tool.

The basic process is as follows:

  1. Generate a Group Policy report using the gpresult command
  2. Review it to see which policies are applied
  3. Use the ProcMon program to monitor which registry settings are applied when you change a group policy
  4. Open / edit a Group Policy
  5. Rerun the gpresult command to generate a new report (make sure to change the name of your output file so you don’t overwrite it!)
  6. Compare the two reports using your program of choice to see what changed!

Step one: Export a list of all applied group policies on the domain-connected computer. To do so, open a Command Prompt as Administrator and type the following command:

gpresult /S Name_of_PC_Goes_Here /H "C:\output_file.html"

Where Name_of_PC_Goes_Here is the name of the PC that you’re generating a Group Policy report for, and C:\output_file.html is the path and file name of the report you want to generate.

If you prefer a text file instead of HTML, remove the /H flag and just pipe the output into a text file, e.g.:

gpresult /S Name_of_PC_Goes_Here >"C:\output_file.txt"

Step two: Open the file in the editor/viewer of your choice to see which group policies are already in place.

Step three: Run ProcMon, press Ctrl+L to bring up the Process Monitor Filter, and then add the following filter conditions:

  1. Process Name is mmc.exe then Include
  2. Operation is RegSetValue then Include

Step four: Open the Group Policy editor and make any changes that you’re interested in.

Step five: Switch over to ProcMon and you should see the registry key(s) listed there. Right click on it and select the Jump To… option from the context menu to open up Regedit and take you to the exact key that was modified.

Step six: Rerun the gpresult command (remember to change your output file name so you don’t overwrite your first report!)

Step seven: Use your program of choice (e.g. Notepad++) to compare the two gpresult reports to see what changed.
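As an added example (not from the original post), here is a small Python script that does the step-seven comparison on the text form of the reports: it pulls the "Applied Group Policy Objects" lists out of two gpresult text outputs and reports which GPOs were added or removed, separately for the computer and user scopes. The two reports are constructed samples in the layout gpresult prints; the GPO names in them are made up.

```python
"""Diff the 'Applied Group Policy Objects' lists of two gpresult text reports."""
# Constructed sample in the layout of `gpresult /S <pc>` text output (report 1).
BEFORE = """\
COMPUTER SETTINGS
------------------
    Last time Group Policy was applied: 8/22/2016 at 9:00:00 AM

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Workstation Baseline

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
"""
# Report 2 (constructed): the same machine after one more GPO is linked to its OU.
AFTER = BEFORE.replace("        Workstation Baseline\n",
                       "        Workstation Baseline\n        Workstation Hardening\n")

def applied_gpos(report):
    """Return {'computer': [...], 'user': [...]}: GPO names listed as applied."""
    result, scope, collecting = {}, None, False
    for raw in report.splitlines():
        line = raw.strip()
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, collecting = line.split()[0].lower(), False
            result[scope] = []
        elif line == "Applied Group Policy Objects":
            collecting = True
        elif collecting:
            if not line or line.startswith("The following GPOs"):
                collecting = False            # blank line ends the applied list
            elif set(line) != {"-"} and line != "N/A":
                result[scope].append(line)    # skip dashed underline / "N/A" marker
    return result

def gpo_changes(before, after):
    """GPO names added to or removed from each scope between the two reports."""
    old, new = applied_gpos(before), applied_gpos(after)
    return {scope: {"added": sorted(set(new.get(scope, [])) - set(old.get(scope, []))),
                    "removed": sorted(set(old.get(scope, [])) - set(new.get(scope, [])))}
            for scope in sorted(set(old) | set(new))}
```

Run it against the two saved text reports (read the files instead of the BEFORE/AFTER samples) to get the GPO-level delta before digging into the registry-level details in the HTML diff.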

Hope this helps! If you have questions leave a comment & I’ll get back to you as soon as I can.

Yosef
