Where is That Group Policy Setting?


Have you ever asked yourself this question? Well, if you work with Group Policy you have! With a Windows 7/Server 2008 R2 Group Policy Object (GPO), there are an estimated 5000+ individual GPO settings. So, if you have 100 GPOs that means you have the opportunity to have over 5 million GPO settings selected! Now, find the one that you need to look at! Thank goodness there have been innovations that help GPO admins find what they are looking for to manage and configure desktops, and servers throughout the Active Directory enterprise.

Filtering the Administrative Templates

One of the key areas in a GPO is the Administrative Templates sections. There is one under the Computer Configuration, as well as one under the User Configuration. Every setting that can be configured in the Administrative Templates sections are nothing more than a Registry hack. Since the settings are all Registry hacks, it is easy to search for the path, Registry value, and even description that is associated with each setting.

Although the word search is a logical word to use, the interface calls it a “filter”. No matter, the overall result is that you can search for settings within the Administrative Templates sections of a GPO for specific settings, settings with common words, and even those settings that are configured.

In order to get to the filtering option for the Administrative Templates, you just need to edit a GPO, and then expand the nodes down to where you see the Administrative Templates node. By right-clicking on the Administrative Templates node you will see an option, which can be seen in Figure 1.

Figure 1: Filter option associated with Administrative Templates in a GPO.

After selecting the Filter Options menu option you will then be presented with the Filter Options configuration window, shown in Figure 2.

Figure 2: Filter Options configuration window.

You can see that you have many configuration options to find the specific Administrative Template setting that you need. You cannot only look for specific words mentioned in the title, text, and comment for each setting, but you can look for whether the setting meets certain criteria such as being managed, configured, or has comments at all.

For example, let’s assume you want to find every Administrative Template setting that is associated with security, but you don’t want the setting to tattoo the computer so you only want to find managed settings. The filter configuration would look like that in Figure 3.

Figure 3: Filter looking for only settings that don’t tattoo and have the word security in the setting.

Now that you have filtered the Administrative Template settings with the criteria in Figure 3, the resulting list of overall Administrative Template settings is dramatically reduced. You can see this resulting set of policy settings with this filter in Figure 4.

Figure 4: Resulting list of policy settings after filter is set up and applied.

Settings Report per GPO

Once you have a GPO established and you want to see which settings are configured, as well as where the setting is located in the GPO, you can do this from a tool that is located in the Group Policy Management Console (GPMC). This option will not allow you to see all settings that are located in the GPO, but it does report on those that are already configured.

To get to this option, open the GPMC and find your GPO in the list of overall GPOs or where the GPO is linked to the domain or organizational unit. Once you find your GPO, click on it to select focus on that GPO. Then, on the right hand pane within the GPMC, select the Settings tab. This will display all of the settings that are currently configured in the GPO in a list format that details where each setting in located in the GPO, which can be seen in Figure 5.

Figure 5: Settings view of a GPO.

Microsoft .xls and .xlsx *Settings Files

For those that want to have an out of band tool to help find the GPO settings, you are in luck. Microsoft produced, about 5 years ago, a suite of Excel spreadsheets to document the settings in a GPO. The spreadsheets don’t include every GPO setting, such as the Group Policy Preferences, but they are an invaluable resource.

In order to obtain the spreadsheets you can go here, and download the topics that you need to search on.

When you launch the spreadsheets you will be able to see the setting path, values that can be set and even the computer setting that will be changed in nearly every case. These spreadsheets are crucial for any GPO admin.

SDM Reporter

A final tool that I want to expose to you is one that is not built into the OS, but is very inexpensive and key for any organization that uses Group Policy. The tool is the SDM GPO Exporter tool. (You can get an evaluation version from www.sdmsoftware.com).

The tool allows the administrator to go into the live domain and pull out the settings that are configured in each GPO. That might not sound all that powerful, but not only does the tool allow you to pull out the settings, but also do reporting on the settings to find duplicates and conflicts across multiple GPOs.

First, you can export the settings from a single or multiple GPOs, as shown in Figure 6.

Figure 6: Exporting one or multiple GPOs of settings.

Before you export the settings from the selected GPOs, you get the opportunity to select all or just a portion of the overall sections within the GPO to get settings from. This is ideal for administrators that need to just get settings from some areas of the GPO and not all sections. Figure 7 illustrates what this option looks like.

Figure 7: Exporter allows you to select which settings you export from the GPOs.

Once you have selected the GPOs and areas within the GPO that you want to export the settings for, you are presented with a result of all settings for each GPO in a single view, as shown in Figure 8.

Figure 8: Exporter shows you all settings in each GPO you export.


As you can see, you can find nearly any GPO setting with the built-in tools and other tools that are available on the market. The tools from Microsoft provide insight and searching for raw settings, as well as for configured settings. Some are limited to only certain areas, where some of the Microsoft tools provide a view into nearly every section in a GPO. Other third-party tools, like SDM software Exporter, provide you a much more robust view and manipulation of the output of the GPO settings.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top