Find-MdtGPOString -- Searching Group Policy for Specific Strings


Group Policy is a strange, wonderful, and all-too-often frustrating aspect of running a Windows domain. Sometimes wading in is like turning over a log in a damp forest. There can be a lot more going on than you bargained for, especially if you, as the current admin, have inherited your network.

Recently at work I was faced with a network drive mapping that was popping up that I could not explain. It was not being mapped from a logon script, and looking in Group Policy Management, it became clear that a manual search would be incredibly tedious. I’m sure you’ve been there: show, show, show, show… next… show, show, show, show… and on and on. One solution is to save your Group Policy objects as an HTML or XML report and search them in a text editor. Because even that sounds tedious, I wrote a function to do it for me.

This requires the GroupPolicy module, which is available for newer versions of Windows, and likely requires at least PowerShell 3. The usage is pretty straightforward. If you want to get right in and look for a specific computer, printer, etc., that exists on your domain, try

Find-MdtGPOString -Pattern "myprinter"

On a, let’s call it, mature domain, that probably will take longer than you were expecting. So to help speed up multiple searches, you can save a report to search and re-search.

$Report = Find-MdtGPOString -ReturnReportOnly
Find-MdtGPOString -Pattern "myprinter" -GPOReport $Report
Find-MdtGPOString -Pattern "myserver" -GPOReport $Report

There are some considerations here. Most importantly, we are searching through all of the XML of the object. That means you are going to want to use very specific searches and avoid generalities like “computer”, “name”, “enabled”, etc. Also, the Pattern parameter is constrained to the [regex] type. If you don’t know regular expressions, that’s okay. In most cases, just entering the string you want to find will work. Just watch out for backslashes (“\”), which are used as an escape character. To include them in your search pattern, double them up where they appear, e.g. “mydomain\\username” instead of “mydomain\username”.
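A sketch of the same cache-then-search approach with a literal-match switch, so a string such as mydomain\username does not need hand-doubled backslashes. This is an added example, not the author's Find-MdtGPOString; the function names Get-GpoXmlCache and Search-GpoXmlCache are hypothetical, and it assumes the GroupPolicy module is installed and the account can read every GPO in the domain.

```powershell
#Requires -Modules GroupPolicy

# Hypothetical helper: pull the XML report for every GPO once and keep it in memory.
function Get-GpoXmlCache {
    Get-GPO -All | ForEach-Object {
        [pscustomobject]@{
            Name = $_.DisplayName
            Id   = $_.Id
            Xml  = Get-GPOReport -Guid $_.Id -ReportType Xml
        }
    }
}

# Hypothetical helper: search the cached reports.
# -Literal escapes regex metacharacters, so the text is matched exactly as typed.
function Search-GpoXmlCache {
    param(
        [Parameter(Mandatory)] [object[]] $Cache,
        [Parameter(Mandatory)] [string]   $Text,
        [switch] $Literal
    )
    $pattern = if ($Literal) { [regex]::Escape($Text) } else { $Text }
    foreach ($gpo in $Cache) {
        # Search line by line so each hit carries the XML element it was found in.
        $hits = $gpo.Xml -split "`r?`n" | Select-String -Pattern $pattern
        foreach ($hit in $hits) {
            [pscustomobject]@{
                GPO   = $gpo.Name
                Id    = $gpo.Id
                Match = $hit.Line.Trim()
            }
        }
    }
}

$cache = Get-GpoXmlCache    # slow step, done once

# Literal search: [regex]::Escape turns mydomain\username into mydomain\\username.
Search-GpoXmlCache -Cache $cache -Text 'mydomain\username' -Literal

# Regex search: one pass for either of two names.
Search-GpoXmlCache -Cache $cache -Text 'myprinter|myserver'
```

Because each result includes the matching XML line, an overly general pattern shows up immediately as a flood of unrelated elements.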

Good luck and hopefully this will shed some light on the darker recesses of your network.
