A project cropped up recently that required editing a number of disparate Group Policies in our environment due to a network share path change.
I was originally given a list of GPOs that were (somehow) identified as in scope for change; however, I knew immediately the list was incomplete and omitted some valid matches. So I was left with a choice:
- Manually go hunting across the subset of GPOs, or
- Be "lazy" and try to find/replace the matches semi-automatically.
Due to the project timeline, I wasn't at all interested in manually hunting down matches because I knew I would miss several, so it was time to find/replace my way through...
There's Not Really A Good Way
My little part of the world is a small subset of all GPOs in the domain, so I was going to have to find a quick way to export the reports for "my" GPOs. Once I had a folder of all my policy reports I could use Visual Studio Code to search the folder for matches in all of the GPO settings, not just what had been erroneously identified for me. Fortunately, PowerShell cmdlets exist for the individual bits, so it's just a matter of stacking them accordingly, like so:
# Export an XML report for every GPO whose name starts with "MyPrefix-"
Get-GPO -All | Where-Object { $_.DisplayName -like "MyPrefix-*" } | Select-Object Id,DisplayName |
ForEach-Object {
    # Name each report file after the GPO's display name
    $path = "Path\To\My\Policy\Report\Folder\" + $_.DisplayName + ".xml"
    $guid = $_.Id
    Get-GPOReport -Guid $guid -ReportType 'XML' -Path $path
}
By "filtering" the Get-GPO cmdlet's output I could get the GUID and DisplayName of my policies (all of which have MyPrefix- in the name). Once I have a GUID, I can use the Get-GPOReport cmdlet to export each GPO's details to XML.
Running this took a bit of time (it has to generate and save a report for each GPO in scope), but within a couple minutes I had something easily searchable with a regular editor.
As Expected, There Were Missed Policies
As I searched the results for the paths in question, I quickly found a bunch of omitted policies from the data I was provided (as expected), but I also found a number of other hits that needed to be modified as well. Some were updated, and (better yet) some were evaluated and removed as they are no longer necessary!
The Update Process Is Still Manual, Though
Unfortunately, I still had to go edit each of the matching policies manually; however, having a targeted scope made that process a lot simpler than hunting around for matches. As a bonus, I was able to easily re-run the export after I made the changes to verify I'd not missed anything!
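The search and the post-change re-check can also be scripted instead of done in an editor. The following is an added example, not code from the original post; the function name, the report folder and the old share path are placeholders, and it assumes the reports were exported with the script above so each file is named after its GPO.

```powershell
# Added example: list which exported GPO reports still reference a given share path.
# Find-GpoPathReference, $ReportFolder and $OldPath are hypothetical names/placeholders.
function Find-GpoPathReference {
    param(
        [Parameter(Mandatory)] [string] $ReportFolder,
        [Parameter(Mandatory)] [string] $OldPath
    )

    Get-ChildItem -Path $ReportFolder -Filter '*.xml' -File |
        # -SimpleMatch treats the UNC path as a literal string, so its
        # backslashes are not interpreted as regex escapes. Matching is
        # case-insensitive by default, which suits share paths.
        Select-String -Pattern $OldPath -SimpleMatch |
        Group-Object -Property Path |
        ForEach-Object {
            [pscustomobject]@{
                # The export script named each file after the GPO's DisplayName
                GpoName  = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
                HitCount = $_.Count
                # Line numbers make it easy to jump to the setting in the report
                Lines    = ($_.Group.LineNumber -join ',')
                # First matching line, trimmed, as a hint at which setting is affected
                Sample   = $_.Group[0].Line.Trim()
            }
        } |
        Sort-Object -Property GpoName
}

# Placeholder values: substitute the real report folder and the retired share path.
$hits = Find-GpoPathReference -ReportFolder 'C:\Temp\GpoReports' -OldPath '\\oldserver\oldshare'

if ($hits) {
    $hits | Format-Table -AutoSize -Wrap
} else {
    # After editing the GPOs and re-running the export, this is the expected result.
    'No exported report references the old path.'
}
```

Running it once before the edits gives the scope of work; running it again after a fresh export should return no hits.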
Even though the edits took time and were fiddly, thanks to these built-in PowerShell cmdlets I quickly created a scope of work/touch points and verified my work without having to do any manual comparison or direct skimming/reading. Since this is a rare and one-off change, having a simple way to do those parts saved a bunch of effort and let me get back to normal projects.