Documenting Group Policy Objects

We all know that there is a simple way to document GPOs, just right click the GPO and select “Save Report” which will create an HTML file but those can be a little hard to understand and don’t include all of the data such as what individual settings do. An alternative is to use the Microsoft Security Compliance Manager (SCM). Version 3.0 is now available for download from http://technet.microsoft.com/en-gb/solutionaccelerators/cc835245.aspx.

By default, SCM imports baselines for the following products:

 

 

Hopefully Microsoft will release the baseline packs for 2012 R2, Windows 8.1, Exchange 2013 and SQL at some point but that doesn’t necessarily prevent the tool being used for documenting most standard settings.

To document the settings, backup your GPO in the usual way and then use the “Import a Group Policy Backup” link in the “Get Information” section.

 

 

Browse to where you have your backup GPO

 

 

Select a name for the “baseline” or GPO settings and click on OK

 

 

Your settings will now be shown as an imported GPO

 

 

You can click on the Excel link to export the settings to Excel

 

 

Choose to enable the content in the excel spreadsheet created

 

 

You will now have your settings in Excel format together with an explanation of each setting and, where covered by the built in security baseline information, details of any vulnerabilities that the setting may address, counter measures that can be deployed to overcome that vulnerability and any impact that setting of the GPO value may cause.

NOTE: Click on the image below to see the level of detail provided for each setting.

 

 

Obviously this is a bit more long winded than simply exporting a report but I hope that you can also see how this does provide far more information around what has been configured and, as it is in Excel, enables you to add a further column with an explanation as to why each setting has been configured.

 

Leave a Reply