We all know that there is a simple way to document GPOs, just right click the GPO and select “Save Report” which will create an HTML file but those can be a little hard to understand and don’t include all of the data such as what individual settings do. An alternative is to use the Microsoft Security Compliance Manager (SCM). Version 3.0 is now available for download from http://technet.microsoft.com/en-gb/solutionaccelerators/cc835245.aspx.
By default, SCM imports baselines for the following products:
Hopefully Microsoft will release the baseline packs for 2012 R2, Windows 8.1, Exchange 2013 and SQL at some point but that doesn’t necessarily prevent the tool being used for documenting most standard settings.
To document the settings, backup your GPO in the usual way and then use the “Import a Group Policy Backup” link in the “Get Information” section.
Browse to where you have your backup GPO
Select a name for the “baseline” or GPO settings and click on OK
Your settings will now be shown as an imported GPO
You can click on the Excel link to export the settings to Excel
Choose to enable the content in the excel spreadsheet created
You will now have your settings in Excel format together with an explanation of each setting and, where covered by the built in security baseline information, details of any vulnerabilities that the setting may address, counter measures that can be deployed to overcome that vulnerability and any impact that setting of the GPO value may cause.
NOTE: Click on the image below to see the level of detail provided for each setting.
Obviously this is a bit more long winded than simply exporting a report but I hope that you can also see how this does provide far more information around what has been configured and, as it is in Excel, enables you to add a further column with an explanation as to why each setting has been configured.
2 thoughts on “Documenting Group Policy Objects”
I tried this method but it is only showing unique items for some reason. Most of the items in the GPO’s are not listed in the Spread sheet which is not very good for documentation
Good article Philip. You might be interested in knowing that our company has created a tool which automatically documents group policy objects. It includes item comparison and PDF output.
I hope it’s ok to share a link to it here: Group Policy documentation tool
There is a free version for small networks.