This module read the content of ADMX and ADML files. It instantiate object with GPOTools* classes. You can search a policy parameter with PowerShell functions and find the registry key.
Authored by NicolasBn
What do we want for the first version ? Checklist :
- Have the simpliest policies with thier key
- Check if the simpliest policies are configured
- Cover a minimum of code with pester test
- Have a CI
- ...
What do we want in futures versions ?
- Read the content of .pol file to compare with ADMX content and determine the configured paramter in .pol file. Possibility with the GPRegistryPolicy module.
- Have a provider to explore the parameters like than gpedit.msc
- Experiment the module to compare hundred GPO in .pol files
- Have a provider to explorer the domain GPO
- Transaction compatibility for to easy rollback
- Warn the user when the parameter is not compatible with de target system
- Better speed the initialization of admx/adml (multi runspace ?)
Another ideas are welcome.
The easiest way to get PSGPOTools is using the PowerShell Gallery!
Best practice is that you inspect modules prior to installing them. You can do this by saving the module to a local path:
PS> Save-Module -Name PSGPOTools -Path <path> -AllowPrerelease
Once you trust a module, you can install it using:
PS> Install-Module -Name PSGPOTools -AllowPrerelease
Once installed from the PowerShell Gallery, you can update it using:
PS> Update-Module -Name PSGPOTools -AllowPrerelease
To uninstall PSGPOTools:
PS> Uninstall-Module -Name PSGPOTools
After the installation with the PowerShellGallery, import the module with Import-Module cmdlet. At the first, you need to use the Initialize-PSGPOAdmx. This command will read the default admx/adml files present in your system. After that, it creates and stocks the objets in static properties of [GPOToolsUtility] class.
Import-Module PSGPOTools
# Initialization of ADMX and ADML files
Initialize-PSGPOAdmx -UICulture 'en-US'
WARNING: No dependancy file found for Microsoft.Policies.Server target in C:\WINDOWS\PolicyDefinitions\ServerManager.admx ADMX file
WARNING: No dependancy file found for Microsoft.Policies.Backup target in C:\WINDOWS\PolicyDefinitions\WindowsBackup.admx ADMX file
WARNING: No dependancy file found for Microsoft.Policies.Server target in C:\WINDOWS\PolicyDefinitions\WindowsBackup.admx ADMX file
Then, to read the static properties of GPOToolsUtility Class, use those commands :
# The policies :
Get-PSGPOPolicy
Path : Machine\Windows Components\ActiveX Installer Service\
Name : Approved Installation Sites for ActiveX Controls
DisplayName : Approved Installation Sites for ActiveX Controls
Description : This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator
can create a list of approved Activex Install sites specified by host URL.
If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.
If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.
Note: Wild card characters cannot be used when specifying the host URLs.
ID : ApprovedActiveXInstallSites
Registry : GPOToolsRegistry
Scope : Machine
FileName : ActiveXInstallService.admx
Path : Machine\Windows Components\ActiveX Installer Service\
Name : Establish ActiveX installation policy for sites in Trusted zones
DisplayName : Establish ActiveX installation policy for sites in Trusted zones
Description : This policy setting controls the installation of ActiveX controls for sites in Trusted zone.
If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting.
If you disable or do not configure this policy setting, ActiveX controls prompt the user before installation.
If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server
certificate that passes all validation criteria. If you are aware that a trusted site has a certificate error but you want to trust it anyway you can select the certificate errors that you want to ignore.
Note: This policy setting applies to all sites in Trusted zones.
ID : AxISURLZonePolicies
Registry : GPOToolsRegistry
Scope : Machine
FileName : ActiveXInstallService.admx
Path : User\Control Panel\Add or Remove Programs\
Name : Specify default category for Add New Programs
DisplayName : Specify default category for Add New Programs
Description : Specifies the category of programs that appears when users open the "Add New Programs" page.
If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. Users can use the Category box on the "Add New Programs" page to display
programs in other categories.
To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software
Installation.
If you disable this setting or do not configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens.
You can use this setting to direct users to the programs they are most likely to need.
Note: This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled.
ID : DefaultCategory
Registry : GPOToolsRegistry
Scope : User
FileName : AddRemovePrograms.admx
Path : User\Control Panel\Add or Remove Programs\
Name : Hide the "Add a program from CD-ROM or floppy disk" option
DisplayName : Hide the "Add a program from CD-ROM or floppy disk" option
Description : Removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media.
If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users.
This setting does not prevent users from using other tools and methods to add or remove program components.
Note: If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative
Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting.
ID : NoAddFromCDorFloppy
Registry : GPOToolsRegistry
Scope : User
FileName : AddRemovePrograms.admx
...
# The Categories :
Get-PSGPOCategory
Name DisplayName ExplainText
---- ----------- -----------
System System Allows configuration of various system component settings.
InternetManagement Internet Communication Management
Troubleshooting Troubleshooting and Diagnostics
InternetManagement_Settings Internet Communication settings
WindowsComponents Windows Components Contains settings for operating system components.
WindowsExplorer File Explorer Manages File Explorer settings. These include shell properties, folder options, file menus, and avail...
TabletPC Tablet PC
DataCollectionAndPreviewBuilds Data Collection and Preview Builds
Network Network Allows configuration of components of the operating syst
...
#The SupportedOn :
Get-PSGPOSupportedOn
Name DisplayName
---- -----------
SUPPORTED_Win2KWithWindowsInstaller20 Windows 2000 with Windows Installer v2
SUPPORTED_WindowsPreVistaWithWindowsSearch Windows Server 2003 or Windows XP with Windows Search installed
SUPPORTED_AllowWebPrinting Windows 2000 or later, running IIS. Not supported on Windows Server 2003.
SUPPORTED_IE6SP1 At least Internet Explorer 6 Service Pack 1
SUPPORTED_Win2k At least Windows 2000
SUPPORTED_Win2kOnly Windows 2000 only
SUPPORTED_Win2kSP1 At least Windows 2000 Service Pack 1
SUPPORTED_Win2kSP3 At least Windows 2000 Service Pack 3
...
You want to see if the parameter is configured in your system ?
$Pol = Get-PSGPOPolicy
$Pol[0]
Path : Machine\Composants Windows\Service d’installation ActiveX\
Name : Sites d’installation approuvés pour les contrôles ActiveX
DisplayName : Sites d’installation approuvés pour les contrôles ActiveX
Description : Ce paramètre de stratégie détermine quels sites d’installation ActiveX les utilisateurs standard de votre organisation peuvent utiliser pour installer des contrôles ActiveX
sur leur ordinateur. Lorsque ce paramètre est activé, l’administrateur peut créer une liste des sites d’installation ActiveX approuvés spécifiés par l’URL hôte.
Si vous activez ce paramètre, l’administrateur peut créer une liste des sites d’installation ActiveX approuvés spécifiés par l’URL hôte.
Si vous désactivez ou ne configurez pas ce paramètre de stratégie, les contrôles ActiveX invitent l’utilisateur à spécifier des informations d’identification d’administration
avant l’installation.
Remarque : vous ne pouvez pas utiliser de caractères génériques pour indiquer des URL hôtes.
ID : ApprovedActiveXInstallSites
Registry : GPOToolsRegistry
Scope : Machine
FileName : ActiveXInstallService.admx
$Pol[0].GetPolicyState()
NotConfigured
You want to see the registry key ?
$Pol[0].Registry
You need to search a particular parameter by the registry key :
Get-PSGPOPolicy | ? {$_.Registry.Path -like "*SOFTWARE\Policies\Microsoft\Windows Defender" -and $_.Registry.Key -like 'DisableAntispyware'}
Path : Machine\Windows Components\Windows Defender Antivirus\
Name : Turn off Windows Defender Antivirus
DisplayName : Turn off Windows Defender Antivirus
Description : This policy setting turns off Windows Defender Antivirus.
If you enable this policy setting, Windows Defender Antivirus does not run, and will not scan computers for
malware or other potentially unwanted software.
If you disable this policy setting, Windows Defender Antivirus will run regardless of any other installed
antivirus product.
If you do not configure this policy setting, Windows will internally manage Windows Defender Antivirus. If you
install another antivirus program, Windows automatically disables Windows Defender Antivirus. Otherwise, Windows
Defender Antivirus will scan your computers for malware and other potentially unwanted software.
Enabling or disabling this policy may lead to unexpected or unsupported behavior. It is recommended that you leave
this policy setting unconfigured.
ID : DisableAntiSpywareDefender
Registry : GPOToolsRegistry
Scope : Machine
FileName : WindowsDefender.admx
Interested in contributing? Read how you can Contribute to PSGPOTool
This project maintains a Code of Conduct that establishes how the project is governed and how everyone involved is expected to behave. You can report unacceptable behavior to [email protected].
A detailed release history is contained in the Change Log.
PSGPOTools is provided under the MIT license.