Play with group policy, XML and Powershell

In this post I will show simple examples of getting information about Active Directory group policies using PowerShell.

The main cmdlet I will use is Get-GPOReport. With this cmdlet, you can export a Group Policy in XML format using the parameter -ReportType XML.

An XML export will look like this:

PS > get-gporeport "Disable NTLMv1" -reportType XML



  
    {13344C57-D948-4F26-A062-556E62AD6636}
    prod.local
  
  Disable NTLMv1
  true
  2019-07-16T11:59:58
  2019-07-16T12:02:42
  2019-07-16T12:14:07.8221894Z
  
    O:S-1-5-21-2732284291-265629277-547561285-519G:S-1-5-21-2732284291-265629277-547561285-519D:PAI(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-2732284291-265629277-547561285-519)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-2732284291-265629277-547561285-519)(A;CI;LCRPLORC;;;ED)(A;CI;LCRPLORC;;;AU)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
    
      S-1-5-21-2732284291-265629277-547561285-519
      PROD\Enterprise Admins
    
    
      S-1-5-21-2732284291-265629277-547561285-519
      PROD\Enterprise Admins
    
    true
    
      false
      
        
          S-1-5-9
          NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
        
        
          Allow
        
        false
        
          true
          false
          true
          false
        
        
          Read
        
        0
      
      
        
          S-1-5-21-2732284291-265629277-547561285-519
          PROD\Enterprise Admins
        
        
          Allow
        
        false
        
          true
          false
          true
          false
        
        
          Edit, delete, modify security
        
        0
      
      
        
          S-1-5-18
          NT AUTHORITY\SYSTEM
        
        
          Allow
        
        false
        
          true
          false
          true
          false
        
        
          Edit, delete, modify security
        
        0
      
      
        
          S-1-5-21-2732284291-265629277-547561285-512
          PROD\Domain Admins
        
        
          Allow
        
        false
        
          true
          false
          true
          false
        
        
          Edit, delete, modify security
        
        0
      
      
        
          S-1-5-11
          NT AUTHORITY\Authenticated Users
        
        
          Allow
        
        false
        
          true
          false
          true
          false
        
        
          Apply Group Policy
        
        0
      
    
    false
  
  true
  
    3
    3
    true
    
      
        
          MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
          5
          
            Network security: LAN Manager authentication level
            
            Send NTLMv2 response only. Refuse LM & NTLM
          
        
        
          MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
          1
          
            Network security: Do not store LAN Manager hash value on next password change
            
            true
          
        
        false
      
      Security
    
  
  
    0
    0
    true
  
  
    prod
    prod.local
    true
    false
  
  
    MyTestOU
    prod.local/MyTestOU
    true
    false
  

____________

The first command shows how to extract the settings in this policy:

PS > ([xml](get-gporeport -name "Disable NTLMv1" -ReportType XML)).GPO.Computer.ExtensionData | `
select -ExpandProperty Extension | `
select SecurityOptions | `
select -ExpandProperty *

KeyName                                                           SettingNumber Display
-------                                                           ------------- -------
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel 5             Display
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash             1             Display

The second command extracts the GPO link information:

PS > ([xml](get-gporeport -name "Disable NTLMv1" -ReportType XML)).GPO.LinksTo

SOMName  SOMPath             Enabled NoOverride
-------  -------             ------- ----------
prod     prod.local          true    false
MyTestOU prod.local/MyTestOU true    false
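
The two commands above combined into one check, as an added example that is not part of the original post: it joins each security option with the links that apply it and warns when the NTLM level is below 5 or a link is disabled. The function name and the trimmed sample XML (including the disabled MyTestOU link) are constructed for illustration.

```powershell
# Constructed sample: only the elements the commands above read, without the
# namespaces and other elements of a real export. MyTestOU is disabled on purpose.
$sample = [xml]@'
<GPO>
  <Computer><ExtensionData><Extension>
    <SecurityOptions>
      <KeyName>MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel</KeyName>
      <SettingNumber>5</SettingNumber>
    </SecurityOptions>
    <SecurityOptions>
      <KeyName>MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash</KeyName>
      <SettingNumber>1</SettingNumber>
    </SecurityOptions>
  </Extension></ExtensionData></Computer>
  <LinksTo><SOMPath>prod.local</SOMPath><Enabled>true</Enabled></LinksTo>
  <LinksTo><SOMPath>prod.local/MyTestOU</SOMPath><Enabled>false</Enabled></LinksTo>
</GPO>
'@

function Get-GpoSecurityOptionSummary {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][xml]$Report,
        [Parameter(Mandatory)][string]$GpoName
    )
    # @() plus the null filter keeps single elements and missing sections uniform.
    $options = @($Report.GPO.Computer.ExtensionData.Extension.SecurityOptions) | Where-Object { $_ }
    $links   = @($Report.GPO.LinksTo) | Where-Object { $_ }
    foreach ($opt in $options) {
        [pscustomobject]@{
            Gpo           = $GpoName
            KeyName       = $opt.KeyName
            SettingNumber = $opt.SettingNumber
            EnabledLinks  = @($links | Where-Object { $_.Enabled -eq 'true' } | ForEach-Object { $_.SOMPath })
            DisabledLinks = @($links | Where-Object { $_.Enabled -ne 'true' } | ForEach-Object { $_.SOMPath })
        }
    }
}

$summary = Get-GpoSecurityOptionSummary -Report $sample -GpoName 'Disable NTLMv1'
$summary | Format-Table Gpo, KeyName, SettingNumber, EnabledLinks, DisabledLinks -AutoSize

# Check: the NTLM level must be 5 (the value in this policy) and reach machines through an enabled link.
$summary | Where-Object { $_.KeyName -like '*\LmCompatibilityLevel' } | ForEach-Object {
    if ([int]$_.SettingNumber -lt 5)  { Write-Warning "$($_.Gpo): level $($_.SettingNumber) is below 5" }
    if ($_.EnabledLinks.Count -eq 0)  { Write-Warning "$($_.Gpo): no enabled link" }
    if ($_.DisabledLinks.Count -gt 0) { Write-Warning "$($_.Gpo): disabled link(s): $($_.DisabledLinks -join ', ')" }
}
# Against a live domain (GroupPolicy module), pass the real report instead of $sample:
#   [xml](Get-GPOReport -Name 'Disable NTLMv1' -ReportType XML)
```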

Now it is your turn!
