Policy Analyzer is a tool released a couple of years ago that allows an administrator to easily compare two or more GPOs to find the differences between them. It's a little clunky to use for quick troubleshooting, but for in-depth GPO work, this is a great tool for helping review and organize GPOs. Here, we'll walk through how to get started and interpret the results.
Get Set Up
To get started, download the Policy Analyzer tool from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=55319. This download points to the Microsoft Security Compliance Toolkit, which Policy Analyzer is a part of. On the download page, you can opt to download only "PolicyAnalyzer.zip", which is the only file we need. Once that's downloaded, copy it to a server in the environment you are working on. It can either be a DC or a member server with the Group Policy console installed. From there, unzip the file and run PolicyAnalyzer.exe.
To compare GPOs, we must first back them up to a folder on the local server. To do so:
1. Open the Group Policy Management Console
2. Expand the OUs or Group Policy Objects container to find the GPOs you want to compare
3. Right click the first GPO and select "Back up…"
4. Enter a path to save the backup to. Ensure the folder you select doesn't contain any other GPO backups, or the Policy Analyzer may have trouble importing them.
5. Press the "Back Up" button
6. Repeat steps 2-5 for each GPO you want to compare, ensuring you create a separate folder to store each GPO backup like in the structure below. Note that the GUID folder is created automatically by the backup, but the friendly folders (STIG 2012 R2 DC and Member Server) were created manually:
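The same backup steps can be scripted with the `Backup-GPO` cmdlet from the GroupPolicy PowerShell module. This is an added example, not part of the original article; the backup root and the GPO names are placeholders to replace with your own.

```powershell
#Requires -Modules GroupPolicy
# Added example. $BackupRoot and $GpoNames are placeholders, not values from the article.
$BackupRoot = 'C:\GPOBackups'
$GpoNames   = @('Example Baseline GPO', 'Example Custom GPO')

foreach ($name in $GpoNames) {
    # One friendly-named folder per GPO; replace characters that are not valid in a folder name.
    $safeName = $name.Split([IO.Path]::GetInvalidFileNameChars()) -join '_'
    $target   = Join-Path $BackupRoot $safeName
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Policy Analyzer can have trouble importing from a folder that holds more
    # than one GPO backup, so skip any folder that already has content.
    if (Get-ChildItem -LiteralPath $target -Force) {
        Write-Warning "Skipping '$name': '$target' is not empty."
        continue
    }

    try {
        $backup = Backup-GPO -Name $name -Path $target `
                             -Comment 'Backup for Policy Analyzer comparison' `
                             -ErrorAction Stop
        # Backup-GPO creates the {GUID} subfolder itself, named after the backup Id.
        $guidFolder = Join-Path $target "{$($backup.Id)}"
        Write-Output ("{0} backed up to {1}" -f $name, $guidFolder)
    }
    catch {
        Write-Warning "Backup of '$name' failed: $($_.Exception.Message)"
    }
}
```

Run it on the DC or member server where the Group Policy console is installed, then point Policy Analyzer at each friendly-named folder in turn.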
Importing the GPOs to Policy Analyzer
Before you can compare the GPOs, they must be imported into the Policy Analyzer tool. This process reads the GPO backup you created and creates a policy definition file that the tool can use.
1. In Policy Analyzer, click the "Add…" button
2. In the popup, click File, then "Add Files from GPO(s)…"
3. Browse to and select the folder where you saved the backup
4. The importer tool will show the different types of settings detected
5. Click the "Import…" button
6. Save the policy rule definition file to the default folder, giving it a meaningful name
7. Repeat steps 1-7 for each GPO that you backed up previously
Comparing the GPOs
With everything prepared, we can now actually compare 2 or more GPOs. In the main Policy Analyzer window, select the GPOs you want to compare, and click the "View / Compare" button. You'll get a pop-up with all the defined settings and what they are set to in each of the GPOs you are comparing. Gray cells indicate that the setting isn't configured in that policy, while yellow cells indicate values that conflict between the GPOs that are being compared. To find where each GPO option is configured, click the row in the table, and the Policy Path in the bottom detail window shows the path to the GPO option.
Exporting to Excel
If you have Excel installed on the computer you are running Policy Analyzer on, you can use the Export > "Export Table to Excel" feature to save the data to an Excel workbook. Since you probably don't have Excel installed on your DCs, you can run Policy Analyzer locally on your workstation. To do so, copy the GPO backup folders to your computer after backing them up in the Group Policy Console on the server, and then import them into Policy Analyzer on your local PC. That will allow you to run the comparison and export the data to Excel for analysis.
This tool is helpful for in-depth analysis of Group Policy to help determine how GPOs in the domain differ from each other. You can use it for basic comparisons of GPOs, comparing custom compliance GPOs to a known-good baseline, or to help guide the consolidation of multiple GPOs.
For more information about Policy Analyzer, see the official documentation.