7.4 Comparing and Differentiating GPOs

Determining the similarities and differences between GPOs is often necessary as part of the GPO change and release process. GPA allows you to compare:

Two versions of the same GPO within the GP Repository

Useful for determining what changed from a prior version of the same GPO. For more information, see Reporting on Two Versions of the Same GPO in the GP Repository.

Two distinct GPOs from the same or different GP Repositories

Useful for determining the similarities or differences between two GPOs in the same or two different GP Repositories. You can use either the GP Repository node or the GP Analysis node to make this comparison. For more information, see Reporting on Two Different GPOs in the GP Repository.

A GPO in the GP Repository with the version of the same GPO in Active Directory

Useful for determining if changes have been made in Active Directory to the approved version of a GPO. You can use either the GP Repository node or the GP Analysis node to make this comparison. For more information, see Reporting on a GPO in the GP Repository and the Same GPO in Active Directory.

A GPO in the GP Repository and a different GPO in Active Directory

Useful for determining the similarities or differences between a GPO in Active Directory and a GPO in the GP Repository. Use the GP Analysis node to make this comparison. For more information, see Reporting on a GPO in the GP Repository and a Different GPO in Active Directory.

Indicators in the Status column report the following information:

Indicator

Meaning

S

Content of GPO setting is the same in both versions

D

Content of GPO setting is different between versions

Z

Content of GPO setting is similar in both versions

L

Only GPO on the left of the report contains information

R

Only GPO on the right of the report contains information

The comparison reports contain the same sections and have a layout similar to the GPO Settings Report. For more information, see Section 7.2, Viewing GPO Setting Information. The steps to produce the Group Policy Comparison Report and the Group Policy Differential Report vary depending on the type of comparison you are making.

7.4.1 Understanding Comparison and Differential Reports

The Group Policy Comparison Report and the Group Policy Differential Report may seem similar. Despite their similarities, they have important differences:

  • Group Policy Comparison Reportsdisplay all of the settings in the GPOs being compared and shows which are the same and which are different.

  • Group Policy Differential Reports display only the settings that are different between the GPOs.

Reporting on Two Versions of the Same GPO in the GP Repository

In many cases, you may find it necessary to look at reports on two versions of the same GPO in the GP Repository.

To report on two versions of a GPO within the GP Repository:

  1. In the left pane, expand GP Repository.

  2. Select the domain containing the GPO.

  3. Select the appropriate GPO.

  4. On the Action menu, click View History.

  5. Select one of the versions to be compared and then press Ctrl while selecting the second version.

  6. Click Compare for a Group Policy Comparison Report or click Differentiate for a Group Policy Differential Report.

Reporting on Two Different GPOs in the GP Repository

Using the GP Repository node or GP Analysis node, you can compare the differences or similarities between two different GPOs from the same GP Repository or two different GP Repositories.

From the GP Repository

You can use the GP Repository node to run the report.

To report on two different GPOs from the same or different GP Repositories using the GP Repository node:

  1. In the left pane, expand GP Repository.

  2. Select the domain containing the GPOs you want to compare.

  3. On the Action menu, click Compare GPOs.

  4. In the left pane, select the first GPO to compare.

  5. In the right pane, select the second GPO to compare, either from the same GP Repository or from a different GP Repository.

  6. Click Compare for a Group Policy Comparison Report or click Differentiate for a Group Policy Differential Report.

With the GP Analysis Node

You can use the GP Analysis node to run the report.

To report on two different GPOs from the same or different GP Repositories using the GP Analysis node:

  1. In the left pane, expand GP Analysis and click GPO Comparison.

  2. On the Action menu, click GPO Comparison Wizard.

  3. Read the introduction text, and then click Next.

  4. If you want to run a differential report, select Difference Report.

  5. Under Select First GPO, click Browse.

  6. Select Repository, and then click OK.

  7. Specify the GP Repository containing the first GPO to compare in the SQL Server field and the credentials to connect to the GP Repository, and then click OK.

  8. Expand the domain and category, and then select the first GPO to compare.

  9. Click OK.

  10. Under Select Second GPO, click Browse.

  11. Select Repository, and then click OK.

  12. Specify the GP Repository containing the second GPO to compare in the SQL Server field and the credentials to connect to the GP Repository, and then click OK.

  13. Expand the domain and category, and then select the second GPO to compare.

  14. Click OK.

  15. Click Next, and then click Finish.

Reporting on a GPO in the GP Repository and a Different GPO in Active Directory

This report is useful for determining the similarities or differences between a GPO in Active Directory and a GPO in the GP Repository. You can run this report on the same GPO, or on a different GPO.

To report on a GPO in Active Directory and a GPO in the GP Repository:

  1. In the left pane, expand GP Analysis and click GPO Comparison.

  2. On the Action menu, click GPO Comparison Wizard.

  3. Read the introduction text, and then click Next.

  4. If you want to run a differential report, select Difference Report.

  5. Under Select First GPO, click Browse.

  6. Select Repository.

  7. Specify the GP Repository containing the GPO to compare in the SQL Server field and the credentials to connect to the GP Repository, and then click OK.

  8. Expand the domain and category, and then click the GPO in the GP Repository to compare.

  9. Click OK.

  10. Under Select Second GPO, click Browse.

  11. Select Active Directory of a specific domain.

  12. Click Browse to select a domain, and then click OK.

  13. Click OK.

  14. Select the GPO in Active Directory to compare, and then click OK.

  15. Click Next, and then click Finish.

Reporting on a GPO in the GP Repository and the Same GPO in Active Directory

This report is useful for determining whether the Active Directory version of a GPO still matches the GP Repository version.

NOTE:

  • You can also make this comparison using the GP Analysis node. For more information, see Reporting on a GPO in the GP Repository and a Different GPO in Active Directory.

  • The GPA console disables the Compare AD version and Differentiate AD version options in the Context, Action, and toolbar menus for GPOs in untrusted domains in the GP Repository. However, you can generate these reports from a GPA console installed on a computer joined to the same untrusted domain.

To report on a GPO with versions in the GP Repository and in Active Directory:

  1. In the left pane, expand GP Repository.

  2. Expand the domain containing the GPO.

  3. Expand the category containing the GPO, and then click the GPO.

  4. On the Action menu, click Compare AD version or Differentiate AD version.