A.4 Report Scripts

With the right script, you can use GPA to generate GPO reports.

A.4.1 Generating the GPO Settings Report Using Scripts or Methods

To write a Visual Basic script or method to generate the GPO Settings report:

  1. In Notepad, create the following script:

    dim x
    set x = CreateObject("GPExplorer.PolicyManager.1")
    REM ***** GenerateReport(GPO LDAP path, output file path, options)
    x.GenerateReport "LDAP://DomainController/CN={GUID},CN=Policies,CN=System,DC=DistinguishedDomainName","OutputFile",Options
    set x = nothing

    or

    Create the following C# method:

    public static void GenerateGPOReportAD()
    {
        string sGPOPath = "LDAP://DomainController/CN={GUID},CN=Policies,CN=System,DC=DistinguishedDomainName";
        string sPath = "OutputFile";
        long sOptions = 0;   // 0 = GPO Settings report
        IfaExplorerRoot oEXPRroot = new PolicyManager();
        oEXPRroot.GenerateReport(sGPOPath, sPath, sOptions);
        Console.WriteLine("AD GPO report generated successfully");
        Console.ReadKey();
    }

  2. Modify the variables. To obtain the LDAP path of the GPO (“LDAP... DomainName”), use the ADSI Edit tool. If the ADSI Edit tool is not available, substitute the following information:

    DomainController

    Type the name of the primary domain controller of the domain. Provide the full computer name, which consists of the computer name and the domain to which it belongs. You can find the full name on the Network Identification tab of the Property page of My Computer.

    GUID

    Type the GUID number that corresponds to the GPO you want to report on.

    DistinguishedDomainName

    Type the distinguished name format of the domain to which the GPO belongs.

    OutputFile

    Type the path and the name of the file for the output report.

    Options

    Type 0 to specify the GPO Settings report.

  3. When you are finished, your script should look similar to the following example:

    REM ***********************************************************
    dim x
    set x = CreateObject("GPExplorer.PolicyManager.1")
    REM ***** GenerateReport(GPO LDAP path, output file path, options)
    x.GenerateReport "LDAP://devel-child.child-domain.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=child-domain,DC=com","E:\GPO Backups\Backup Scripts\Reports\Report.htm",0
    set x = nothing
    Wscript.Echo "Report Generation Completed"
    REM ***********************************************************

    or

    Your C# method should look similar to the following example:

    public static void GenerateGPOReportAD()
    {
        string sGPOPath = "LDAP://MYDOMAIN.LAB/CN={04835D24-7FAC-4B7B-B677-419E598593B0},CN=Policies,CN=System,DC=MYDOMAIN,DC=LAB";
        string sPath = "C://Folder/ADGPOReport.htm";
        long sOptions = 0;   // 0 = GPO Settings report
        IfaExplorerRoot oEXPRroot = new PolicyManager();
        oEXPRroot.GenerateReport(sGPOPath, sPath, sOptions);
        Console.WriteLine("AD GPO Report generated successfully");
        Console.ReadKey();
    }

  4. To generate reports of multiple GPOs, copy the x.GenerateReport line, for Visual Basic scripts, and the sGPOPath line, for C# methods, as many times as necessary, modifying ONLY the GUID for each GPO to include in the report.

  5. Save the file with any suitable name, and an extension of .vbs for Visual Basic scripts, to the location of your choice (for example, ReportGPOs.vbs), or compile the solution, then execute the executable build.

A.4.2 Generating the Health Check Report Using Scripts or Methods

To write a Visual Basic script or method to generate the Health Check report:

  1. In Notepad, create the following script:

    dim x
    set x = CreateObject("GPExplorer.PolicyManager.1")
    x.ConnectTo ("ConnectionString")
    REM ***** GenerateReport(GPO LDAP path, output file path, options)
    x.GenerateReport "LDAP://DomainController/CN={GUID},CN=Policies,CN=System,DC=DistinguishedDomainName","OutputFile",Options
    set x = nothing

    or

    Create the following C# method:

    public static void GenerateHealthCheckReport()
    {
        string sGPOPath = "LDAP://DomainController/CN={GUID},CN=Policies,CN=System,DC=DistinguishedDomainName";
        string sPath = "OutputFile";
        long sOptions = 1;   // 1 = Health Check report
        IfaExplorerRoot oEXPRroot = new PolicyManager();
        oEXPRroot.ConnectTo("ConnectionString");
        oEXPRroot.GenerateReport(sGPOPath, sPath, sOptions);
        Console.WriteLine("Health Check report generated successfully");
        Console.ReadKey();
    }

  2. If you are using a script, modify the x.ConnectTo line.

    or

    If you are using a method, modify the oEXPRroot.ConnectTo line.

    For more information about obtaining the ConnectionString, see Section 5.2.1, Connecting to a GP Repository.

  3. Modify the variables. To obtain the LDAP path of the GPO (“LDAP... DomainName”), use the ADSI Edit tool. If the ADSI Edit tool is not available, substitute the following information:

    DomainController

    Type the name of the primary domain controller of the domain. Provide the full computer name, which consists of the computer name and the domain to which it belongs. You can find the full name on the Network Identification tab of the Property page of My Computer.

    GUID

    Type the GUID number that corresponds to the GPO you want to report on.

    DistinguishedDomainName

    Type the distinguished name format of the domain to which the GPO belongs.

    OutputFile

    Type the path and the name of the file for the output report.

    Options

    Type 1 to specify the Health Check report.

  4. When you are finished, your script should look similar to the following example:

    REM ***********************************************************
    On Error Resume Next
    set x = CreateObject("GPExplorer.PolicyManager.1")
    x.ConnectTo ("DRIVER={ODBC Driver 13 for SQL Server};SERVER=<SQL Server Instance Name>;Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;")
    REM ***** GenerateReport(GPO LDAP path, output file path, options)
    x.GenerateReport "LDAP://devel-child.child-domain.com/CN={FA586CE5-9C2C-47BE-86AD-1618E183537D},CN=Policies,CN=System,DC=child-domain,DC=com","E:\GPO backups\Backup Scripts\Reports\HCReport.htm",1
    REM ***** On Error Resume Next hides failures, so check Err before reporting success
    If Err.Number <> 0 Then
        Wscript.Echo "Report Generation Failed: " & Err.Description
    Else
        Wscript.Echo "Report Generation Completed"
    End If
    set x = nothing
    REM ***********************************************************

    or

    Your C# method should look similar to the following example:

    public static void GenerateHealthCheckReport()
    {
        string sGPOPath = "LDAP://MYDOMAIN.LAB/CN={04835D24-7FAC-4B7B-B677-419E598593B0},CN=Policies,CN=System,DC=MYDOMAIN,DC=LAB";
        string sPath = "C://Folder/HealthCheckReport.htm";
        long sOptions = 1;   // 1 = Health Check report
        IfaExplorerRoot oEXPRroot = new PolicyManager();
        oEXPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
        oEXPRroot.GenerateReport(sGPOPath, sPath, sOptions);
        Console.WriteLine("Health Check Report generated successfully");
        Console.ReadKey();
    }

  5. To generate reports of multiple GPOs, copy the x.GenerateReport line, for Visual Basic scripts, or the sGPOPath line, for C# methods, as many times as necessary, modifying ONLY the GUID for each GPO to include in the report.

  6. Save the file with any suitable name, and an extension of .vbs for Visual Basic scripts, to the location of your choice (for example, HCReport.vbs), or compile the solution, then execute the executable build.
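
The following PowerShell script is an added example, not code from the GPA documentation. It performs the multiple-GPO step of Sections A.4.1 and A.4.2 as a loop over a list of GUIDs, writes one report file per GPO, and reports each failure instead of suppressing it. It assumes the GPExplorer.PolicyManager.1 COM object can be created from PowerShell on the GPA computer; the variable names and the per-GPO file naming are choices of this example.

```powershell
# Added example (not NetIQ code). Sample values are taken from this section.
$domainController = 'devel-child.child-domain.com'
$domainDn         = 'DC=child-domain,DC=com'
$outDir           = 'E:\GPO Backups\Backup Scripts\Reports'
$options          = 0     # 0 = GPO Settings report, 1 = Health Check report
$connectionString = ''    # needed only for option 1; see Section 5.2.1
$gpoGuids = @(
    '31B2F340-016D-11D2-945F-00C04FB984F9',
    'FA586CE5-9C2C-47BE-86AD-1618E183537D'
)

$failures = 0
$pm = New-Object -ComObject 'GPExplorer.PolicyManager.1'
try {
    # The Health Check report connects to the GP Repository first (A.4.2).
    if ($options -eq 1) { $null = $pm.ConnectTo($connectionString) }

    foreach ($text in $gpoGuids) {
        # Reject anything that is not a GUID before it reaches the LDAP path.
        $guid = [guid]::Empty
        if (-not [guid]::TryParse($text, [ref]$guid)) {
            Write-Warning "Skipped malformed GUID '$text'"
            $failures++
            continue
        }
        $id   = $guid.ToString().ToUpper()
        $ldap = 'LDAP://{0}/CN={{{1}}},CN=Policies,CN=System,{2}' -f $domainController, $id, $domainDn
        $out  = Join-Path $outDir "Report_$id.htm"
        try {
            # A COM failure raises a terminating error here and is caught below.
            $null = $pm.GenerateReport($ldap, $out, $options)
            if (-not (Test-Path -LiteralPath $out)) { throw 'no report file was written' }
            Write-Host "OK     $id -> $out"
        } catch {
            Write-Warning "FAILED $id : $($_.Exception.Message)"
            $failures++
        }
    }
} finally {
    # Release the COM object even if ConnectTo or a report call failed.
    [void][Runtime.InteropServices.Marshal]::ReleaseComObject($pm)
}
if ($failures) { exit 1 }
```

The non-zero exit status lets a scheduler or calling script detect that at least one report was not produced.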

A.4.3 Generating the Enterprise Consistency Check Report Using Scripts

The Enterprise Consistency Check report can take time to run. You can run the report at a later time by using the NqGpoCompare.exe command-line utility with the Microsoft Windows Task Scheduler.

To run the report, create an .xml report configuration file with the Enterprise Consistency Check wizard, and then run the report at a time that is convenient for you by using the NqGpoCompare.exe command-line utility. You can run the report using either of the following methods:

  • Run NqGpoCompare.exe, located by default in the C:\Program Files\NetIQ\Group Policy Administrator\Tools folder.

  • Create a batch file specifying the NqGpoCompare.exe file and command‑line parameters and schedule the batch file to run at a later time using the Microsoft Windows Task Scheduler.

For more information about using the Microsoft Windows Task Scheduler, see the Microsoft Windows documentation. For more information about creating the .xml report configuration file, see Section 7.5.1, Running the Enterprise Consistency Check Report with the Wizard.

Required Permissions

To run the NqGpoCompare utility, you must be logged on as a member of the GPA_REPOSITORY_MANAGEMENT group. For more information about GPA security, see Section 4.1, Understanding the GPA User Security Model.

Syntax

NqGpoCompare.exe {[/Overwrite] [/SQLConnStr:"<SQLConnectionString>" | 
/RepServer:<SQLServerName> /RepDB:<RepositoryDBName> 
[/SQLUser:<SQLLoginName>] [/SQLPwd:*|<SQLUserPassword>]] 
<DomainList.xml> <ReportPath.htm>} | [/?|/Help]

To display help for the command, type:

NqGpoCompare /Help

Options

The following list defines the input parameter options available for the NqGpoCompare utility.

Overwrite

Overwrites the HTML report file if it already exists. Without this option, the report terminates if the file already exists.

SQLConnStr

Full SQL Server connection string to the GP Repository, in double quotes. Used instead of the other SQL Server parameters.

RepServer

Name of the GP Repository Microsoft SQL Server. Not needed if the report configuration .xml file provides it. If specified, it takes precedence over the value in the report configuration file.

RepDB

Name of the GP Repository database on the Microsoft SQL Server. Not needed if the report configuration .xml file provides it. If specified, it takes precedence over the value in the report configuration file.

SQLUser

If present, SQL Server authentication is used with this SQL Server logon name.

SQLPwd

Password for the SQL Server logon account specified with /SQLUser. If /SQLUser is specified but not /SQLPwd, or the specified password is "*", then NqGpoCompare.exe prompts for the password on the command line.

DomainList.xml

Path and filename of the .xml report configuration file that specifies the master and comparison GPOs. Use double quotes if the path or filename contains spaces.

ReportPath.htm

Path and filename of the .htm report file. Use double quotes if the path or filename contains spaces.

Help

Displays the usage statement.

If you want to supply a parameter value that contains spaces, such as the file name GPO Compare October 2010.html, place quotation marks around the value. For example, type "GPO Compare October 2010.html".

Example 1

To create an Enterprise Consistency Check report from an .xml file, overwriting the report file if it exists, connect to the GP Repository using a SQL Server connection string:

NqGpoCompare /overwrite /SQLConnStr:"DRIVER={ODBC Driver 13 for SQL Server};SERVER=<SQL Server Instance Name>;Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;"
"c:\GPOComparisonReports\October_08.xml" 
"c:\GPOComparisonReports\GPO Compare September 2010.html"

Example 2

To create a batch file to submit to Microsoft Windows Task Scheduler to create an Enterprise Consistency Check report from an .xml file, connect to the GP Repository using SQL Server authentication:

  1. Create a text file using a tool such as Notepad.

  2. Type the following command in the file:

    NqGpoCompare /RepServer:mysqlserver /RepDB:GPO_REPOSITORY 
    /SQLUser:myusername /SQLPwd:mypassword! 
    "c:\GPOComparisonReports\20100920_30.xml" 
    "c:\GPOComparisonReports\GPO Compare October 2010.html"

  3. Save the file.

  4. Schedule the batch file to run using Microsoft Windows Task Scheduler. For more information, see the Microsoft Windows documentation.
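
As an added example (not part of the GPA documentation), the following PowerShell registers the scheduled task directly and connects with Windows authentication, as in Example 1, so that no SQL Server password is kept in a batch file or in the task arguments. The task name, schedule, and SQL Server name are placeholders chosen for this example.

```powershell
# Added example (not NetIQ code). Values marked "placeholder" are assumptions.
# Default installation path given in this section:
$exe     = 'C:\Program Files\NetIQ\Group Policy Administrator\Tools\NqGpoCompare.exe'
$sqlHost = 'mysqlserver'                                    # placeholder
$config  = 'C:\GPOComparisonReports\20100920_30.xml'
$report  = 'C:\GPOComparisonReports\GPO Compare October 2010.html'

# Windows authentication: /SQLUser and /SQLPwd are not used at all.
$connStr   = "DRIVER={ODBC Driver 13 for SQL Server};SERVER=$sqlHost;Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;"
$arguments = '/Overwrite /SQLConnStr:"{0}" "{1}" "{2}"' -f $connStr, $config, $report

# Quote the program path because it contains spaces.
$action  = New-ScheduledTaskAction -Execute ('"{0}"' -f $exe) -Argument $arguments
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '02:00'   # placeholder schedule

# The task account must be a member of GPA_REPOSITORY_MANAGEMENT
# (see Required Permissions) and have access to the repository database.
$cred = Get-Credential -Message 'Account that runs the Enterprise Consistency Check report'
$task = @{
    TaskName    = 'GPA Enterprise Consistency Check'        # placeholder
    Description = 'Runs NqGpoCompare.exe with Windows authentication'
    Action      = $action
    Trigger     = $trigger
    User        = $cred.UserName
    Password    = $cred.GetNetworkCredential().Password
    RunLevel    = 'Limited'
}
Register-ScheduledTask @task | Out-Null

# Show what was stored: the action arguments contain no credentials.
(Get-ScheduledTask -TaskName $task.TaskName).Actions |
    Select-Object Execute, Arguments | Format-List
```

The account password entered at the prompt is held by Task Scheduler rather than in a readable file, and the SQL Server connection uses that account's Windows identity.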

GPA installs the utility in the following folder by default:

\installDir\Tools 

A.4.4 Generating the Point in Time Analysis and Activity Report Using Scripts

The Point in Time Analysis and Activity Report identifies when a particular action was performed on a GPO and who performed it. Use this report to track changes related to GPO approval and export or to identify the changes between two versions of the same GPO.

To run the Point in Time Analysis and Activity Report, you must be logged in as a member of the GPA_REPOSITORY_MANAGEMENT group and have local administrator permissions. For more information about GPA security, see Section 4.1, Understanding the GPA User Security Model.

Using or scheduling this utility to run periodically lets you quickly create audit‑tracking records of GPO changes. For more information, see Section A.4.3, Generating the Enterprise Consistency Check Report Using Scripts.

GPA installs the utility in the following folder by default:

\installDir\Bin 

To display help for the command, type:

ActivityReport /?

Syntax

ActivityReport [/file:OutputFileName] [/type:[Export|Approve]] 
[/start:StartDate] [/end:EndDate] [/domain:DomainName] [/user:UserName] 
[/SQLConnstr:"SQLConnString"]

Options

The following list defines the input parameter options available for the ActivityReport utility:

/file:OutputFileName

Specifies the path and name of the HTML file in which to store the report results. By default, the utility stores the file in the current folder in the file named ActivityReport.html.

/type:[Export|Approve]

Specifies whether to include information about all exported GPOs or to include information only about GPOs approved for export. The default value reports on all exported GPOs.

/start:StartDate

Specifies the start date for the report in mm/dd/yyyy format. See the examples following the list.

/end:EndDate

Specifies the end date for the report in mm/dd/yyyy format. See the examples following the list.

/domain:DomainName

Specifies the name of one domain to audit for GPA activity. By default, the utility collects activity about all domains. Specify the domain by DNS name.

/user:UserName

Specifies the name of one user to audit for GPA activity. By default, the utility collects activity about all users. Specify the user by Domain\User.

/SQLConnstr:"SQLConnString"

Specifies the SQL Server connection string to use when connecting to the GP Repository.

If you want to supply a parameter value that contains spaces, such as the file name September Activity Report.html, place quotation marks around the value. For example, to specify the sample file name, type "September Activity Report.html".

Example 1

To create a Point in Time Analysis and Activity Report file named 20100920_30.html that lists information about all GPOs exported between 9/20/2010 and 9/30/2010:

ActivityReport /file:c:\GPA_Reports\20100920_30.html /start:9/20/10
/end:9/30/10 

Example 2

To create a Point in Time Analysis and Activity Report for all GPOs approved for the TestDom1 domain by user Admin1GPA in a month:

ActivityReport /file:c:\GPA_Reports\Admin1GPA_Approved092010.html 
/type:Approve /start:9/01/10 /end:9/30/10 /domain:TestDom1 
/user:Admin1GPA

Example 3

To create a Point in Time Analysis and Activity Report for all GPOs approved for the TestDom1 domain by user Admin1GPA in a month and use Microsoft Windows Authentication in the SQL Server connection string:

ActivityReport /file:c:\GPA_Reports\Admin1GPA_Approved092010.html 
/type:Approve /start:9/01/10 /end:9/30/10 /domain:TestDom1 
/user:Admin1GPA /SQLConnStr:"Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial 
Catalog=GPO_REPOSITORY;Data Source=%SERVERNAME%;Use Procedure for 
Prepare=1;Auto Translate=True;Packet Size=4096;Workstation 
ID=%LOCALCOMPNAME%;Use Encryption for Data=False;Tag with column 
collation when possible=False"
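
For periodic audit records, the fixed dates in Example 3 have to be recalculated on every run. The following PowerShell wrapper is an added example, not part of the GPA documentation: it reports on the previous calendar month using the Windows authentication connection string from Example 3. The installation path, server name, and output file naming are assumptions of this example.

```powershell
# Added example (not NetIQ code). Run from an elevated session as a member of
# GPA_REPOSITORY_MANAGEMENT, for instance from a task on the 1st of each month.
# Assumed install directory; this section gives only \installDir\Bin.
$exe     = 'C:\Program Files\NetIQ\Group Policy Administrator\Bin\ActivityReport.exe'
$sqlHost = 'GPA_SERVER'                                     # placeholder
$outDir  = 'C:\GPA_Reports'

# Previous calendar month, formatted as mm/dd/yyyy regardless of system locale.
$inv       = [cultureinfo]::InvariantCulture
$today     = (Get-Date).Date
$thisMonth = $today.AddDays(1 - $today.Day)
$start     = $thisMonth.AddMonths(-1)
$end       = $thisMonth.AddDays(-1)
$outFile   = Join-Path $outDir ('Approved_{0}.html' -f $start.ToString('yyyyMM', $inv))

# Same keys as Example 3. Integrated Security=SSPI keeps passwords off the command line.
$connStr = @(
    'Provider=SQLOLEDB.1', 'Integrated Security=SSPI', 'Initial Catalog=GPO_REPOSITORY',
    "Data Source=$sqlHost", 'Use Procedure for Prepare=1', 'Auto Translate=True',
    'Packet Size=4096', "Workstation ID=$env:COMPUTERNAME", 'Use Encryption for Data=False',
    'Tag with column collation when possible=False'
) -join ';'

$argLine = '/file:{0} /type:Approve /start:{1} /end:{2} /SQLConnStr:"{3}"' -f $outFile,
    $start.ToString('MM/dd/yyyy', $inv), $end.ToString('MM/dd/yyyy', $inv), $connStr

$started = Get-Date
$proc = Start-Process -FilePath $exe -ArgumentList $argLine -Wait -PassThru -NoNewWindow
$file = Get-Item -LiteralPath $outFile -ErrorAction SilentlyContinue

# Assumption: a non-zero exit code means failure. The file check does not rely on it.
if ($proc.ExitCode -ne 0 -or -not $file -or $file.LastWriteTime -lt $started) {
    throw "ActivityReport failed (exit code $($proc.ExitCode)); no new report at $outFile"
}
Write-Host "Wrote $outFile for $($start.ToString('MM/dd/yyyy', $inv)) to $($end.ToString('MM/dd/yyyy', $inv))"
```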

Example 4

To create a Point in Time Analysis and Activity Report for all GPOs approved for the TestDom1 domain by user Admin1GPA in a month using SQL Server Authentication in the SQL Server connection string:

ActivityReport /file:c:\GPA_Reports\Admin1GPA_Approved092010.html 
/type:Approve /start:9/01/10 /end:9/30/10 /domain:TestDom1 
/user:Admin1GPA /details:Difference /overwrite:No 
/SQLConnStr:"Provider=SQLOLEDB.1;Password=[Your Password];User ID=sa;Initial Catalog=GPO_REPOSITORY;Data Source=%SERVERNAME%;Use 
Procedure for Prepare=1;Auto Translate=True;Packet 
Size=4096;Workstation ID=%LOCALCOMPNAME%;Use Encryption for 
Data=False;Tag with column collation when possible=False"