One of These GPOs is Not Like the Other

 

 

 

Why is it so difficult to compare GPOs?

 

There are certainly a number of reasons why you’d want to do so. Troubleshooting problems, for example, often starts with the question, “what changed?” and a GPO comparison could answer that. Or, you might be looking to consolidate GPOs, and want to find similar and dissimilar settings across multiple Group Policy objects. Whatever your reasons, the native GPO management tools in Windows just don’t do comparisons very well.

 

Starting with Windows Server 2008 R2 (and also available for Windows 7), the GroupPolicy PowerShell module would seem to offer some hope, but in fact doing a comparison is tricky, as shown by this script (https://gallery.technet.microsoft.com/ScriptCenter/18dea308-4faf-44bf-9e1c-e83d47edb866/) that dumps two GPOs to XML and then compares the XML. You’ll also find that, once you can compare GPOs, you’ll want to do more with that comparison – such as produce change management reports, roll back unwanted changes, and so forth.

 

Third-party tools exist to handle these tasks, but of course they all differ in their capabilities and capacities. Selecting the right tool really requires that you decide why you want to compare GPOs, and what you want to do with the comparisons once you have them.

 

What sorts of tasks would lead you to need a comparison of two or more GPOs?

About the Author