Active Directory GPO Reports

    All GPOs Report

    This provides the list of all Group Policy Objects present in the Active Directory.

    How it works : The report is generated by querying the LDAP for all objectClass set to groupPolicyContainer i.e. "objectClass=groupPolicyContainer

    To view the report, Click Reports → GPO Reports → All GPOs and Linked objects → Select domain and click generate

    Recently created GPOs Report

    This provides the list of Group Policy Objects and Active directory objects linked to it, that are recently created in the past "n" days.

    How it works: The report is generated by querying the LDAP for createTimeStamp set to more than or equal to SpecifiedTime i.e. "createTimeStamp>=SpecifiedTime".

    To view the report, select the domain, enter the number of days and click Generate.

    Recently modified GPOs Report

    This provides the list of Group Policy Objects and Active directory objects linked to it, that are recently modified in the past "n" days.

    How it works : The report is generated by querying the LDAP for modifyTimeStamp set to more than or equal to SpecifiedTime i.e. "modifyTimeStamp>=SpecifiedTime".

    To view the report, select the domain, enter the number of days and click Generate.

    Frequently modified computer settings GPOs Report

    This provides the list of Group Policy Objects with frequently modified computer settings.

    How it works : The report is generated by querying the LDAP for attribute versionNumber; as the computer settings are modified the version number also changes.

    To view the report, select the domain, enter the number of GPOs and click Generate.

    Frequently Modified user Settings GPOs Report

    This provides the list of Group Policy Objects with frequently modified user settings.

    How it works : The report is generated by querying the LDAP for attribute versionNumber; as the user settings are modified the version number also changes.

    To view the report, select the domain, enter the number of GPOs and click Generate.

    Frequently modified GPOs Report

    This provides the list of Group Policy Objects that are frequently modified.

    How it works : The report is generated by querying the LDAP for attribute versionNumber; as the computer settings are modified the version number also changes.

    To view the report, select the domain, enter the number of GPOs and click Generate.

    GPO blocked inheritance container Report

    This report lists all the objects (Domains/Sites/OUs) for which inheritance of GPO settings has been blocked.

    To view the report, select the domain and click Generate.

    GPOs with script report

    This report provides a list of all GPOs in which at least one among the logon, log off, start up and shut down scripts are configured.

    How it works: The report is generated by querying the LDAP for all objectClass set to groupPolicyContainer i.e. "objectClass=groupPolicyContainer and (|(gPCMachineExtensionNames=*{40B6664F-4972-11D1-A7CA-0000F87571E3}*)(gPCUserExtensionNames=*{40B66650-4972-11D1-A7CA-0000F87571E3}*))

    To view the report, Click Reports → GPO Reports → GPO scope reports → GPOs with Script Report → Select the domain and click Generate.

    Compare GPO versions report

    This report lists the user and computer versions of both Active Directory and SYSVOL of the desired GPOs.

    To view the report, Click Reports → GPO Reports → GPO scope reports → Compare GPO versions report → Select the domain and click Generate.

    Note: Enable the 'Show only inconsistent GPOs' option if you wish to list only the GPOs for which the GPO versions are inconsistent.

    Linked GPOs Report

    This report fetches information on GPOs that are linked to the OUs/sites in a domain.

    How it works: This report is generated by querying the LDAP for the OUs/sites with non-empty "gpLink" attribute.

    To view this report,

    Click Reports → GPO Reports → GPO Scope Reports → Linked GPOs Report → Select the domain and the OUs/Sites and click Generate.

    Direct and Inherited GPO Links Report

    This report fetches information on all the GPOs that are linked directly to the selected OUs and sites, and those that are inherited from the selected OU's parents up to the root domain.

    How it works: This report is generated by querying the LDAP server for the selected OUs or sites with non-empty "gpLink" attributes.

    To view this report:

    1. Navigate to the Reports tab and click GPO Reports.
    2. Under GPO Scope Reports, click Direct and Inherited GPO Links Report.
    3. Select the domain, OUs, and sites whose GPOs you would like to view and click Generate.

    Note: When Block Inheritance is enabled for an OU, this report fetches the inheritance information up to that particular OU. However, when a Group Policy is enforced on the parent, the enforced GPO link will take precedence and will be displayed in the report.

    GPOs Linked To Empty OUs

    This report displays GPOs linked to OUs without any security principals, offering management options such as disabling and removing the links.

    How it works: The report is generated by querying the LDAP for all OUs to which GPOs are linked. The OUs are then inspected to ensure there are no security principals present, either directly or within the nested OUs.

    To view the report:

    • Navigate to Reports > GPO Scope Reports > GPOs Linked To Empty OUs.
    • Select the domain in which you want to execute the report.
    • Click Generate.

    Disabled GPOs Report

    This provides the list of all disabled GPO's. Both the computer configuration and user configuration settings are disabled.

    How it works : The report is generated by querying the LDAP for all objectClass set to groupPolicyContainer and with a flag value 3 i.e. "objectClass=groupPolicyContainer" with flag=3.

    To view the report, select the domain and click Generate.

    Computer settings disabled GPOs Report

    This provides the list of Group Policy Objects with computer settings disabled.

    How it works : The report is generated by querying the LDAP for objectClass set to groupPolicyContainer with a flag value 3 or 2 i.e. "objectClass=groupPolicyContainer" (|(flags=3)(flags=2)).

    To view the report, select the domain and click Generate.

    User settings disabled GPOs Report

    This provides the list of Group Policy Objects with user settings disabled.

    How it works : The report is generated by querying the LDAP for "objectClass" set to groupPolicyContainer with a flag value 3 or 1 i.e. "objectClass=groupPolicyContainer" (|(flags=3)(flags=1)).

    To view the report, select the domain and click Generate.

    Unlinked GPOs Report

    This report fetches the list of GPOs that are not linked to any container in the domain.

    How it works : The report is generated by querying the LDAP for all GPO's that are not linked to any other objects in the domain and reiterating the search to all GPO's.

    To view the report, select the domain and click Generate.

    GPOs with Inactive Policy Settings

    This report lists GPOs with policy settings configured within their disabled user and computer configurations.

    How it works: This report is generated using a PowerShell query.

    To view the report,

    Click Reports → GPO Reports → GPO Status Reports → GPOs with Inactive Policy Settings → Select domain and hit Generate.

    GPO delegation Report

    This report allows you to view the security principals that have access to the selected GPOs and provides details on the security filters.

    How it works: The report is generated by querying LDAP for all the selected GPOs and filtering the required data from the nTSecurityDescriptor attribute, which contains the delegation information.

    To view the report, click Reports → GPO Reports → GPO Status Reports → GPO delegation report → Select the Domain and GPO(s) → click Generate.

    GPO Settings Report

    This report lists all the Administrative Templates, security settings (Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry, and File System), and the GPO preference settings (Environment, Files, Folders, Ini Files) for both user and computer configurations made in the selected GPO.

    How it works: This report is generated using a PowerShell query.

    To view the report, go to Reports tab → GPO Reports → GPO Settings Reports → GPO Settings, select the required domain and the GPO whose settings you wish to view, and click Generate.

    Once the report is generated, you can switch between the hierarchical and table views using the options at the top right corner of the report.

    Note: To generate this report, ADManager Plus server will establish a remote PowerShell connection to the selected domain's domain controller, which is configured in its settings. In case the connection fails, the DC will be added to the TrustedHosts list of the server in which ADManager Plus is installed, and the connection will be attempted again. If the connection still fails, the product will contact the next DC in the list of DCs configured in it. This will continue until it can connect to one of the DCs added in the product.

    GPOs with specific settings Report

    This report allows you to view the values of specific Administrative Templates and Security Settings (Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry, and File System) in all or selected GPOs.

    How it works: The report is generated by querying all the selected GPOs for the specified settings.

    To view the report, go to the Reports tab → GPO ReportsGPO Settings ReportsGPOs with specific settings. Select the required domain, GPOs, and the settings that you wish to view. Click Generate.

    Empty GPOs

    Use this report to get.

    • A list of empty GPOs from the selected GPOs or
    • A list of all the empty GPOs in the domain.

    To view the report,

    Click Reports → GPO Reports → GPO settings → Empty GPO reports → Select the domain and the GPO and hit Generate.

    Comparison of GPOs

    Use this report to compare the Administrative Templates and security settings (Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry, and File System) of different GPOs in your Active Directory. Refine your results using the available filters.

    How it works: This report is generated using a PowerShell query.

    To view the report,

    Click Reports → GPO Reports → GPO Settings → Comparison of GPOs → Select the domain and the GPOs that you wish to compare and click Generate.

    Resultant Set of Policy Report

    This report fetches the Administrative Template Policy and Security Settings (Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry, and File System) applied on the selected user and computer.

    How it works: This report is generated using a PowerShell Query.

    To view this report,

    Navigate to Reports tab → GPO Reports → GPO Settings Reports → Resultant Set of Policy → Select the desired domain, computer and user whose policy settings you wish to view → Check the Display User Settings and/or Display Computer Settings options to view both/either of the settings and hit Generate.

    Note: This report can only be generated when the domain credentials are configured in the Domain Settings.

    GPO Modeling Report

    The GPO modeling report in ManageEngine ADManager Plus simulates the possible Administrative Template and Security Settings (Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry, and File System) that will be applied on the selected user and computer.

    How it works: This report is generated using a PowerShell query.

    To generate this report:

    1. Log in to ADManager Plus and navigate to the Reports tab.
    2. In the left pane, click GPO Reports.
    3. Under GPO Settings Reports, click GPO Modeling Report.
    4. Select the desired domain and the user and computer whose settings you'd like to view and click Generate.
    5. Click the Advanced option and select the locations, sites and security groups of the specified user and computer based on which you'd like to further refine in the search.

    Note: This report can only be generated when the domain credentials are configured in the Domain Settings.

    Don't see what you're looking for?

    •  

      Visit our community

      Post your questions in the forum.

       
    •  

      Request additional resources

      Send us your requirements.

       
    •  

      Need implementation assistance?

      Try onboarding