Searching for GPOs

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

GPMC provides extensive capabilities to search for GPOs within a domain or across all domains shown in a forest. This search feature allows you to search for GPOs based on:

  • Display name of the GPO.

  • Whether or not a specific domain contains links to the GPO.

  • The permissions set on the GPO.

  • The WMI filter that is linked to the GPO.

  • The type of policy settings that have been set in the User Configuration or Computer Configuration in the GPO, such as folder redirection or security settings. Note that you cannot search based on the individual settings configured in a GPO.

  • GUID of the GPO.

Figure 24 shows the GPO Search dialog box.

592aebd5-8605-4eb1-9d6d-91a84b1e3bbb

Figure 24

The GPO search by name and by GUID functions allow the user to search for a GPO by the GPO display name or by GUID associated with the GPO. The search by User Configuration or Computer Configuration allows the user to find GPOs that contain certain types of Group Policy settings. Refer to Table 3 for a list of the Group Policy settings allowed in this search feature.

The search by security group feature allows the user to find GPOs that have certain permissions applied to them. You can search for GPOs that either explicitly have these permissions (or explicitly do not have these permissions) or that have these permissions effectively applied to them (or not). An explicit permission on a GPO means the security principal is directly referenced in the ACL on the GPO. An effective permission means the security principal has permissions on the GPO either as the result of an explicit ACE, or because of its group membership. These factors combine to give a security principal the merged or effective set of permissions they have on the GPO.

Searching by GPO-Link allows the user to find unlinked or cross-domain linked GPOs. For example, if you are searching for GPOs in a given domain and you perform a search where GPO links do NOT exist in that domain, this search type will return the list of unlinked GPOs.

Searching by GPOs that link to a WMI filter allows the user to find all GPOs that link to a specified WMI filter.

Table 3 summarizes the GPO search actions and how they can be used.

Table 3

Search Item Search Condition Value

GPO name

Contains

Does not Contain

Is Exactly

GPO Display name

GPO-Link

Exist in

Does not Exist in

Domain name(s)

[All Sites]

Security Group

Has this explicit permission

Does not have this explicit permission

Has this effective permission

Does not have this effective permission

Apply Settings

Edit Settings

Edit Settings, Delete, Modify Security

Read Settings

Linked WMI filter

Is

Is not

WMI Filter name

User Configuration

Contains

Does not Contain

Folder Redirection

Internet Explorer Branding

Registry

Scripts

Software Installation

Computer Configuration

Contains

Does not Contain

EFS Recovery

IP Security

Microsoft Disk Quota

QoS Packet Scheduler

Registry

Scripts

Security

Software Installation

Wireless Group Policy

GPO GUID

Equals

GUID

Note

When searching based on user or computer configuration, if a setting is enabled, and then all the settings in that extension are removed, there can be false-positive search for certain types of settings. This happens because the GPO has the extension listed as active. The extensions with this behavior are Security Settings, Software Installation, Folder Redirection, Internet Explorer Maintenance, and Encrypting File System (EFS).