Searching for GPOs
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
GPMC provides extensive capabilities to search for GPOs within a domain or across all domains shown in a forest. This search feature allows you to search for GPOs based on:
Display name of the GPO.
Whether or not a specific domain contains links to the GPO.
The permissions set on the GPO.
The WMI filter that is linked to the GPO.
The type of policy settings that have been set in the User Configuration or Computer Configuration in the GPO, such as folder redirection or security settings. Note that you cannot search based on the individual settings configured in a GPO.
GUID of the GPO.
Figure 24 shows the GPO Search dialog box.
Figure 24
The GPO search by name and by GUID functions allow the user to search for a GPO by the GPO display name or by GUID associated with the GPO. The search by User Configuration or Computer Configuration allows the user to find GPOs that contain certain types of Group Policy settings. Refer to Table 3 for a list of the Group Policy settings allowed in this search feature.
The search by security group feature allows the user to find GPOs that have certain permissions applied to them. You can search for GPOs that either explicitly have these permissions (or explicitly do not have these permissions) or that have these permissions effectively applied to them (or not). An explicit permission on a GPO means the security principal is directly referenced in the ACL on the GPO. An effective permission means the security principal has permissions on the GPO either as the result of an explicit ACE, or because of its group membership. These factors combine to give a security principal the merged or effective set of permissions they have on the GPO.
Searching by GPO-Link allows the user to find unlinked or cross-domain linked GPOs. For example, if you are searching for GPOs in a given domain and you perform a search where GPO links do NOT exist in that domain, this search type will return the list of unlinked GPOs.
Searching by GPOs that link to a WMI filter allows the user to find all GPOs that link to a specified WMI filter.
Table 3 summarizes the GPO search actions and how they can be used.
Table 3
Search Item | Search Condition | Value |
---|---|---|
GPO name |
Contains Does not Contain Is Exactly |
GPO Display name |
GPO-Link |
Exist in Does not Exist in |
Domain name(s) [All Sites] |
Security Group |
Has this explicit permission Does not have this explicit permission Has this effective permission Does not have this effective permission |
Apply Settings Edit Settings Edit Settings, Delete, Modify Security Read Settings |
Linked WMI filter |
Is Is not |
WMI Filter name |
User Configuration |
Contains Does not Contain |
Folder Redirection Internet Explorer Branding Registry Scripts Software Installation |
Computer Configuration |
Contains Does not Contain |
EFS Recovery IP Security Microsoft Disk Quota QoS Packet Scheduler Registry Scripts Security Software Installation Wireless Group Policy |
GPO GUID |
Equals |
GUID |
Note
When searching based on user or computer configuration, if a setting is enabled, and then all the settings in that extension are removed, there can be false-positive search for certain types of settings. This happens because the GPO has the extension listed as active. The extensions with this behavior are Security Settings, Software Installation, Folder Redirection, Internet Explorer Maintenance, and Encrypting File System (EFS).