Get-AppLockerPolicy
Applies To: Windows 7, Windows Server 2008 R2
This topic for the IT professional describes how to use Windows PowerShell to retrieve an AppLocker policy from a Group Policy object (GPO) or to discover the effect of an implemented AppLocker policy in Windows Server 2008 R2 and Windows 7.
The Get-AppLockerPolicy cmdlet gets the AppLocker policy from the local GPO, from a specified GPO, or from the effective AppLocker policy on the computer. The output of the AppLocker policy is an AppLockerPolicy object or an XML-formatted string.
Syntax
Get-AppLockerPolicy -Local <Boolean> [-XML <Boolean>] [<CommonParameters>]
Get-AppLockerPolicy -Domain <Boolean> -LDAP <String> [-XML <Boolean>] [<CommonParameters>]
Get-AppLockerPolicy -Effective <Boolean> [-XML <Boolean>] [<CommonParameters>]
Parameters
Parameter | Description |
---|---|
Local <Boolean> |
Gets the AppLocker policy from the local GPO. |
Domain <Boolean> |
Gets the AppLocker policy from the GPO that is specified by the path in the LDAP parameter. |
Effective <Boolean> |
Gets the effective AppLocker policy on the local computer. The effective policy is the combination of the local AppLocker policy and any applied domain policies on the local computer. |
LDAP <String> |
Specifies the Lightweight Directory Access Protocol (LDAP) path of the GPO. Must specify a unique GPO. |
XML <Boolean> |
Specifies the output of the AppLocker policy as an XML-formatted string. |
Examples
Gets the local AppLocker policy as an AppLockerPolicy object.
C:\PS>Get-AppLockerPolicy -Local
Gets the AppLocker policy of the unique GPO specified by the LDAP path as an AppLockerPolicy object.
C:\PS>Get-AppLockerPolicy -Domain -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Polices,CN=System,DC=Contoso,DC=com"
Gets the effective policy on the computer, and then sends it in XML format to the specified file.
C:\PS>Get-AppLockerPolicy -Effective -XML > C:\temp\Effective.xml
Gets the effective policy on the computer, and then uses the Test-AppLockerPolicy cmdlet to determine whether members of the Everyone group will be allowed to run the executable files in C:\Windows\System32.
C:\PS>Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\*.exe -User Everyone