Export (0) Print
Expand All

Get-AppLockerPolicy

Updated: August 31, 2009

Applies To: Windows 7, Windows Server 2008 R2

This topic for the IT professional describes how to use Windows PowerShell to retrieve an AppLocker policy from a Group Policy object (GPO) or to discover the effect of an implemented AppLocker policy in Windows Server 2008 R2 and Windows 7.

The Get-AppLockerPolicy cmdlet gets the AppLocker policy from the local GPO, from a specified GPO, or from the effective AppLocker policy on the computer. The output of the AppLocker policy is an AppLockerPolicy object or an XML-formatted string.

Syntax

Get-AppLockerPolicy -Local <Boolean> [-XML <Boolean>] [<CommonParameters>]
Get-AppLockerPolicy -Domain <Boolean> -LDAP <String> [-XML <Boolean>] [<CommonParameters>]
Get-AppLockerPolicy -Effective <Boolean> [-XML <Boolean>] [<CommonParameters>]

Parameters

 

Parameter Description

Local <Boolean>

Gets the AppLocker policy from the local GPO.

Domain <Boolean>

Gets the AppLocker policy from the GPO that is specified by the path in the LDAP parameter.

Effective <Boolean>

Gets the effective AppLocker policy on the local computer. The effective policy is the combination of the local AppLocker policy and any applied domain policies on the local computer.

LDAP <String>

Specifies the Lightweight Directory Access Protocol (LDAP) path of the GPO. Must specify a unique GPO.

XML <Boolean>

Specifies the output of the AppLocker policy as an XML-formatted string.

Examples

Gets the local AppLocker policy as an AppLockerPolicy object.

C:\PS>Get-AppLockerPolicy -Local

Gets the AppLocker policy of the unique GPO specified by the LDAP path as an AppLockerPolicy object.

C:\PS>Get-AppLockerPolicy -Domain -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Polices,CN=System,DC=Contoso,DC=com"

Gets the effective policy on the computer, and then sends it in XML format to the specified file.

C:\PS>Get-AppLockerPolicy -Effective -XML > C:\temp\Effective.xml

Gets the effective policy on the computer, and then uses the Test-AppLockerPolicy cmdlet to determine whether members of the Everyone group will be allowed to run the executable files in C:\Windows\System32.

C:\PS>Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\*.exe -User Everyone
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

Show:
© 2014 Microsoft