Did you know you can add a comment to a group policy? Did you know you can report on that comment as well. Basically, if you put the purpose and any additional information like security groups, applied to and not to, and so on and so forth, you can document and report on the group policy using PowerShell. Let me show you how.
Commenting Group Policy
There are two ways you can comment group policy, the first is the GUI. The second is through PowerShell. First we will do a comment via the GUI.
The GUI Way
- 300start Group Policy Management Console
- Select the policy object you wish to comment
- Right click and click edit on this policy
- In the navigation plane, right click the policy’s name and select properties
- Click the Comment tab
- Enter your comment
- Apply and Ok.
The PowerShell Way
The command we are going to be using is the get-gpo command. This command allows you to grab the single GPO or all of the GPOs in the company.
Get-GPO -Name "Control Panel Access"
You can see the comment we added to the policy earlier as the description. Why Microsoft hasn’t changed the name on the tab, I will never know. For anyone who is familiar with PowerShell there is no Set-GPO commandlet native to PowerShell. So, it’s time to put our thinking caps on and figure out what we can do. I piped this command into get-member.
Get-GPO -Name "Control Panel Access" | Get-Member
Look what we found. The Description property has a set feature to it. This means you can set the property using the get-gpo command.. Bingo! Lets do this!
(Get-GPO -Name "Control Panel Access").Description = "This policy blocks access for all members of the employees group, except for those inside the sg_control_panel_access group from accessing control panel. 04/25/2021"
I wanted to add today’s date into the description. This way whoever comes behind me sees when it was written. Now let’s see if the GUI updated accordingly as well.
It updated like we believed it would. This is because of the set feature inside the property. The command allowed us to set the property. Such a simple and yet lovely thing. Now, you can run a report asking for just the name and description to get much more information. If you do this with all of your policies, life gets a little easier.
Maybe, one day I will use a dynamic parameter and create a set-GPOdescriptoin command to set the description of any gpo you can select from. Hum…
Like always, if you have any questions feel free to ask.