Comments in Group Policy

Comments in Group Policy

Documentation is a big deal in the world of IT. There are different levels of documentation. I want to go over in-place documentation for group policy. Comments in Group Policy are in-place documentation.

How to comment on a Group Policy

This process is not straightforward by any stretch of the imagination. The first and foremost way to add comments to a Group Policy is to use the GUI.

  1. Open Group Policy Management Console
  2. Select the policy you wish to comment
  3. Right-click the policy in question and click edit
  4. Inside the group policy management editor, right-click the policy name and click properties
  5. Click the comment tab
  6. Now enter your comment.
  7. click Apply and Ok

The second way to add a comment in group policy is by using PowerShell. The Description of a policy is where the comment lives. Thus using the command Get-GPO will produce the comment. We will dig more into that later.

Get-GPO -name "Control Panel Access"

Using the Get-Member command we can pipe our Get-GPO command and see what is doable. You will be treated to a list of member types and what they are capable of. The description has a get and a set method to it. This means, you can set the description, aka comment.

(Get-GPO -name "Control Panel Access").Description = "This is my comment"

Suggestions

Here are a few suggestions for documenting the policy like this.

  1. Use the(Get-date).ToString(“yyyy-MM-dd_hh_mm_ss”) at the beginning to setup your date time.
  2. Then, I would add the author of the policy/comment
  3. A quick description of the policy
  4. Whether it’s a user or computer policy.
  5. Any WMI filters.

More information here helps the next person or even yourself months down the road. Don’t go overboard as it can cause issues later. Using the ‘`n’ will create a new line which can be helpful as well.

Pulling Comments with PowerShell

Now that we have all the policies documented, we can pull the information from the in-place documentation. We do this by using the GPO-Get -All command. One way to do this is by using the select-object command and passing everything into a csv. I personally don’t like that, but it works.

Get-GPO -All | select-object DisplayName,Description | export-csv c:\temp\GPO.csv

I personally like going through the GPO’s and creating a txt file with the comment and the file name being the display name.

Get-GPO -All | foreach-object {$_.Description > "c:\temp\$($_.Displayname).txt"}

Conclusion

I would like to go deeper into In-Place Documentation as it is very useful down the road. Powershell uses the #, other programs use different methods as well. If you get a chance to place in place documentation, life becomes easier when you are building out the primary documentation as you have a point of reference to look back at.

Future Reading

GPO – Comments

GPO – Comments

Did you know you can add a comment to a group policy? Did you know you can report on that comment as well. Basically, if you put the purpose and any additional information like security groups, applied to and not to, and so on and so forth, you can document and report on the group policy using PowerShell. Let me show you how.

Commenting Group Policy

There are two ways you can comment group policy, the first is the GUI. The second is through PowerShell. First we will do a comment via the GUI.

The GUI Way

  1. 300start Group Policy Management Console
  2. Select the policy object you wish to comment
  3. Right click and click edit on this policy
  4. In the navigation plane, right click the policy’s name and select properties
  5. Click the Comment tab
  6. Enter your comment
  7. Apply and Ok.

The PowerShell Way

The command we are going to be using is the get-gpo command. This command allows you to grab the single GPO or all of the GPOs in the company.

Get-GPO -Name "Control Panel Access"
Results of Get-GPO

You can see the comment we added to the policy earlier as the description. Why Microsoft hasn’t changed the name on the tab, I will never know. For anyone who is familiar with PowerShell there is no Set-GPO commandlet native to PowerShell. So, it’s time to put our thinking caps on and figure out what we can do. I piped this command into get-member.

Get-GPO -Name "Control Panel Access" | Get-Member
Results of the get member

Look what we found. The Description property has a set feature to it. This means you can set the property using the get-gpo command.. Bingo! Lets do this!

(Get-GPO -Name "Control Panel Access").Description = "This policy blocks access for all members of the employees group, except for those inside the sg_control_panel_access group from accessing control panel. 04/25/2021"
Results from the above command.

I wanted to add today’s date into the description. This way whoever comes behind me sees when it was written. Now let’s see if the GUI updated accordingly as well.

The new information is inside the policy

It updated like we believed it would. This is because of the set feature inside the property. The command allowed us to set the property. Such a simple and yet lovely thing. Now, you can run a report asking for just the name and description to get much more information. If you do this with all of your policies, life gets a little easier.

Maybe, one day I will use a dynamic parameter and create a set-GPOdescriptoin command to set the description of any gpo you can select from. Hum…

Like always, if you have any questions feel free to ask.