How to use Microsoft Policy Analyzer

Policy Analyzer is a free tool provided by Microsoft that allows you to compare different Group Policy Object (GPO) groups and highlight the differences.

It provides a Graphical User Interface (GUI) and it is only available for Windows OS.

How to install Policy Analyzer

Policy Analyzer is a tool that is included on Microsoft Security Compliance Toolkit (SCT).

You can go to SCT download page, then ensure you check “Policy Analyzer” in download list.

Policy Analyzer does not need installation. Just extract the zip file and run the executable file “PolicyAnalyzer.exe”.

You can find instructions about how to use Policy Analyzer in the file “Police Analyzer.pdf”, in the same folder as the executable file.

Step-by-step procedure on how to use Policy Analyzer

In this example, our goal is compare the current GPOs in a Windows Server againt the template GPOs. The template GPO on this tutorial is obtained from Microsoft Security Baselines, but you could use any other source.

1. Get the current GPOs
   1. In Windows Server, open “Group Policy Management”.
   2. Locate the GPO group to be compared.
   3. Right click on it and select “Backup…”. Select a location where you are going to export it. The result will be a exported file that contains other folders named with very long and random string between curly brackets, and that contains more subfolders and XML files.
2. Get the template GPOs
   1. In SCT download page, get the Security Baseline that suits your scenario.
3. Create original and reference .policyRules file from GPOs using Policy Analyzer
   1. Open “PolicyAnalyzer.exe”.
   2. Click on “Add…”.
   3. Go to menu bar > “File” > “Add files from GPOs…”. Select the folder where you have exported all your current GPOs.
   4. Click on “Import” and select a .PolicyRules file to store the set of GPOs.
   5. Repeat the steps to import the template GPOs. The second .policyRules file should be saved in the same folder as the first one
4. Compare original and reference .policyRules using Policy Analyzer
   1. Click on the path on the right of label “Policy Rule sets in:” and select the folder where both .policyRules files have been saved.
   2. We will leave the path “Policy Definitions in:” field with default value “C: \WINDOWS\PolicyDefinitions”
   3. Once both current and template GPOs are imported, we are able to compare them. Click on “View / Compare” button on the right hand side.
   4. Conflicts are highlighted in yellow on GPO template column with the text “**CONFLICT**”.
   5. When there is a difference in values, it is highlighted in yellow as well.
   6. Click on “Export” to export it to a CSV

You might also be interested in…

• Windows 10 Security

External references

• Aaron Margosis; “New tool: Policy Analyzer“; Microsoft Tech Community, 2019-06-18
• Jarrel Rivera; “CompTIA Security+ Lab #6 – GPO Analysis via Policy Analyzer“; YouTube, 2021-06-21