How to access a specific policy in Windows without using the graphical interface?


What I Have

The "path" of a specific policy like the following

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history

I can navigate the tree in the Group Policy Mgt tool and, with the previous path, reach the desired policy.

What I want

Reach the same result from PowerShell or another scripting language.

The ideal is a function that takes the previous path as input and returns the value (or notDefined) for the specific policy as output.

Does something like that exist?

There are 1 best solutions below

Many GPO policies can easily be retrieved from the registry, especially those from Administrative Templates (have a look at the .admx files in C:\Windows\PolicyDefinitions). However, some Windows Settings are trickier to discover, such as the one you want to get. The full PowerShell version will be:

(Get-ItemProperty -Path HKLM:\SAM\SAM\Domains\Account\ -Name F).F[82]

However, I strongly recommend that you do not modify registry security (if you don't, you can't get this property this way).

To avoid this, you can use a mix of cmd and PowerShell:

(net accounts | ConvertFrom-String -Delimiter ':' | 
    Where P1 -eq 'Length of password history maintained').P2

or, more readable:

(net accounts | ConvertFrom-String -Delimiter ':' -PropertyNames Property, Value | 
    Where Property -eq 'Length of password history maintained').Value

As you can see from the first approach, when you have the registry value, it is easy to get almost all of the policies (without modifying security):

Get-ItemProperty -Path <Some path> -Name <Some Value>

If you want only the value:

Get-ItemProperty -Path <Some path> -Name <Some Value> | Select -ExpandProperty <Some Value>

or

(Get-ItemProperty -Path <Some path> -Name <Some Value>).<Some Value>

To add some explanation, this is a part of FileSys.admx (as an example; there are many other .admx files):

    <policy name="DisableCompression" class="Machine"
            displayName="$(string.DisableCompression)"
            explainText="$(string.DisableCompressionText)"
            presentation="$(presentation.CompressionOptions)"
            key="System\CurrentControlSet\Policies"
            valueName="NtfsDisableCompression">
      <parentCategory ref="NTFS" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>

valueName="NtfsDisableCompression" is for the registry value

class="Machine" is for HKLM (User for HKCU)

key="System\CurrentControlSet\Policies" is for the path in the machine or user registry

So, you can read it with

(Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Policies\ `
                  -Name NtfsDisableCompression).NtfsDisableCompression

An error will be thrown if the policy is not configured:

try
{
   (Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Policies\ `
                     -Name NtfsDisableCompression -ErrorAction Stop).NtfsDisableCompression
}
catch
{
   "Policy not configured"
}

If the parameter you want to check is outside the scope of a GPO or is defined manually, and you know which value to request, the syntax is the same, except that the -Path parameter will not contain a Policies key. Here is an example for checking whether a proxy is enabled:

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyEnable
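
The ADMX-to-registry mapping described in the answer above (class selects the hive, key the path, valueName the value), wrapped in a function as an added example that is not part of the original answer. The function name Get-AdmxPolicyValue and its parameters are hypothetical; it assumes the policy carries a valueName attribute on the policy element, as in the FileSys.admx excerpt, and reports NotDefined when the registry value is absent.

```powershell
# Added example: map an ADMX <policy> element to its registry value and read it.
function Get-AdmxPolicyValue {
    [CmdletBinding()]
    param(
        # ADMX policy name, e.g. DisableCompression; restricted so it is safe inside XPath.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9_.-]+$')]
        [string] $PolicyName,

        [string] $AdmxDirectory = "$env:SystemRoot\PolicyDefinitions"
    )

    # local-name() matches <policy> regardless of the XML namespace the file declares.
    $xpath = "//*[local-name()='policy' and @name='$PolicyName']"
    $hits  = Select-Xml -Path (Join-Path $AdmxDirectory '*.admx') -XPath $xpath
    if (-not $hits) { throw "No policy named '$PolicyName' found in $AdmxDirectory" }

    foreach ($hit in $hits) {
        $key       = $hit.Node.GetAttribute('key')
        $valueName = $hit.Node.GetAttribute('valueName')
        if (-not $valueName) {
            Write-Warning "$($hit.Path): policy has no valueName attribute; skipped"
            continue
        }

        # class="Machine" -> HKLM, class="User" -> HKCU, class="Both" -> check both hives.
        $hives = switch ($hit.Node.GetAttribute('class')) {
            'Machine' { 'HKLM:' }
            'User'    { 'HKCU:' }
            'Both'    { 'HKLM:', 'HKCU:' }
        }

        foreach ($hive in $hives) {
            $path = '{0}\{1}' -f $hive, $key
            # Returns nothing (no error) when the key or the value does not exist.
            $item = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Policy       = $PolicyName
                AdmxFile     = Split-Path -Path $hit.Path -Leaf
                RegistryPath = $path
                ValueName    = $valueName
                Value        = if ($null -ne $item) { $item.$valueName } else { 'NotDefined' }
            }
        }
    }
}

Get-AdmxPolicyValue -PolicyName DisableCompression
```

Policy names are only unique within one .admx file, so the function emits one object per matching file and hive rather than a single value.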