How to Identify Differences Between GPOs, GPO Versions, or Templates
You can generate HTML-based or XML-based difference reports to analyze the differences between Group Policy objects (GPOs), templates, or different versions of a GPO.
A user account with the Reviewer, Editor, Approver, or AGPM Administrator (Full Control) role or necessary permissions in Advanced Group Policy Management is required to complete this procedure. Review the details in "Additional considerations" in this topic.
Identifying differences between GPOs, GPO versions, or templates
To identify differences between two GPOs or templates
1. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.
2. On the Contents tab in the details pane, click a tab to display GPOs (or templates, if comparing two templates).
3. Select the two GPOs or templates.
4. Right-click one of the GPOs or templates, click Differences, and then click HTML Report or XML Report to display a difference report summarizing the settings of the GPOs or templates.
To identify differences between a GPO and a template
1. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.
2. On the Contents tab in the details pane, click a tab to display GPOs (or templates, if comparing two templates).
3. Right-click the GPO, click Differences, and then click Template.
4. Select the template and type of report, and then click OK to display a difference report summarizing the settings of the GPO and template.
To identify differences between two versions of one GPO
1. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.
2. On the Contents tab in the details pane, click a tab to display GPOs (or templates, if comparing two templates).
3. Double-click the GPO to display its history, and then highlight the versions to be compared.
4. Right-click one of the versions, click Differences, and then click HTML Report or XML Report to display a difference report summarizing the settings of the GPOs.
To identify differences between a GPO version and a template
1. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.
2. On the Contents tab in the details pane, click a tab to display GPOs (or templates, if comparing two templates).
3. Double-click the GPO to display its history.
4. Right-click the GPO version of interest, click Differences, and then click Template.
5. Select the template and type of report, and then click OK to display a difference report summarizing the settings of the GPO version and template.
Key to difference reports
Symbol | Meaning | Color |
---|---|---|
None | Item exists with identical settings in both GPOs | Varies with level |
[#] | Item exists in both GPOs, but with changed settings | Blue |
[-] | Item exists only in the first GPO | Red |
[+] | Item exists only in the second GPO | Green |
For items with changed settings, the changed settings are identified when the item is expanded. The value for the attribute in each GPO is displayed in the same order that the GPOs are displayed in the report.
Some changes to settings may cause an item to be reported as two different items (one present only in the first GPO, one present only in the second) rather than as one item that has changed.
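The report key and the split-item caveat above, shown as an added example (not part of the original topic and not AGPM code). The settings, the item names, and the pairing heuristic in `possible_split_items` are assumptions made for illustration; the real report is produced by AGPM itself.

```python
# Added illustration. The settings below are constructed sample data,
# not AGPM output and not the schema of its XML report.
FIRST = {   # item name -> {attribute: value}
    "Minimum password length": {"Value": "8"},
    "Audit logon events": {"Success": "true", "Failure": "true"},
    "Rename guest account": {"Value": "visitor"},
    "Drive map: fs01 tools share": {"Letter": "T", "Action": "Update"},
}
SECOND = {
    "Minimum password length": {"Value": "14"},
    "Audit logon events": {"Success": "true", "Failure": "true"},
    "Screen saver timeout": {"Seconds": "600"},
    "Drive map: fs02 tools share": {"Letter": "T", "Action": "Update"},
}

def diff_items(first, second):
    """Return (symbol, item, changed) rows using the symbols from the report key."""
    rows = []
    for name in sorted(set(first) | set(second)):
        if name not in second:
            rows.append(("[-]", name, {}))      # only in the first GPO
        elif name not in first:
            rows.append(("[+]", name, {}))      # only in the second GPO
        else:
            a, b = first[name], second[name]
            # Values are kept as (first, second), the order the GPOs are compared in.
            changed = {k: (a.get(k), b.get(k))
                       for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
            rows.append(("[#]" if changed else "", name, changed))
    return rows

def possible_split_items(first, second, rows):
    """Pair [-] and [+] rows with the same attribute names (assumed heuristic):
    candidates for one changed item that was reported as two items."""
    removed = [n for s, n, _ in rows if s == "[-]"]
    added = [n for s, n, _ in rows if s == "[+]"]
    return [(r, a) for r in removed for a in added
            if set(first[r]) == set(second[a])]

if __name__ == "__main__":
    rows = diff_items(FIRST, SECOND)
    for symbol, name, changed in rows:
        print(f"{symbol or '   ':4}{name} {changed or ''}")
    for old, new in possible_split_items(FIRST, SECOND, rows):
        print(f"review together: [-] {old!r} / [+] {new!r}")
```

When reviewing a difference report before approving a GPO, read a [-] entry and a [+] entry of the same kind together, because the pair may be a single changed setting.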
Additional considerations
- By default, you must be a Reviewer, an Editor, an Approver, or an AGPM Administrator (Full Control) to perform this procedure. Specifically, you must have List Contents and Read Settings permissions for the GPO. Also, to display the list of GPOs, you must have List Contents permission for the domain.