Working with GPO and Applocker

The other day I was asked to provide all certificate-based AppLocker rules.
It turned out that the Group Policy that targets only Active Directory computer objects has security permissions that prevent domain users from reading it.

I was able to figure this out by counting the total number of GPOs in the domain as two different users:


Import-Module -Name "GroupPolicy"
Import-Module -Name "Applocker"

# Running as user who is not domain admin
(Get-GPO -All -Domain "FQDN.of.my.domain" ).Count
32

# Running as domain admin
(Get-GPO -All -Domain "FQDN.of.my.domain" ).Count
33

So, now that I knew I needed to run PowerShell with domain admin credentials, I was able to export the settings of the GPO I was looking for. Here’s how I did it:

# Read the AppLocker policy from the GPO and store it as an XML object
# (note the closing parenthesis at the end of the line)
$GPO = [xml](Get-AppLockerPolicy -Ldap ("LDAP://" + (Get-GPO -Name "Computers Parameters").path) -Domain -XML)

# Now, I can display only Publisher based rules for executables
($GPO.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq "Exe" }).FilePublisherRule | Format-Table -HideTableHeaders -AutoSize -Property Name,Action
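The same idea carried a step further, as an added example that is not code from the original post: it checks who holds read permissions on the GPO (which is what hid it from the non-admin account above) and then lists the publisher rules from every AppLocker rule collection, not just the Exe one, together with the signer details. The GPO name and domain FQDN are placeholders for your own environment.

```powershell
# Added example (not from the original post). "Computers Parameters" and
# "FQDN.of.my.domain" are placeholders; replace them with your own values.
Import-Module -Name "GroupPolicy"
Import-Module -Name "AppLocker"

$Domain  = "FQDN.of.my.domain"
$GpoName = "Computers Parameters"

# Who can read the GPO? If "Authenticated Users" (or "Domain Users") has no
# GpoRead/GpoApply entry, a non-admin account will not see the GPO at all,
# which is what made the GPO count differ between the two users.
$Gpo = Get-GPO -Name $GpoName -Domain $Domain
Get-GPPermission -Guid $Gpo.Id -All -DomainName $Domain |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited

# Export the AppLocker policy stored in the GPO as XML
$Ldap   = "LDAP://" + $Gpo.Path
$Policy = [xml](Get-AppLockerPolicy -Ldap $Ldap -Domain -Xml)

# Walk every rule collection (Exe, Dll, Script, Msi, Appx, ...) and report
# each certificate (publisher) rule with the signer it pins to. A rule whose
# PublisherName, ProductName and BinaryName are all "*" trusts anything
# signed with any certificate and deserves a second look.
foreach ($Collection in $Policy.AppLockerPolicy.RuleCollection) {
    foreach ($Rule in $Collection.FilePublisherRule) {
        $Cond = $Rule.Conditions.FilePublisherCondition
        [pscustomobject]@{
            Collection = $Collection.Type
            Enforce    = $Collection.EnforcementMode
            Name       = $Rule.Name
            Action     = $Rule.Action
            Publisher  = $Cond.PublisherName
            Product    = $Cond.ProductName
            Binary     = $Cond.BinaryName
        }
    }
}
```

Pipe the output to Export-Csv if you need to hand the rule inventory to someone else.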


2 thoughts on “Working with GPO and Applocker”

  1. This was so helpful to me. I’d searched a couple times trying to figure out how to list all rules of a specific type but couldn’t figure it out. Your post allowed me to cut and paste my way to victory! Thanks so much for the post.

  2. Hi,

    Thanks! This helps me a little on my way.

    You forgot to put a closing bracket at the line for the XML object, though. This must be:

    $GPO = [xml](Get-AppLockerPolicy -Ldap ("LDAP://" + (Get-GPO -Name "Computers Parameters").path) -Domain -XML)
