(GPO) Track what Policy is modifying a registry key or setting

1. Open a Windows Explorer window on your domain’s Sysvol folder. This will be something like “\\mydomain.com\Sysvol\mydomain.com”

2. In the Explorer Search field in this window, type the name of the registry value you are working with (in my case “passwordexpirywarning”)

[Screenshot: search returns no results]

3. Press Enter and wait for the search to complete – it won’t find anything, so you will then need to click Search in File Contents. Once the search completes, you should have one or more GptTmpl.inf files returned in the results, as shown below:

[Screenshot: search results listing GptTmpl.inf files]

4. Open each of these files in turn in Notepad (or your preferred text editor), and search each for the registry value in question:

[Screenshot: searching within a GptTmpl.inf file]

In the above screenshot, you can see that this is a “candidate” GPO as it is setting “passwordexpirywarning” to 0. Ignore any files that don’t correspond to the value you are interested in.

5. For each of the GptTmpl.inf files that contain the value in question, obtain the GPO GUID (Globally Unique Identifier) by inspecting the properties of the GptTmpl.inf file, as shown below. Copy the GUID part of the path, EXCLUDING the curly brackets {}, and paste it into a temporary text file:

[Screenshot: file properties showing the GPO GUID in the path]

The aim of this is to build up a list of GUIDs for candidate GPOs.

6. Now, if you are not already on a Windows 2008 R2 server with PowerShell and the Group Policy Management Console (GPMC) installed, log on to one and open a PowerShell session.

7. In the PowerShell session, type the following command:

Get-GPO -GUID <GUID>

where <GUID> is the first GUID you collected in the text file above, for example:

Get-GPO -GUID AD77FD0E-3E55-4B7B-AD7A-2C6B4E680F80

This should return the display name of the GPO corresponding to this GUID.
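
Steps 1 to 7 can also be run as a single script. The following is an added example, not part of the original post: it searches every GptTmpl.inf under Sysvol for the value name, takes the GUID from the file path and resolves it with Get-GPO. The domain name is a placeholder, and the script assumes the GroupPolicy module (installed with GPMC) and read access to Sysvol.

```powershell
# Added example, not from the original post.
# Assumptions: $Domain is a placeholder; the GroupPolicy module (GPMC) is installed.
param(
    [string]$Domain    = 'mydomain.com',            # placeholder domain name
    [string]$ValueName = 'passwordexpirywarning'    # registry value to trace
)

Import-Module GroupPolicy -ErrorAction Stop

$sysvol      = "\\$Domain\Sysvol\$Domain"
# A GPO folder name is the GUID wrapped in curly brackets; capture it without them.
$guidPattern = '\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}'

Get-ChildItem -Path $sysvol -Recurse -Filter 'GptTmpl.inf' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_

        # Steps 2-4: search the file contents (case-insensitive, literal match).
        $hits = $file | Select-String -Pattern $ValueName -SimpleMatch
        if (-not $hits) { return }    # not a candidate, move to the next file

        # Step 5: take the GUID from the path, without the curly brackets.
        if ($file.FullName -match $guidPattern) {
            $guid = $Matches[1]

            # Step 7: resolve the GUID. A folder left in Sysvol without a
            # matching GPO object makes Get-GPO fail, so report that case.
            $name = '<no matching GPO object>'
            $gpo  = Get-GPO -Guid $guid -Domain $Domain -ErrorAction SilentlyContinue
            if ($gpo) { $name = $gpo.DisplayName }

            foreach ($hit in $hits) {
                New-Object PSObject -Property @{
                    GpoName = $name
                    Guid    = $guid
                    Setting = $hit.Line.Trim()   # the line that sets the value
                    File    = $file.FullName
                }
            }
        }
    } | Select-Object GpoName, Guid, Setting, File | Format-List
```

Each result shows the GPO display name alongside the line that sets the value, so candidates that set a different value than the one you are chasing can be ruled out at a glance.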

 

Source :

http://www.nigelboulton.co.uk/2012/01/tracking-down-registry-changes-made-by-group-policy-objects/