(GPO) Track what Policy is modifying a registry key or setting

1. Open a Windows Explorer window on your domain’s Sysvol folder. This will be something like “\\mydomain.com\Sysvol\mydomain.com”

2. In the Explorer Search field in this window, type the name of the registry value you are working with (in my case “passwordexpirywarning”)


3. Press Enter and wait for the search to complete – it won’t find anything, so you will then need to click Search in File Contents. Once the search completes, you should have one or more GptTmpl.inf files returned in the results, as shown below:


4. Open each of these files in turn in Notepad (or your preferred text editor), and search each for the registry value in question:


In the above screenshot, you can see that this is a “candidate” GPO as it is setting “passwordexpirywarning” to 0. Ignore any files that don’t correspond to the value you are interested in

5. For each of the corresponding GptTmpl.inf files that contain the value in question, obtain the GPO GUID (Globally Unique Identifier) by inspecting the properties of the GptTmpl.inf file, as shown below, and copying and pasting the GUID part of the path, EXCLUDING the curly brackets {} into a temporary text file:


The aim of this is to build up a list of GUIDs for candidate GPOs

6. Now, if you are not already on a Windows 2008 R2 server with PowerShell and the Group Policy Management Console (GPMC) installed, log on to one, and open a PowerShell session

7. In the PowerShell session, type the following command:



where <GUID> is the first GUID you collected in the text file above, for example

Get-GPO -GUID AD77FD0E-3E55-4B7B-AD7A-2C6B4E680F80

This should return the display name of the GPO corresponding to this GUID


Source :




Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s