# === Configuration ===$gpoBackupDir = "C:\GPOBackup"$todayDir = "$gpoBackup

1. # === Configuration ===
2. $gpoBackupDir = "C:\GPOBackup"
3. $todayDir = "$gpoBackupDir\today"
4. $yesterdayDir = "$gpoBackupDir\yesterday"
5. $archiveDir = "$gpoBackupDir\archive"
6. $logFile = "$gpoBackupDir\gpo_diff.log"
7.  
8. $smtpServer = "smtp.yourdomain.com"
9. $from = "[email protected]"
10. $to = "[email protected]"
11. $subject = "Daily GPO Change Report"
12.  
13. # === Ensure Directories Exist ===
14. New-Item -ItemType Directory -Path $gpoBackupDir -Force | Out-Null
15. New-Item -ItemType Directory -Path $archiveDir -Force | Out-Null
16.  
17. # === Function: Extract Summarized Settings ===
18. function Get-PolicySummary {
19. param ([string]$path)
20.  
21. if (-not (Test-Path $path)) {
22. return @()
23. }
24.  
25. try {
26. [xml]$xml = Get-Content -Path $path -Raw
27. } catch {
28. return @()
29. }
30.  
31. $xml.SelectNodes("//*[local-name()='ReadTime' or local-name()='SDDL']") | ForEach-Object {
32. $_.ParentNode.RemoveChild($_) | Out-Null
33. }
34.  
35. $policyNodes = $xml.SelectNodes("//*[local-name()='Policy']")
36. if (-not $policyNodes) {
37. return @()
38. }
39.  
40. $summaries = @()
41.  
42. foreach ($policy in $policyNodes) {
43. $nameNode = $policy.SelectSingleNode("*[local-name()='Name']")
44. $stateNode = $policy.SelectSingleNode("*[local-name()='State']")
45. $valueNode = $policy.SelectSingleNode("*[local-name()='Value']/*[local-name()='Name']")
46.  
47. $name = if ($nameNode) { $nameNode.InnerText } else { "" }
48. $state = if ($stateNode) { $stateNode.InnerText } else { "" }
49. $value = if ($valueNode) { $valueNode.InnerText } else { "" }
50.  
51. $summary = "$name|$state|$value"
52. $summaries += $summary
53. }
54.  
55. return $summaries | Sort-Object
56. }
57.  
58. # === Step 1: Archive Yesterday ===
59. if (Test-Path $yesterdayDir) {
60. $timestamp = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
61. $archivePath = Join-Path $archiveDir $timestamp
62. Move-Item -Path $yesterdayDir -Destination $archivePath
63. }
64.  
65. # === Step 2: Copy Today to Yesterday ===
66. if (Test-Path $todayDir) {
67. Copy-Item -Path $todayDir -Destination $yesterdayDir -Recurse -Force
68. Remove-Item -Path $todayDir -Recurse -Force
69. }
70.  
71. # === Step 3: Export Current GPOs to Today ===
72. New-Item -ItemType Directory -Path $todayDir -Force | Out-Null
73. $allGPOs = Get-GPO -All
74.  
75. foreach ($gpo in $allGPOs) {
76. $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
77. $xmlPath = Join-Path $todayDir "$safeName.xml"
78.  
79. Backup-GPO -Name $gpo.DisplayName -Path $todayDir -Comment "Daily GPO Backup" | Out-Null
80. Get-GPOReport -Name $gpo.DisplayName -ReportType XML -Path $xmlPath
81. }
82.  
83. # === Step 4: Compare Summarized Settings ===
84. $differences = @()
85. $todayFiles = Get-ChildItem $todayDir -Filter *.xml
86.  
87. foreach ($file in $todayFiles) {
88. $yesterdayPath = Join-Path $yesterdayDir $file.Name
89.  
90. $todaySummary = Get-PolicySummary -path $file.FullName
91. $yesterdaySummary = Get-PolicySummary -path $yesterdayPath
92.  
93. if ($todaySummary.Count -eq 0 -and $yesterdaySummary.Count -eq 0) {
94. continue
95. }
96.  
97. # Compare and remove "moved but unchanged" settings
98. $diffs = Compare-Object `
99. -ReferenceObject $yesterdaySummary `
100. -DifferenceObject $todaySummary `
101. -IncludeEqual:$false
102.  
103. $added = @{}
104. $removed = @{}
105.  
106. foreach ($d in $diffs) {
107. if ($d.SideIndicator -eq '=>') {
108. $added[$d.InputObject] = $true
109. } elseif ($d.SideIndicator -eq '<=') {
110. $removed[$d.InputObject] = $true
111. }
112. }
113.  
114. $falsePositives = $added.Keys | Where-Object { $removed.ContainsKey($_) }
115. foreach ($fp in $falsePositives) {
116. $added.Remove($fp)
117. $removed.Remove($fp)
118. }
119.  
120. # Report final differences
121. if ($added.Count -gt 0 -or $removed.Count -gt 0) {
122. $differences += "Changes in GPO: $($file.BaseName)"
123. foreach ($entry in $removed.Keys) {
124. $details = $entry -replace '\|', ' -> '
125. $differences += " • Removed: $details"
126. }
127. foreach ($entry in $added.Keys) {
128. $details = $entry -replace '\|', ' -> '
129. $differences += " • Added: $details"
130. }
131. $differences += "`n"
132. }
133. }
134.  
135. # === Step 5: Log + Email Results ===
136. if ($differences.Count -gt 0) {
137. $report = $differences -join "`n"
138. $report | Out-File -FilePath $logFile -Encoding UTF8
139. Send-MailMessage -From $from -To $to -Subject $subject -Body $report -SmtpServer $smtpServer
140. }
141.