A desktop/web app for security engineers and Active Directory administrators to load, browse, compare, audit, and baseline-check Group Policy Object (GPO) backups — without needing a domain controller.
Load a folder of GPO backup exports and browse every policy setting across all GPOs in a categorized tree. Each category (Administrative Templates, Security Settings, Audit Policy, Firewall Rules, etc.) is shown in a collapsible, searchable tree. Use the dark-mode UI to quickly scan large policy sets.
Every policy setting has a built-in AI assistant button. Click it to get a plain-English explanation of what the setting does, why it matters, and common misconfigurations. Supported providers:
- OpenAI (GPT-4o and others)
- xAI (Grok)
- Google Gemini
Enter your API key once via the Settings icon (top-right). Explanations are cached per-setting per-GPO so they survive tab switches and GPO reloads.
Select two or more GPOs using the checkboxes in the sidebar, then click Compare to open a side-by-side diff view. Settings that differ between policies are highlighted. Changed, added, and removed settings are each shown in distinct colours.
The Conflicts view automatically finds settings that are configured in more than one GPO with different values — the exact conflicts a domain would resolve via GPO precedence order. Each conflict shows every GPO that touches the setting and what value each one sets, so you can identify unintended policy overlap at a glance.
The Search view lets you search every setting name and value across all loaded GPOs simultaneously. Results are grouped by GPO and link directly back to the setting inside its category tree.
The Baseline view compares all loaded GPOs against one or more Microsoft Security Baselines:
- Load baselines from the Microsoft Security Compliance Toolkit (the
GPOsfolder inside the baseline ZIP). - Multiple baselines load additively — load Windows 11, Windows Server 2025, Edge, etc. one after another and they accumulate.
- Each baseline shows a compliance score bar with a percentage breakdown of:
- Compliant — at least one GPO matches the baseline recommendation
- Wrong Value — the setting is configured but with a different value than recommended
- Missing — no GPO configures this setting at all
- Filter results by status (All / Missing / Wrong Value / Compliant) and free-text search by name.
- Expand any row to see the exact expected value vs. what each GPO currently sets.
- Bundled baselines included in the app:
- Windows 10 1607 and Windows Server 2016 Security Baseline
- Windows 10 Version 1809 and Windows Server 2019 Security Baseline
- Windows 10 20H2 / Windows Server 20H2 Security Baseline
- Windows 10 version 22H2 Security Baseline
- Windows 11 v23H2 Security Baseline
- Windows 11 v24H2 Security Baseline
- Windows 11 v25H2 Security Baseline
- Windows Server 2022 Security Baseline
- Windows Server 2025 Security Baseline (2602)
- Microsoft 365 Apps for Enterprise 2512
- Microsoft Edge v139 Security Baseline
Select GPOs for comparison, then use the Export button to download a formatted Excel spreadsheet (.xlsx) with all selected GPO settings for offline review or compliance evidence collection.
Click the Monitor icon (🖥) in the toolbar to import the Resultant Set of Policy (RSoP) from the machine where the app is running. This executes gpresult /X behind the scenes and loads the merged, effective policy — exactly what the machine has applied — as a GPO entry called "Effective Policy — <hostname>".
- A UAC elevation prompt is shown automatically when the app is not already running as Administrator (required to retrieve Computer-scope policies).
- The imported entry appears in the GPO list and can be browsed, searched, compared side-by-side with GPO backups, and checked against security baselines.
- Only registry-based and security settings are captured (the same data that GPO backup exports contain). Non-registry extensions such as Software Installation and Scripts are not included.
- Re-clicking the button refreshes the data with a new
gpresultrun. - Only available on Windows.
Dark mode is enabled by default. Toggle it with the moon/sun icon in the toolbar. The preference is persisted across sessions.
- Browser (Chrome / Edge): uses the native
showDirectoryPicker()API for zero-friction folder selection. - Electron desktop: uses a native OS folder-picker dialog via Electron IPC.
- Firefox fallback: inline text-path input field.
| Layer | Technology |
|---|---|
| Backend | Python 3.13, FastAPI, uvicorn, lxml, pydantic v2 |
| Frontend | React 19, TypeScript 5.8, Vite 6, Tailwind CSS 3 |
| State | @tanstack/react-query 5, axios |
| Icons | lucide-react |
| Export | SheetJS (xlsx) |
| Desktop | Electron (optional wrapper, native folder picker IPC) |
- Python 3.13
- Node.js 18+
- npm
- (Optional, for icon rebuild) ImageMagick (
magickon PATH)
# Install root + frontend dependencies
npm install
# Install backend dependencies
cd backend
pip install -r requirements.txtStart both the backend and frontend together from the repo root:
npm run devOr run them individually:
Backend (port 8000):
Set-Location c:\git\Pretty-Policy-Analyzer\backend
$env:PYTHONPATH = "c:\git\Pretty-Policy-Analyzer\backend"
python3.13 -m uvicorn app.main:app --reload --host 127.0.0.1 --port 8000Frontend (port 5173):
Set-Location c:\git\Pretty-Policy-Analyzer\frontend
npm run devOpen http://localhost:5173 in Chrome or Edge (required for showDirectoryPicker support).
If port 8000 is already in use, free it first:
Stop-Process -Id (Get-NetTCPConnection -LocalPort 8000 -ErrorAction SilentlyContinue).OwningProcess -Force -ErrorAction SilentlyContinueThe build script compiles the frontend, transpiles the Electron TypeScript, and bundles the Python backend with PyInstaller:
npm run buildThis runs the following steps in order:
sync:icon— regenerateselectron/icon.icofromfrontend/src/assets/PPALogo.png(requires ImageMagick).build:frontend— runsvite buildinsidefrontend/.build:electron— compileselectron/*.ts→dist-electron/.build:backend— runs PyInstaller usingbackend/gpo-backend.specto produce a self-containedbackend/dist/gpo-backendbinary.
Creates a portable directory under release/ using electron-packager:
npm run package:winOutput: release/Pretty Policy Analyzer-win32-x64/
Creates a one-click NSIS installer EXE under release/:
npm run installer:winOutput: release/Pretty Policy Analyzer Setup <version>.exe
The installer:
- Lets the user choose an installation directory (not a one-click install).
- Bundles the self-contained Python backend binary — no Python runtime required on the target machine.
- Bundles all security baselines (Windows 10/11, Windows Server 2016–2025, Microsoft 365 Apps for Enterprise 2512, Microsoft Edge v139).
- Signs nothing by default (
CSC_IDENTITY_AUTO_DISCOVERY=false) — add a code-signing certificate to remove the SmartScreen warning.
Note: Code signing is disabled by default. To sign the installer, remove
set CSC_IDENTITY_AUTO_DISCOVERY=false&&from theinstaller:winscript and configure a valid certificate via theWIN_CSC_LINK/WIN_CSC_KEY_PASSWORDenvironment variables.
The app expects a folder containing GUID-named subfolders — the standard output of Backup-GPO (PowerShell) or the GPMC Back Up All action. Each subfolder contains:
| File | Contents |
|---|---|
bkupInfo.xml |
Backup metadata (GPO name, domain, timestamps) |
gpreport.xml |
Full policy report (Admin Templates, Security Settings) |
DomainSysvol/GPO/Machine/registry.pol |
Binary registry policies |
DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf |
Security template (password policy, audit, privileges) |
# Export all GPOs from a domain
Backup-GPO -All -Path C:\GPOBackups
# Export a single GPO by name
Backup-GPO -Name "Default Domain Policy" -Path C:\GPOBackups