{"id":49157428,"url":"https://github.com/mirbach/pretty-policy-analyzer","last_synced_at":"2026-04-22T10:01:04.957Z","repository":{"id":352869156,"uuid":"1215777843","full_name":"mirbach/Pretty-Policy-Analyzer","owner":"mirbach","description":"A desktop/web app for security engineers and Active Directory administrators to load, browse, compare, audit, and baseline-check Group Policy Object (GPO) backups — without needing a domain controller.","archived":false,"fork":false,"pushed_at":"2026-04-21T14:30:40.000Z","size":1524,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-21T14:39:21.373Z","etag":null,"topics":["active-directory","active-directory-security","gpo","group-policy","group-policy-object"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mirbach.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-20T08:44:46.000Z","updated_at":"2026-04-21T14:30:44.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mirbach/Pretty-Policy-Analyzer","commit_stats":null,"previous_names":["mirbach/pretty-policy-analyzer"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/mirbach/Pretty-Policy-Analyzer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mirbach%2FPretty-Policy-Analyzer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mirbach%2FPretty-Policy-Analyzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mirbach%2FPretty-Policy-Analyzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mirbach%2FPretty-Policy-Analyzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mirbach","download_url":"https://codeload.github.com/mirbach/Pretty-Policy-Analyzer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mirbach%2FPretty-Policy-Analyzer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32130776,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-22T08:34:57.708Z","status":"ssl_error","status_checked_at":"2026-04-22T08:34:55.583Z","response_time":58,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","active-directory-security","gpo","group-policy","group-policy-object"],"created_at":"2026-04-22T10:00:45.957Z","updated_at":"2026-04-22T10:01:04.948Z","avatar_url":"https://github.com/mirbach.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Pretty Policy Analyzer\n\u003cimg width=\"1172\" height=\"506\" alt=\"Screenshot 2026-04-21 105355\" src=\"https://github.com/user-attachments/assets/d90ff35a-dbfd-4817-9d17-48adaf451777\" /\u003e\n\nA desktop/web app for security engineers and Active Directory administrators to load, browse, compare, audit, and baseline-check Group Policy Object (GPO) backups — without needing a domain controller.\n\n---\n\n## Features\n\n### Browse GPOs\nLoad a folder of GPO backup exports and browse every policy setting across all GPOs in a categorized tree. Each category (Administrative Templates, Security Settings, Audit Policy, Firewall Rules, etc.) is shown in a collapsible, searchable tree. Use the dark-mode UI to quickly scan large policy sets.\n\n### AI-Powered Explanations\nEvery policy setting has a built-in AI assistant button. Click it to get a plain-English explanation of what the setting does, why it matters, and common misconfigurations. Supported providers:\n- **OpenAI** (GPT-4o and others)\n- **xAI** (Grok)\n- **Google Gemini**\n\nEnter your API key once via the Settings icon (top-right). Explanations are cached per-setting per-GPO so they survive tab switches and GPO reloads.\n\n### Side-by-Side Compare\nSelect two or more GPOs using the checkboxes in the sidebar, then click **Compare** to open a side-by-side diff view. Settings that differ between policies are highlighted. Changed, added, and removed settings are each shown in distinct colours.\n\n### Conflict Detection\nThe **Conflicts** view automatically finds settings that are configured in more than one GPO with different values — the exact conflicts a domain would resolve via GPO precedence order. Each conflict shows every GPO that touches the setting and what value each one sets, so you can identify unintended policy overlap at a glance.\n\n### Global Search\nThe **Search** view lets you search every setting name and value across all loaded GPOs simultaneously. Results are grouped by GPO and link directly back to the setting inside its category tree.\n\n### Security Baseline Compliance\nThe **Baseline** view compares all loaded GPOs against one or more Microsoft Security Baselines:\n\n- Load baselines from the [Microsoft Security Compliance Toolkit](https://aka.ms/baselines) (the `GPOs` folder inside the baseline ZIP).\n- Multiple baselines load **additively** — load Windows 11, Windows Server 2025, Edge, etc. one after another and they accumulate.\n- Each baseline shows a compliance score bar with a percentage breakdown of:\n  - **Compliant** — at least one GPO matches the baseline recommendation\n  - **Wrong Value** — the setting is configured but with a different value than recommended\n  - **Missing** — no GPO configures this setting at all\n- Filter results by status (All / Missing / Wrong Value / Compliant) and free-text search by name.\n- Expand any row to see the exact expected value vs. what each GPO currently sets.\n- Bundled baselines included in the app:\n  - Windows 10 1607 and Windows Server 2016 Security Baseline\n  - Windows 10 Version 1809 and Windows Server 2019 Security Baseline\n  - Windows 10 20H2 / Windows Server 20H2 Security Baseline\n  - Windows 10 version 22H2 Security Baseline\n  - Windows 11 v23H2 Security Baseline\n  - Windows 11 v24H2 Security Baseline\n  - Windows 11 v25H2 Security Baseline\n  - Windows Server 2022 Security Baseline\n  - Windows Server 2025 Security Baseline (2602)\n  - Microsoft 365 Apps for Enterprise 2512\n  - Microsoft Edge v139 Security Baseline\n\n### Export to Excel\nSelect GPOs for comparison, then use the **Export** button to download a formatted Excel spreadsheet (`.xlsx`) with all selected GPO settings for offline review or compliance evidence collection.\n\n### Import Effective Local Policy\nClick the **Monitor** icon (🖥) in the toolbar to import the Resultant Set of Policy (RSoP) from the machine where the app is running. This executes `gpresult /X` behind the scenes and loads the merged, effective policy — exactly what the machine has applied — as a GPO entry called **\"Effective Policy — \\\u003chostname\\\u003e\"**.\n\n- A **UAC elevation prompt** is shown automatically when the app is not already running as Administrator (required to retrieve Computer-scope policies).\n- The imported entry appears in the GPO list and can be browsed, searched, compared side-by-side with GPO backups, and checked against security baselines.\n- Only **registry-based and security settings** are captured (the same data that GPO backup exports contain). Non-registry extensions such as Software Installation and Scripts are not included.\n- Re-clicking the button refreshes the data with a new `gpresult` run.\n- Only available on Windows.\n\n### Dark Mode\nDark mode is enabled by default. Toggle it with the moon/sun icon in the toolbar. The preference is persisted across sessions.\n\n### Folder Loading\n- **Browser** (Chrome / Edge): uses the native `showDirectoryPicker()` API for zero-friction folder selection.\n- **Electron desktop**: uses a native OS folder-picker dialog via Electron IPC.\n- **Firefox fallback**: inline text-path input field.\n\n---\n\n## Architecture\n\n| Layer | Technology |\n|-------|-----------|\n| Backend | Python 3.13, FastAPI, uvicorn, lxml, pydantic v2 |\n| Frontend | React 19, TypeScript 5.8, Vite 6, Tailwind CSS 3 |\n| State | @tanstack/react-query 5, axios |\n| Icons | lucide-react |\n| Export | SheetJS (xlsx) |\n| Desktop | Electron (optional wrapper, native folder picker IPC) |\n\n---\n\n## Development\n\n### Prerequisites\n- Python 3.13\n- Node.js 18+\n- npm\n- (Optional, for icon rebuild) ImageMagick (`magick` on PATH)\n\n### Setup\n\n```powershell\n# Install root + frontend dependencies\nnpm install\n\n# Install backend dependencies\ncd backend\npip install -r requirements.txt\n```\n\n### Run in Development\n\nStart both the backend and frontend together from the repo root:\n\n```powershell\nnpm run dev\n```\n\nOr run them individually:\n\n**Backend** (port 8000):\n```powershell\nSet-Location c:\\git\\Pretty-Policy-Analyzer\\backend\n$env:PYTHONPATH = \"c:\\git\\Pretty-Policy-Analyzer\\backend\"\npython3.13 -m uvicorn app.main:app --reload --host 127.0.0.1 --port 8000\n```\n\n**Frontend** (port 5173):\n```powershell\nSet-Location c:\\git\\Pretty-Policy-Analyzer\\frontend\nnpm run dev\n```\n\nOpen `http://localhost:5173` in **Chrome or Edge** (required for `showDirectoryPicker` support).\n\nIf port 8000 is already in use, free it first:\n```powershell\nStop-Process -Id (Get-NetTCPConnection -LocalPort 8000 -ErrorAction SilentlyContinue).OwningProcess -Force -ErrorAction SilentlyContinue\n```\n\n---\n\n## Building the Electron App\n\n### Step 1 — Build all artefacts\n\nThe `build` script compiles the frontend, transpiles the Electron TypeScript, and bundles the Python backend with PyInstaller:\n\n```powershell\nnpm run build\n```\n\nThis runs the following steps in order:\n1. `sync:icon` — regenerates `electron/icon.ico` from `frontend/src/assets/PPALogo.png` (requires ImageMagick).\n2. `build:frontend` — runs `vite build` inside `frontend/`.\n3. `build:electron` — compiles `electron/*.ts` → `dist-electron/`.\n4. `build:backend` — runs PyInstaller using `backend/gpo-backend.spec` to produce a self-contained `backend/dist/gpo-backend` binary.\n\n### Step 2a — Package (portable, no installer)\n\nCreates a portable directory under `release/` using `electron-packager`:\n\n```powershell\nnpm run package:win\n```\n\nOutput: `release/Pretty Policy Analyzer-win32-x64/`\n\n### Step 2b — Build the Windows Installer (NSIS)\n\nCreates a one-click NSIS installer EXE under `release/`:\n\n```powershell\nnpm run installer:win\n```\n\nOutput: `release/Pretty Policy Analyzer Setup \u003cversion\u003e.exe`\n\nThe installer:\n- Lets the user choose an installation directory (not a one-click install).\n- Bundles the self-contained Python backend binary — no Python runtime required on the target machine.\n- Bundles all security baselines (Windows 10/11, Windows Server 2016–2025, Microsoft 365 Apps for Enterprise 2512, Microsoft Edge v139).\n- Signs nothing by default (`CSC_IDENTITY_AUTO_DISCOVERY=false`) — add a code-signing certificate to remove the SmartScreen warning.\n\n\u003e **Note:** Code signing is disabled by default. To sign the installer, remove `set CSC_IDENTITY_AUTO_DISCOVERY=false\u0026\u0026` from the `installer:win` script and configure a valid certificate via the `WIN_CSC_LINK` / `WIN_CSC_KEY_PASSWORD` environment variables.\n\n---\n\n## GPO Backup Format\n\nThe app expects a folder containing GUID-named subfolders — the standard output of `Backup-GPO` (PowerShell) or the GPMC **Back Up All** action. Each subfolder contains:\n\n| File | Contents |\n|------|----------|\n| `bkupInfo.xml` | Backup metadata (GPO name, domain, timestamps) |\n| `gpreport.xml` | Full policy report (Admin Templates, Security Settings) |\n| `DomainSysvol/GPO/Machine/registry.pol` | Binary registry policies |\n| `DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf` | Security template (password policy, audit, privileges) |\n\n### Exporting GPO Backups\n\n```powershell\n# Export all GPOs from a domain\nBackup-GPO -All -Path C:\\GPOBackups\n\n# Export a single GPO by name\nBackup-GPO -Name \"Default Domain Policy\" -Path C:\\GPOBackups\n```\n\n---\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmirbach%2Fpretty-policy-analyzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmirbach%2Fpretty-policy-analyzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmirbach%2Fpretty-policy-analyzer/lists"}