Pagine

Windows 200x/201x - How to monitor GPO application with some tools

GPO are applied to computer and user side.

To verify its application here they are some simple tools:


  1. Resultant Set of Policy (rsop.msc)  it is graphical tools that show which policies are applied and which are working (consider that there are some expections to some policies not displayed with this tool)
  2. GPResult.exeit is a command line tool that create .xml .html report.
  3. Group Policy Inventory (GPInventory.exe) Group Policy Inventory (GPInventory.exe) allows administrators to collect Group Policy and other information from any number of computers in their network by running multiple Resultant Set of User Policy (RSOP) or Windows Management Instrumentation (WMI) queries. The query results can be exported to either an XML or a text file, and can be analyzed in Excel.Typical usage scenariosRSOP Queries:
    • Do a software inventory for users and computers in a domain or OU
    • See which applications are installed on computers in the domain
    • Track the rollout of new GPOs on a domain
    • Find computers that have not downloaded and applied new GPOs
    WMI Queries:
    • Do a complete hardware inventory (processor, memory, hard disk space, etc) for all computers in the domain
    • Scan all computers to see if a particular hotfix is applied
    • See the amount of disk space that is available on computers
    • Test a WMI filter before implementing it in the domain
  4. Using powershell you can utilize this command: Get-GPResultantSetOfPolicy, more details:
    https://technet.microsoft.com/en-us/library/ee461048.aspx
    https://blogs.technet.microsoft.com/heyscriptingguy/2013/02/08/use-powershell-to-find-group-policy-rsop-data/
  5. Using Wmi and .vbscript :
    https://blogs.msdn.microsoft.com/dsadsi/2009/09/18/how-to-retrieve-currently-applied-gpos-on-your-local-machine-using-wmi-via-windows-scripting-host-wsh/

If you like you can go deeper using these latter articles: