5 Replies Latest reply on Oct 3, 2018 12:52 PM by JoeDrwiega

    Active Directory group policy result

    DheerajMeher Rookie

      Dear All,

       

      Can we validate the "AD group policy" result in Ivanti Endpoint management Suite?

       

      Thanks,

       

      Dheeraj Meher

        • 1. Re: Active Directory group policy result
          JoeDrwiega SupportEmployee

          Can you describe a little further what you are trying to accomplish? We do have an add-on tool that you can purchase: How to assess your custom security compliance using Ivanti Endpoint Manager

           

          Or you can scan for registry keys created by the GPOs, or you can use the Actions deployment to run a PowerShell script in Software Distribution that could run applied GPOs and then export info and then pull that into EPM. Or you can track the event that GPOs create when they are applied: How to Monitor and Alert on a specific event log source

          • 2. Re: Active Directory group policy result
            DheerajMeher Rookie

            Hi Joe Drwiega,

             

            Thanks for your reply.

             

            We want to check which AD Group Policies are applied on the systems.

             

            Is it possible to validate this through EPM?

             

            Thanks,

            Dheeraj Meher

            • 3. Re: Active Directory group policy result
              1EarEngineer Specialist

              I have not found a way to do this through EPM; however, we use Group Policy Inventory (GPInventory.exe) from the Official Microsoft Download Center, which allows you to do what you are asking for.

              • 4. Re: Active Directory group policy result
                Rick.Smith1 Specialist

                DheerajMeher

                 

                The best solution I can think of is through the use of Data Analytics Console Extender and doing something like this:

                 

                PowerShell: Retrieve Group Policy details for Remote Computer – MEA SI Blog

                 

                You would need to have the device online and accessible, but keep in mind that I've not known GPRESULT to be able to evaluate GPOs applied through the ADMX method. I've actually brought this up with MS several times since they often want an export and the GPO applied directly to the registry doesn't seem to get flagged and picked up. 99% of all our policies on the desktops are applied through AppSense\UEM, which uses Microsoft's ADMX files (and others) to apply the same settings you would through an AD GPO. The downside is these tools scan what AD applies, not always what is actually applied on the computer and enforced through all other supported mechanisms.

                 

                Because of that, we'll often use Custom Data through Inventory scan to read the registry keys we are concerned about and then build reports based on that data.

                 

                Hope this helps.

                 

                Rick

                • 5. Re: Active Directory group policy result
                  JoeDrwiega SupportEmployee

                  Here is a VB script you can run on devices, and it will create a custom inventory reg key. Once you run it, allow the inventory for it in Custom Data - GPO - %GPONAME%, and the values that are pulled in as well, like Enabled, File System Path, ID, Name, and Version.

                  Be sure to test this and be sure to Allow these keys in from your Inventory in your Configure | Services and run inventory again.

                  The keys should show up in Computer.Custom Data.Registry.LANDesk Custom Fields.GPO.%GPONAME% and then the keys per GPO Name scanned in from the system.

                   

                  ' Writes every GPO in this computer's Resultant Set of Policy (RSoP) to the
                  ' custom inventory registry key, one subkey per GPO name.
                  ' Must run with rights to write under HKLM.
                  Set wshShell = CreateObject("WScript.Shell")
                  strComputer = "."
                  ' RSOP_GPO in root\rsop\computer lists the GPOs recorded for the computer.
                  Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
                  Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPO")

                  For Each objItem in colItems
                      ' Create the per-GPO key (trailing backslash writes the key's default value).
                      myGPOKey = "HKLM\SOFTWARE\Wow6432Node\Intel\LANDesk\Inventory\Custom Fields\GPO\" & objItem.Name & "\"
                      wshShell.RegWrite myGPOKey, "", "REG_SZ"
                      myNameKey = "HKLM\SOFTWARE\Wow6432Node\Intel\LANDesk\Inventory\Custom Fields\GPO\" & objItem.Name & "\Name"
                      wshShell.RegWrite myNameKey, objItem.Name, "REG_SZ"
                      ' Store the Enabled flag as the text "True" or "False".
                      myEnaKey = "HKLM\SOFTWARE\Wow6432Node\Intel\LANDesk\Inventory\Custom Fields\GPO\" & objItem.Name & "\Enabled"
                      If objItem.Enabled = -1 Then
                          wshShell.RegWrite myEnaKey, "True", "REG_SZ"
                      Else
                          wshShell.RegWrite myEnaKey, "False", "REG_SZ"
                      End If
                      myIDKey = "HKLM\SOFTWARE\Wow6432Node\Intel\LANDesk\Inventory\Custom Fields\GPO\" & objItem.Name & "\ID"
                      wshShell.RegWrite myIDKey, objItem.ID, "REG_SZ"
                      myFSPKey = "HKLM\SOFTWARE\Wow6432Node\Intel\LANDesk\Inventory\Custom Fields\GPO\" & objItem.Name & "\File System Path"
                      wshShell.RegWrite myFSPKey, objItem.FileSystemPath, "REG_SZ"
                      myVERKey = "HKLM\SOFTWARE\Wow6432Node\Intel\LANDesk\Inventory\Custom Fields\GPO\" & objItem.Name & "\Version"
                      wshShell.RegWrite myVERKey, objItem.Version, "REG_SZ"
                  Next
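
Added example, not part of any reply in this thread: a PowerShell sketch of the approach from reply 4 (read the policy registry values themselves, so settings applied outside AD are also seen) that writes its results under the custom inventory base key used in reply 5. The baseline entries are constructed samples and the `PolicyCheck` subkey name is an assumption made for this example; the new values still have to be allowed into inventory as described in reply 5.

```powershell
# Added example (not from the thread). Reads policy values straight from the
# registry, so it reports what is set on the machine regardless of whether an
# AD GPO, a UEM tool or a manual edit wrote it.

# Constructed sample baseline: replace with the settings you need to verify.
$Baseline = @(
    @{ Label    = 'ScriptBlockLogging'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Name     = 'EnableScriptBlockLogging'
       Expected = 1 },
    @{ Label    = 'UAC'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'EnableLUA'
       Expected = 1 }
)

# Base key taken from the VBScript in reply 5; 'PolicyCheck' is a hypothetical
# subkey name chosen for this example.
$OutRoot = 'HKLM:\SOFTWARE\Wow6432Node\Intel\LANDesk\Inventory\Custom Fields\PolicyCheck'

function Get-PolicyState {
    param([hashtable]$Item)
    # A missing key or value means the setting is not configured on this machine.
    $prop = Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Label = $Item.Label; Actual = 'NotConfigured'; Compliant = 'False' }
    }
    $actual = $prop.($Item.Name)
    [pscustomobject]@{
        Label     = $Item.Label
        Actual    = [string]$actual
        Compliant = [string]($actual -eq $Item.Expected)
    }
}

foreach ($item in $Baseline) {
    $state = Get-PolicyState -Item $item
    $key   = Join-Path $OutRoot $state.Label
    # Writing under HKLM requires administrative rights.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Actual'    -Value $state.Actual    -Type String
    Set-ItemProperty -Path $key -Name 'Compliant' -Value $state.Compliant -Type String
    $state   # also emit the result so it can be reviewed when run interactively
}
```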