Solved

The tool to show all the GPO settings across an entire network

Posted on 2013-05-24
Last Modified: 2013-05-28
Hello all,
I am going to review and update all the GPO settings in my company. I would like to compare GPO settings in our network to see exactly what needs to be dealt with and what needs to be improved. I wonder if there is a tool or a program that can show me all the GPO settings.
Also, what are the best practices for GPO?
Thanks,
Question by:dongocdung
18 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 39195068
Group Policy Management Console is the tool to use. There are also GPMC scripts that can help.

http://msdn.microsoft.com/en-us/library/windows/desktop/aa814151(v=vs.85).aspx

Group Policy MVP Darren has a great presentation on some best practices from TechEd last year

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/WSV206

Thanks

Mike
0
 
LVL 2

Expert Comment

by:Chris_Ryan81
ID: 39195076
GPOs are set by domain / forest, not by network. You would find all GPOs for a domain in the Group Policy Management console, which is automatically on 2008 domain controllers and would need to be installed on 2003 domain controllers (Link: http://www.microsoft.com/en-us/download/details.aspx?id=21895)

There is no real best practice, as a company's GPOs completely depend on the company and what type of security you are looking to uphold.
0
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 39195088
What is the Windows version supporting your Active Directory infrastructure?

Most GPO tasks can be done with the native Windows tools, specifically the "Group Policy Management" console. If you have Windows 2008, 2008 R2 or 2012, this console should be present by default; if you have Windows Server 2003, you can just download it from the Microsoft website:

http://www.microsoft.com/en-us/download/details.aspx?id=21895

With this tool you can do many things related to policies; a simple one is to click on the desired policy and check the summarized settings that it has configured without opening/editing the policy itself.

The best practices for GPOs are going to depend on the scope and maturity level of your organization; this link can give you some basic recommendations:

http://technet.microsoft.com/en-us/library/cc779168(v=WS.10).aspx

Additionally, it is strongly recommended that you create a test OU where you test your policies; if a policy doesn't have the expected results, just take the tested object out of this OU and it will be OK. Do this every time before applying the policies to a bigger container. Another important one: use the Default Domain Policy just for password-related policies, and make the rest of the configurations with a new GPO linked to the container where you want to apply them.

It is also very important to understand the behavior of the policy that we want to apply, so as not to have unexpected results.
0
 

Author Comment

by:dongocdung
ID: 39195127
mkline71,
I use this command ListAllGPO.wsf but it does not work. Please see it below:

C:\Users\lly>ListAllGPOs.wsf /v /ncmecad.net
'ListAllGPOs.wsf' is not recognized as an internal or external command, operable program or batch file.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39195133
Did you download the scripts?

http://www.microsoft.com/en-us/download/details.aspx?id=14536

Thanks


Mike
0
 

Author Comment

by:dongocdung
ID: 39195154
Mike,
I don't want to download it to my AD now. I just downloaded to my laptop Win 7 but still could not run that command.
Thanks,
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39195179
Is the script in your lly folder?

Thanks

Mike
0
 

Author Comment

by:dongocdung
ID: 39195228
Yes, it was, and my domain is ncmecad.net. I just tried it again but it still did not work. Thanks,
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39195259
Attaching a screenshot from my lab. The scripts go into Program Files (x86)\Microsoft Group Policy\GPMC Sample Scripts by default (you can change that during install).

For this example I used the default install path.

Then run the script

cscript listallgpos.wsf

Thanks


Mike
0
 
LVL 5

Expert Comment

by:d_nedelchev
ID: 39196807
If you want to manage the Group Policies from your laptop, you can install the Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1) on your Windows 7 machine and use gpmc.msc to administer your domain policies.

Here is an article that explains the steps needed to install the RSAT on your computer.

Do not forget to activate the "Windows Feature" for gpmc once you have installed the RSAT. It is explained in detail in the "Important" section in the article (you can open Turn Windows features on or off by running control appwiz.cpl,,2 from a command prompt or the Run menu).

One more thing, this option is available only for Ultimate and Enterprise versions of Windows 7.
0
 

Author Comment

by:dongocdung
ID: 39200932
Mike,
I was on vacation, so I could not test it on my laptop. This morning, I tried it but I received:

C:\Program Files (x86)\Microsoft Group Policy\GPMC Sample Scripts\listallgpos.ws
f(19, 2) Microsoft JScript runtime error: Automation server can't create object
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39200946
Do you get the same thing if you

cscript listallgpos.wsf

Thanks

Mike
0
 

Author Comment

by:dongocdung
ID: 39200960
yes, same thing. Thanks,
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39200970
Do you have GPMC installed on your laptop?

http://www.microsoft.com/en-us/download/details.aspx?id=21895



Thanks

Mike
0
 

Author Comment

by:dongocdung
ID: 39201026
I turned on the feature "Group Policy" in the Control Panel. It works. How do I export it to a document? Thanks,
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39201044
Just redirect it to a file

cscript listallgpos.wsf > allgpos.txt
0
 

Author Comment

by:dongocdung
ID: 39201126
Mike,
I get it.
Thanks for your time.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39201145
Glad to help, have a great week.

Thanks

Mike
0
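
For the settings review the question asks about, the same inventory can be produced with the GroupPolicy PowerShell module that is installed with GPMC/RSAT on Windows 7 / Server 2008 R2 and later. This is an added example, not part of the thread or of the GPMC sample scripts; the output folder name and the default domain are assumptions. It writes one HTML settings report per GPO plus a CSV that flags unlinked, disabled or empty GPOs.

```powershell
# Added example: inventory every GPO in a domain and save per-GPO settings reports.
# Requires the GroupPolicy module (GPMC feature / RSAT Group Policy Management Tools).
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumption: run from a domain-joined machine
    [string]$OutDir = '.\gpo-review'        # hypothetical output folder
)

Import-Module GroupPolicy -ErrorAction Stop

# Resolve to a full path so the report cmdlet writes where we expect
$OutDir = (New-Item -ItemType Directory -Path $OutDir -Force).FullName

$inventory = foreach ($gpo in Get-GPO -All -Domain $Domain) {
    # The XML report carries the configured settings and the containers the GPO is linked to
    [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ })

    # Readable copy of the settings for side-by-side review; the GUID keeps names unique
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $htmlPath = Join-Path $OutDir ('{0}_{1}.html' -f $safeName, $gpo.Id)
    Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Html -Path $htmlPath

    [pscustomobject]@{
        Name             = $gpo.DisplayName
        Id               = $gpo.Id
        Status           = $gpo.GpoStatus          # e.g. AllSettingsDisabled
        Created          = $gpo.CreationTime
        Modified         = $gpo.ModificationTime
        LinkCount        = $links.Count
        LinkedTo         = ($links | ForEach-Object { $_.SOMPath }) -join '; '
        DisabledLinks    = @($links | Where-Object { $_.Enabled -eq 'false' }).Count
        ComputerSettings = [bool]$report.GPO.Computer.ExtensionData
        UserSettings     = [bool]$report.GPO.User.ExtensionData
    }
}

# One row per GPO; review candidates (unlinked GPOs) sort to the top
$inventory |
    Sort-Object LinkCount, Name |
    Export-Csv -Path (Join-Path $OutDir 'gpo-inventory.csv') -NoTypeInformation

# Quick on-screen summary of GPOs that apply nowhere or configure nothing
$inventory |
    Where-Object { $_.LinkCount -eq 0 -or -not ($_.ComputerSettings -or $_.UserSettings) } |
    Format-Table Name, Status, LinkCount, Modified -AutoSize
```

The CSV shows only links within the queried domain as they appear in each GPO's report; site links and links from other domains in the forest should be checked in GPMC.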
