WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!
The tool to show all the GPO settings across an entire network
Hello all,
I am going to review and update all the GPO setting in my company. I would like to compare GPO settings in our network to see exactly what needs to be dealt with and what need to be improved. I wonder if there is a tool or a program that can show me all the GPO settings.
Aso, what are the best practices for GPO?
Thanks,
I am going to review and update all the GPO setting in my company. I would like to compare GPO settings in our network to see exactly what needs to be dealt with and what need to be improved. I wonder if there is a tool or a program that can show me all the GPO settings.
Aso, what are the best practices for GPO?
Thanks,
Who is Participating?
GPOs are set by domain / forest, not by network. You would find all GPOs for a domain in the Group Policy Management console, which is Automatically on 2008 Domain controllers and would need to be installed on 2003 Domain controllers (Link: http://www.microsoft.com/en-us/download/details.aspx?id=21895)
There is no real Best Practice as a company's GPOs completely depends on the company and what type of security you are looking to uphold.
There is no real Best Practice as a company's GPOs completely depends on the company and what type of security you are looking to uphold.
What is the Windows version supporting your Active Directory infrastructure?
Most of the GPOs tasks can be done with the native Windows tools, exactly "Group Policy Management" console. If you have Windows 2008, 2008 R2 or 2012 this console should be present by default, if you have Windows Server 2003 you can just download it from the Microsoft Webisite:
http://www.microsoft.com/en-us/download/details.aspx?id=21895
With this tool you can make many things relate to polices, one simple one is make click on the desired policy and check the summarized settings that it has configured without open/editing the policy itself
The best practices for GPOs are going to depend for the scope and madurity level of your organization, this link can give you some basic recommendations:
http://technet.microsoft.com/en-us/library/cc779168(v=WS.10).aspx
Additionally it is strongly recommended that you create a test OU where you test tour polices, if this policy doesn't have the expected results just take the tested object outside from this OU and it will be Ok. Make this all the time before applying the polices to a bigger container, another important one... Use the Default Domain Policy just for password relate polices, the rest of the configurations make them with a new GPO linked in the container where you want to apply them
It is very important too, to understand what is the behavior of the policy that we want to apply for not having unexpected results.
Most of the GPOs tasks can be done with the native Windows tools, exactly "Group Policy Management" console. If you have Windows 2008, 2008 R2 or 2012 this console should be present by default, if you have Windows Server 2003 you can just download it from the Microsoft Webisite:
http://www.microsoft.com/en-us/download/details.aspx?id=21895
With this tool you can make many things relate to polices, one simple one is make click on the desired policy and check the summarized settings that it has configured without open/editing the policy itself
The best practices for GPOs are going to depend for the scope and madurity level of your organization, this link can give you some basic recommendations:
http://technet.microsoft.com/en-us/library/cc779168(v=WS.10).aspx
Additionally it is strongly recommended that you create a test OU where you test tour polices, if this policy doesn't have the expected results just take the tested object outside from this OU and it will be Ok. Make this all the time before applying the polices to a bigger container, another important one... Use the Default Domain Policy just for password relate polices, the rest of the configurations make them with a new GPO linked in the container where you want to apply them
It is very important too, to understand what is the behavior of the policy that we want to apply for not having unexpected results.
mkline71,
I use this command ListAllGPO.wsf but it does not work. Please see it below:
C:\Users\lly>ListAllGPOs.w
'ListAllGPOs.wsf' is not recognized as an internal or external command, operable program or batch file.
I use this command ListAllGPO.wsf but it does not work. Please see it below:
C:\Users\lly>ListAllGPOs.w
'ListAllGPOs.wsf' is not recognized as an internal or external command, operable program or batch file.
Did you download the scripts
http://www.microsoft.com/en-us/download/details.aspx?id=14536
Thanks
Mike
http://www.microsoft.com/en-us/download/details.aspx?id=14536
Thanks
Mike
Mike,
I don't want to download it to my AD now. I just downloaded to my laptop Win 7 but still could not run that command.
Thanks,
I don't want to download it to my AD now. I just downloaded to my laptop Win 7 but still could not run that command.
Thanks,
Attaching a screenshot from my lab. The scripts go into programfiles (x86)\Microsoft Group Policy\GPMC Sample Scripts by default (you can change that during install)
For this example I used the default install path.
Then run the script
cscript listallgpos.wsf
Thanks
Mike
For this example I used the default install path.
Then run the script
cscript listallgpos.wsf
Thanks
Mike
If you want to manage the Group Policies from your laptop you can install the Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1) on your Windows 7 machine and use gpmc.msc to administer you domain policies.
Here is a an article that explains the steps needed to install the RSAT on your computer.
Do not forget to activate the "Windows Feature" for gpmc once you have installed the RSAT. It is explained in details in the "Important" section in the article (you can open Turn Windows features on or off by running control appwiz.cpl,,2 form command prompt or Run menu).
One more thing, this option is available only for Ultimate and Enterprice versions of Windows 7.
Here is a an article that explains the steps needed to install the RSAT on your computer.
Do not forget to activate the "Windows Feature" for gpmc once you have installed the RSAT. It is explained in details in the "Important" section in the article (you can open Turn Windows features on or off by running control appwiz.cpl,,2 form command prompt or Run menu).
One more thing, this option is available only for Ultimate and Enterprice versions of Windows 7.
Mike,
I was on vacation. So, i could not test it on my laptop. This morning, I tried it but I received:
C:\Program Files (x86)\Microsoft Group Policy\GPMC Sample Scripts\listallgpos.ws
f(19, 2) Microsoft JScript runtime error: Automation server can't create object
I was on vacation. So, i could not test it on my laptop. This morning, I tried it but I received:
C:\Program Files (x86)\Microsoft Group Policy\GPMC Sample Scripts\listallgpos.ws
f(19, 2) Microsoft JScript runtime error: Automation server can't create object
Do you have GPMC installed on your laptop?
http://www.microsoft.com/en-us/download/details.aspx?id=21895
Thanks
Mike
http://www.microsoft.com/en-us/download/details.aspx?id=21895
Thanks
Mike
I turned on the feature "Group Policy" in the contron panel. It works. How do I do to export it to the document? Thanks,
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month7 days, 16 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
http://msdn.microsoft.com/en-us/library/windows/desktop/aa814151(v=vs.85).aspx
Group Policy MVP Darren has a great presentation on some best practices from TechEd last year
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/WSV206
Thanks
Mike