?
Solved

The tool to show all the GPO settings across an entire network

Posted on 2013-05-24
18
Medium Priority
?
526 Views
Last Modified: 2013-05-28
Hello all,
I am going to review and update all the GPO setting in my company. I would like to compare GPO settings in our network to see exactly what needs to be dealt with and what need to be improved. I wonder if there is a tool or a program that can show me all the GPO settings.
Aso, what are the best practices for GPO?
Thanks,
0
Comment
Question by:dongocdung
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
18 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 39195068
Group Policy Management Console is the tool to use.  There are also GPMC scripts that can help

http://msdn.microsoft.com/en-us/library/windows/desktop/aa814151(v=vs.85).aspx

Group Policy MVP Darren has a great presentation on some best practices from TechEd last year

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/WSV206

Thanks

Mike
0
 
LVL 2

Expert Comment

by:Chris_Ryan81
ID: 39195076
GPOs are set by domain / forest, not by network.  You would find all GPOs for a domain in the Group Policy Management console, which is Automatically on 2008 Domain controllers and would need to be installed on 2003 Domain controllers (Link: http://www.microsoft.com/en-us/download/details.aspx?id=21895)

There is no real Best Practice as a company's GPOs completely depends on the company and what type of security you are looking to uphold.
0
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 39195088
What is the Windows version supporting your Active Directory infrastructure?

Most of the GPOs tasks can be done with the native Windows tools, exactly "Group Policy Management" console. If you have Windows 2008, 2008 R2 or 2012 this console should be present by default, if you have Windows Server 2003 you can just download it from the Microsoft Webisite:

http://www.microsoft.com/en-us/download/details.aspx?id=21895

With this tool you can make many things relate to polices, one simple one is make click on the desired policy and check the summarized settings that it has configured without open/editing the policy itself

The best practices for GPOs are going to depend for the scope and madurity level of your organization, this link can give you some basic recommendations:

http://technet.microsoft.com/en-us/library/cc779168(v=WS.10).aspx

Additionally it is strongly recommended that you create a test OU where you test tour polices, if this policy doesn't have the expected results just take the tested object outside from this OU and it will be Ok. Make this all the time before applying the polices to a bigger container, another important one... Use the Default Domain Policy just for password relate polices, the rest of the configurations make them with a new GPO linked in the container where you want to apply them

It is very important too, to understand what is the behavior of the policy that we want to apply for not having unexpected results.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:dongocdung
ID: 39195127
mkline71,
I use this command ListAllGPO.wsf but it does not work. Please see it below:

C:\Users\lly>ListAllGPOs.wsf /v /ncmecad.net
'ListAllGPOs.wsf' is not recognized as an internal or external command, operable program or batch file.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39195133
Did you download the scripts

http://www.microsoft.com/en-us/download/details.aspx?id=14536

Thanks


Mike
0
 

Author Comment

by:dongocdung
ID: 39195154
Mike,
I don't want to download it to my AD now. I just downloaded to my laptop Win 7 but still could not run that command.
Thanks,
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39195179
Is the script in your lly folder?

Thanks

Mike
0
 

Author Comment

by:dongocdung
ID: 39195228
yes it was and my domain is ncmecad.net. I just tried it again but still did not work. Thanks,
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39195259
Attaching a screenshot from my lab.   The scripts go into programfiles (x86)\Microsoft Group Policy\GPMC Sample Scripts by default (you can change that during install)

For this example I used the default install path.

Then run the script

cscript listallgpos.wsf

1
Thanks


Mike
0
 
LVL 5

Expert Comment

by:d_nedelchev
ID: 39196807
If you want to manage the Group Policies from your laptop you can install the  Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1) on your Windows 7 machine and use gpmc.msc to administer you domain policies.

Here is a an article that explains the steps needed to install the RSAT on your computer.

Do not forget to activate the "Windows Feature" for gpmc once you have installed the RSAT. It is explained in details in the "Important" section in the article (you can open Turn Windows features on or off by running control appwiz.cpl,,2 form command prompt or Run menu).

One more thing, this option is available only for Ultimate and Enterprice versions of Windows 7.
0
 

Author Comment

by:dongocdung
ID: 39200932
Mike,
I was on vacation. So, i could not test it on my laptop. This morning, I tried it but I received:

C:\Program Files (x86)\Microsoft Group Policy\GPMC Sample Scripts\listallgpos.ws
f(19, 2) Microsoft JScript runtime error: Automation server can't create object
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39200946
do you get the same thing if you

cscript listallgpos.wsf

Thanks

Mike
0
 

Author Comment

by:dongocdung
ID: 39200960
yes, same thing. Thanks,
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39200970
Do you have GPMC installed on your laptop?

http://www.microsoft.com/en-us/download/details.aspx?id=21895



Thanks

Mike
0
 

Author Comment

by:dongocdung
ID: 39201026
I turned on the feature "Group Policy" in the contron panel. It works. How do I do to export it to the document? Thanks,
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39201044
Just redirect it to a file

cscript listallgpos.wsf > allgpos.txt
0
 

Author Comment

by:dongocdung
ID: 39201126
Mike,
i get it.
Thanks for your time.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39201145
Glad to help, have a great week.

Thanks

Mike
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question