Microsoft Security Compliance Manager - compare baseline to multiple GPOs?

Is there a way to merge multiple GPOs into one backup?
I have a baseline from Microsoft that I'm trying to compare to backups of my Group Policy, but the problem is, in my Group Policy I may have both User & Computer policies applied, whereas the baseline is only User policies or only Computer policies. So the comparison isn't fair, or is skewed and hard to understand.

I'm using this program, and it has a Compare option, I think only if you can import GPOs.
I don't think it will compare a baseline to all GPOs live in your environment?
Microsoft Security Compliance Manager
http://technet.microsoft.com/en-us/library/cc677002.aspx
garryshape Asked:
btan, Exec Consultant, Commented:
In the past you could compare based on XML, e.g. using xmldiff or AGPM, but that can be more strenuous and not straightforward to understand. However, using SCM, which is ideally more for 1-to-1 comparison, you can import the two GPOs into SCM and compare them. You'll see the result categories below and can also export the result to an Excel file.
Settings that differ
Settings that match
Settings only in First baseline
Settings only in Second baseline

Other than that, to compare with "merged" GPOs, which I see as a 1-to-N comparison using SCM, I am just not confident of the accuracy.

However, there are other tools, such as the one below, that may help in your use case, as it claims to allow you to quickly compare up to 4 Group Policy Objects and also to compare multiple LIVE GPOs.

GPO Compare - http://sdmsoftware.com/group-policy-management-products/group-policy-compare/
garryshape, Author, Commented:
Cool thanks for the info.

What about SCOM or SCCM? Would either of those be capable of achieving this?
btan, Exec Consultant, Commented:
They are delivery channels to "facilitate" pushing down GPOs, and I don't really want to depend on them to differentiate/compare and "assume" they can, which I am not certain or confident of. They are probably good at getting the different or latest Windows update or software update point management, but to create/compare/obtain the latest GPO, that will be new, not to mention that the admin or yourself is the one who determines the "new" GPO.

http://blog.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

Group Policies are great and the Windows Update Group Policies have some great functionality; unfortunately, none of them actually do anything to Software Updates in ConfigMgr. Without FCS, the most you should set in relation to Windows Updates is the Configure Automatic Updates policy to Disabled and forcing the Automatic Updates service to Automatic.
garryshape, Author, Commented:
Ok so here's where I'm at.

I've exported the GPOs that I downloaded from the website I'm trying to use for compliance checking.
That website and download is here: usgcb.nist.gov/usgcb/microsoft_content.html

I imported those into Microsoft Security Compliance Manager, then from Compliance Manager, I used the Export feature to the type "SCCM DCM 2007 (.cab)".

Then in SCCM 2012, I created a Configuration baseline, importing these .cabs.
That appears to have worked.

Only challenge is, I get Discovery Error on one of them:
• Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
• Network security: Force logoff when logon hours expire

Since there's no corresponding registry entry for this setting, I cannot seem to get SCCM to evaluate it against the collections I run a compliance report against using the Configuration Baseline, as long as it includes that rule. It will error out and I'll never get a "completed" summarization.

If I remove that rule from the Configuration Baseline collection item, it will carry out just fine.
btan, Exec Consultant, Commented:
The steps should be alright, and the error seems to be as described under "Unexpected Compliance Results in Desired Configuration Management", e.g. "Non-existing registry hive", at http://technet.microsoft.com/en-us/library/bb632478.aspx

You can also check out "Unexpected Data in Desired Configuration Management Reports" at http://technet.microsoft.com/en-us/library/bb680646.aspx
That registry seems to be more for local policy as compared to domain policy per se. We may also want to try configuring a new setting or browsing to an existing setting on a reference computer, configuring the string for the "Hive" that you want to search in; see step 4 in http://technet.microsoft.com/en-us/library/gg712331.aspx.

You can click Browse to browse to a registry location on the computer or on a remote computer. To browse a remote computer, you must have administrator rights on the remote computer and the remote computer must be running the remote registry service.

Or, even to a certain extent, set the compliance rule to (Step 5):

Report noncompliance if this setting instance is not found – The configuration item reports noncompliance if this setting is not found on client computers.

Remediate noncompliant rules when supported – Select this option if you want Configuration Manager to automatically remediate noncompliant rules. Configuration Manager can automatically remediate the following rule types: e.g. Registry value – The registry value is remediated if it is noncompliant, and created if it does not exist.
garryshape, Author, Commented:
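The "merge several GPOs, then compare against a baseline" problem from the question and the four result classes btan listed above can be done offline on the security templates themselves: each GPO backup carries a GptTmpl.inf, and merging them in link order gives the effective set a 1-to-N compare needs. This is an added example, not SCM's or SCCM's own code; the templates are constructed, and the ForceLogoffWhenHourExpire entry shows why the setting from the last comments lives in [System Access] rather than [Registry Values], so a registry-based DCM rule has nothing to probe.

```python
# Added example: merge several GPO security templates (GptTmpl.inf) in link
# order and compare the result with a baseline, in the four classes SCM reports.
import configparser

# Constructed samples. A real GptTmpl.inf is UTF-16, starts with a [Unicode]
# section, and sits under <backup>\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\
LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
BASELINE = f"""[System Access]
MinimumPasswordLength = 14
ForceLogoffWhenHourExpire = 1
[Registry Values]
{LSA}LimitBlankPasswordUse=4,1
{LSA}NoLMHash=4,1
"""
GPO_DEFAULT_DOMAIN = f"""[System Access]
MinimumPasswordLength = 8
[Registry Values]
{LSA}LimitBlankPasswordUse=4,1
{LSA}NoLMHash=4,0
MACHINE\\Software\\Policies\\Example\\Constructed=4,0
"""
GPO_HARDENING = """[System Access]
MinimumPasswordLength = 14
"""

def parse_template(text):
    """Return {(section, key): value}; keys keep their case (registry paths)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() if s != "Unicode"
            for k, v in cp[s].items()}

def merge_templates(templates):
    """Apply templates in GPO processing order: the last one linked wins."""
    merged = {}
    for t in templates:
        merged.update(parse_template(t))
    return merged

def compare(first, second):
    """Four result classes, as in SCM's baseline comparison."""
    common = first.keys() & second.keys()
    return {
        "differ": sorted(k for k in common if first[k] != second[k]),
        "match": sorted(k for k in common if first[k] == second[k]),
        "only_first": sorted(first.keys() - second.keys()),
        "only_second": sorted(second.keys() - first.keys()),
    }
```

Running compare(parse_template(BASELINE), merge_templates([GPO_DEFAULT_DOMAIN, GPO_HARDENING])) reports NoLMHash as differing, MinimumPasswordLength as matching only because the later hardening GPO overrides the default domain policy, and ForceLogoffWhenHourExpire as present only in the baseline.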
Way cool, thanks for so much advice/help here.