Microsoft Security Compliance Manager - compare baseline to multiple GPOs?

Is there a way to merge multiple GPOs into one backup?
I have a baseline from Microsoft that I'm trying to compare to backups of my Group Policy, but the problem is that in my Group Policy I may have both User and Computer policies applied, whereas the baseline is only User policies, or only Computer policies. So the comparison isn't fair, or is skewed and hard to understand.

I'm using this program, and I think it has a Compare option only if you can import GPOs.
I don't think it will compare a baseline to all GPOs live in your environment?
3 Solutions
btan (Exec Consultant) commented:
In the past you could compare based on XML, such as using xmldiff or AGPM, but that can be more strenuous and not straightforward to understand. However, using SCM, which is ideally more for 1-to-1 comparison, you can import the two GPOs into SCM and compare them. You'll see the categories below and can also export the result to an Excel file.
Settings that differ
Settings that match
Settings only in First baseline
Settings only in Second baseline
Other than that, to compare with "merged" GPOs, which I see as a 1-to-N comparison using SCM, I am just not confident in the accuracy.

However, there are other tools, such as the one below, that may help in your use case, as it claims to allow you to quickly compare up to 4 Group Policy Objects and also to compare multiple LIVE GPOs.

GPO Compare - http://sdmsoftware.com/group-policy-management-products/group-policy-compare/
garryshape (Author) commented:
Cool thanks for the info.

What about SCOM or SCCM? Would either of those be capable of achieving this?
btan (Exec Consultant) commented:
They are delivery channels to "facilitate" pushing down GPOs, and I don't really want to depend on them to differentiate/compare and "assume" they can, which I am not certain or confident of. They are probably good at getting the different or latest Windows updates or software update point management, but to create/compare/obtain the latest GPO, that will be new, not to mention that the admin or yourself is the one who determines the "new" GPO.


Group Policies are great and the Windows Update Group Policies have some great functionality; unfortunately, none of them actually do anything to Software Updates in ConfigMgr. Without FCS, the most you should set in relation to Windows Updates is the Configure Automatic Updates policy to Disabled and forcing the Automatic Updates service to Automatic.
garryshape (Author) commented:
Ok so here's where I'm at.

I've exported the GPOs that I downloaded from the website I'm trying to use for compliance checking.
That website and download is here: usgcb.nist.gov/usgcb/microsoft_content.html

I imported those into Microsoft Security Compliance Manager, then from Compliance Manager, I used the Export feature to the type "SCCM DCM 2007 (.cab)".

Then in SCCM 2012, I created a Configuration baseline, importing these .cabs.
That appears to have worked.

Only challenge is, I get Discovery Error on one of them:
• Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
• Network security: Force logoff when logon hours expire

Since there's no corresponding registry entry for this setting, I cannot seem to get SCCM to evaluate it against the collections I run a compliance report against using the Configuration Baseline, as long as it includes that rule. It will error out and I'll never get a "completed" summarization.

If I remove that rule from the Configuration Baseline collection item, it will carry out just fine.
btan (Exec Consultant) commented:
The steps should be alright, and the error seems to be as under "Unexpected Compliance Results in Desired Configuration Management", e.g. "Non existing registry hive", at http://technet.microsoft.com/en-us/library/bb632478.aspx

You can also check out "Unexpected Data in Desired Configuration Management Reports" at http://technet.microsoft.com/en-us/library/bb680646.aspx
That registry entry seems to be more for local policy as compared to domain policy per se. We may also want to try configuring a new setting, or browsing to an existing setting on a reference computer and configuring the string for the "Hive" that you want to search in; check out step 4 in http://technet.microsoft.com/en-us/library/gg712331.aspx.

You can click Browse to browse to a registry location on the computer or on a remote computer. To browse a remote computer, you must have administrator rights on the remote computer and the remote computer must be running the remote registry service.

Or, to a certain extent, set the compliance rule to (Step 5):

Report noncompliance if this setting instance is not found – The configuration item reports noncompliance if this setting is not found on client computers.

Remediate noncompliant rules when supported – Select this option if you want Configuration Manager to automatically remediate noncompliant rules. Configuration Manager can automatically remediate the following rule types: e.g. Registry value – The registry value is remediated if it is noncompliant, and created if it does not exist.
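An added worked example (not code from the original thread, from SCM or from Microsoft) that covers two points raised above: the 1-to-N "merged GPOs versus baseline" comparison btan describes as unreliable in SCM, and the "Force logoff when logon hours expire" discovery error, which happens because that setting has no registry value. Security Settings in a GPO backup live in a secedit template, GptTmpl.inf (assumed here to sit at the standard path `<backup GUID>\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf`), and `secedit.exe /export` writes the same INF format for the live machine, with `ForceLogoffWhenHourExpire` under `[System Access]`. The script flattens such INF files, merges several GPOs in the order a client would apply them (later wins), and reports the four SCM buckets. The three INF fragments at the bottom are constructed sample data; the function names and the `secedit` invocation wrapper are this example's own. Assumes Windows PowerShell 5.1 or later and, for the live export, an elevated prompt.

```powershell
# Added example, not part of the original thread.

function ConvertFrom-SecurityInf {
    # Flatten INF lines into a hashtable of "Section\Key" -> value
    param([Parameter(Mandatory)][string[]]$Lines)
    $section = $null; $map = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -and $line -match '^(.+?)\s*=\s*(.*)$') {
            $map["$section\$($Matches[1])"] = $Matches[2].Trim()
        }
    }
    return $map
}

function Merge-SecuritySettings {
    # Merge several flattened GPOs. Later entries win, so pass them in processing
    # order (lowest-precedence link first), the way a client applies them.
    param([Parameter(Mandatory)][hashtable[]]$Settings)
    $merged = @{}
    foreach ($s in $Settings) { foreach ($k in $s.Keys) { $merged[$k] = $s[$k] } }
    return $merged
}

function Compare-SecuritySettings {
    # Same four buckets the SCM compare view shows
    param([Parameter(Mandatory)][hashtable]$Baseline, [Parameter(Mandatory)][hashtable]$Target)
    $r = [ordered]@{ Differ = @(); Match = @(); OnlyInBaseline = @(); OnlyInTarget = @() }
    foreach ($k in $Baseline.Keys) {
        if (-not $Target.ContainsKey($k)) { $r.OnlyInBaseline += $k }
        elseif ($Target[$k] -eq $Baseline[$k]) { $r.Match += $k }
        else { $r.Differ += "$k (baseline=$($Baseline[$k]) target=$($Target[$k]))" }
    }
    foreach ($k in $Target.Keys) { if (-not $Baseline.ContainsKey($k)) { $r.OnlyInTarget += $k } }
    return $r
}

function Get-EffectiveSecuritySettings {
    # Live machine: export merged domain + local security policy (needs admin).
    # Non-registry settings such as ForceLogoffWhenHourExpire show up here,
    # so a ConfigMgr "Script" setting can evaluate them where a registry rule cannot.
    $inf = Join-Path $env:TEMP "secpol-$([guid]::NewGuid()).inf"
    try {
        & secedit.exe /export /mergedpolicy /cfg $inf /areas SECURITYPOLICY | Out-Null
        if (-not (Test-Path $inf)) { throw 'secedit export failed' }
        return ConvertFrom-SecurityInf -Lines (Get-Content -Path $inf)
    } finally { Remove-Item -Path $inf -ErrorAction SilentlyContinue }
}

# Constructed sample data standing in for a baseline GptTmpl.inf and two domain GPO backups
$baselineInf = @'
[System Access]
MinimumPasswordLength = 14
ForceLogoffWhenHourExpire = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
'@
$defaultGpoInf = @'
[System Access]
MinimumPasswordLength = 7
ForceLogoffWhenHourExpire = 0
'@
$hardeningGpoInf = @'
[System Access]
MinimumPasswordLength = 14
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
'@

$baseline  = ConvertFrom-SecurityInf -Lines ($baselineInf -split "`n")
$default   = ConvertFrom-SecurityInf -Lines ($defaultGpoInf -split "`n")
$hardening = ConvertFrom-SecurityInf -Lines ($hardeningGpoInf -split "`n")

# The hardening GPO is linked with higher precedence, so it is applied last
$effective = Merge-SecuritySettings -Settings @($default, $hardening)
Compare-SecuritySettings -Baseline $baseline -Target $effective
# To check a real client instead: Compare-SecuritySettings -Baseline $baseline -Target (Get-EffectiveSecuritySettings)
```

With the sample data, MinimumPasswordLength lands in Match, ForceLogoffWhenHourExpire in Differ, LimitBlankPasswordUse in OnlyInBaseline and NoLMHash in OnlyInTarget. For the SCCM side, a discovery script that outputs just `(Get-EffectiveSecuritySettings)['System Access\ForceLogoffWhenHourExpire']` can back a Script-type setting in the configuration item, with the compliance rule comparing that value to whatever the baseline requires; this needs script execution to be allowed by the client settings, and it replaces the registry rule that errors with "setting not found".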
garryshape (Author) commented:
way cool thanks for so much advice/help here.
