Best way to check for GPO compliance? Having trouble with SCCM.
What is the best way to check computers on the network for compliance against Group Policies?
I have tried exporting Backups of our GPOs and converting them to .cab in Microsoft Security Compliance Manager, but that only converts to 2007 and I'm on SCCM 2012, so I'm not sure if it's 100% accurate there. Secondly, there's always some kind of issue, like it not knowing how to translate some configuration items' queries and determine if systems are compliant.
Is there a better way? I'm new to this area. Is it all commercial software solutions to "get things done" in this area? Or is there a simple free approach I'm overlooking?
There is interest in comparing USGCB baselines as well, and I can only work with their GPO backups and convert with Microsoft Security Compliance Manager, which like my own GPO backups, leads to strange issues.
I'm assuming the USGCB SCAP is a better file to use for baseline scanning?
I have tried exporting Backups of our GPOs and converting them to .cab in Microsoft Security Compliance Manager, but that only converts to 2007 and I'm on SCCM 2012, so I'm not sure if it's 100% accurate there. Secondly, there's always some kind of issue, like it not knowing how to translate some configuration items' queries and determine if systems are compliant.
Is there a better way? I'm new to this area. Is it all commercial software solutions to "get things done" in this area? Or is there a simple free approach I'm overlooking?
There is interest in comparing USGCB baselines as well, and I can only work with their GPO backups and convert with Microsoft Security Compliance Manager, which like my own GPO backups, leads to strange issues.
I'm assuming the USGCB SCAP is a better file to use for baseline scanning?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I ran into one issue today, where Compliance Manager, appended the word "Equals" to the beginning of the Interactive Logon message for security group policy, and it also omitted a comma from one of the sentences in the paragraph of text.
This kind of stuff is very strange to me and I find myself having to in every single "export" and "import" to clean up the programs' mess. If not it comes back as compliant. Which leads me to believe, how do I know what's "compliant" is indeed compliant?
The criteria/expressions/value