[gptalk] Re: Determining group associated with a GPO

  • From: "Nelson, Jamie" <Jamie.Nelson@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 30 Sep 2008 13:02:26 -0500

Yes, you should be able to query AD for groupPolicyContainer objects and
then recursively bind to each one, grab the nTSecurityDescriptor and
parse the DACL for ACE entries that have the "Apply Group Policy"
permission allowed.


From there, determining whether or not a user is in a group is fairly


Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon
Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
http://www.dvn.com <http://www.dvn.com/> 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Northwood, Ian
Sent: Tuesday, September 30, 2008 9:49 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Determining group associated with a GPO




As part of a licensing audit, I have been asked to build a script to
interrogate installed software on machines. Easy enough. However, we
want to be able to determine which apps were installed per-user by Group
Policy and whether the user concerned is in the group associated with
the package.


How do I query AD to determine the group associated with the GPO, given
that I know:


- all the users who have had software pushed to them having logged into
the machine (I loop through
Managed\[User's SIDs]\Installer\Products\[PackedProductCode])

- the GPO name and its GUID

- the ProductCode, its packed form and its octet/byte array form


The idea is that we produce a list of accounts who appear in the
registry as having had 'Package X' installed but who are not in the
associated group.


Liverpool Victoria Friendly Society Ltd. Registered in England and
Wales. Registered Office: County Gates Bournemouth England, BH1 2NF,
No.61 Coll. Financial Services Authority Register number 110035. 

This email (and any attachments):

- is for its intended recipients only and may contain confidential and
/or legally privileged information. If received in error, any use of
this email is prohibited. Please delete it (and any copies) and notify
us on +44(0)1202 292333, ext. 4044. 

- is believed to be free of any virus or other defect but internet
communications cannot be guaranteed to be secure or error free and we do
not accept any liability for any loss or damage from their receipt or

Opinions expressed in this email are not necessarily those of the
LV= and Liverpool Victoria are trade marks of Liverpool Victoria
Friendly Society Limited and LV= and LV= Liverpool Victoria are trading
styles of the Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails sent to and by its

To find out more about us please visit: www.lv.com <http://www.lv.com/>

This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 

Confidentiality Warning: This message and any attachments are intended only for 
the use of the intended recipient(s), are confidential, and may be privileged. 
If you are not the intended recipient, you are hereby notified that any review, 
retransmission, conversion to hard copy, copying, circulation or other use of 
all or any portion of this message and any attachments is strictly prohibited. 
If you are not the intended recipient, please notify the sender immediately by 
return e-mail, and delete this message and any attachments from your system. 

Other related posts: