[gptalk] Re: Determining group associated with a GPO

  • From: "Northwood, Ian" <Ian.Northwood@xxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 8 Oct 2008 12:28:35 +0100

The registry contains that info for the currently logged-in user only. Our 
requirement is for the script to walk the domain (or a selected OU) and 
interrogate each machine for its installed software, including what's been 
pushed out by GP. For locally installed software, we'll kick off a remote 
removal. For GPO-pushed stuff, all we can do is determine if the user is a member 
of the group associated with the GPO. This latter requirement is why we need to 
find out which group is filtered on the GPO.
 
Anyway, I've arrived at a solution:
 
- query the AD for the ProductCode and get the container name(s), plural 
because there may be AD orphans containing the code. I'm researching a method 
to determine which GPO is the 'live' one.
- parse that container name for the GPO's container name (is there a 'method' 
to get that? I'm just looking for '{' then '}' and using what's in between!)
- get the SecurityDescriptor details for the GPO
- test if the trustee name returned is a group and, if so, add it to a 
dictionary
- loop through the dictionary and test the account's membership of that group.
 
It's a mess at the moment but at least I know I can get the info I need. Now 
all I need to do is shoe-horn my QAD script into the actual script which will 
do the work.
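The steps above, and the registry path in the original question (Installer\Managed\[SID]\Installer\Products\[PackedProductCode]), rest on three pieces of pure string work: converting a ProductCode between its GUID, packed and octet forms, building the AD search filter from the octet form, and pulling the GPO GUID out of the packageRegistration object's container name. The following is an added example, not Ian's QAD script or anything from the list; it is written in Python so it runs offline with constructed sample values. The live AD query and the GPO security-descriptor lookup are left to the QAD/GPMC tooling named in the thread. Assumptions: the packageRegistration object's ProductCode is held in an octet-string attribute named productCode, and both GUIDs in the sample DN are made up.

```python
import re
import uuid

# Constructed sample input. The ProductCode is the widely published one for
# Adobe Reader 8, used here only because its packed form is easy to check;
# the two GUIDs in the DN are invented for this example.
SAMPLE_PRODUCT_CODE = "{AC76BA86-7AD7-1033-7B44-A90000000001}"
SAMPLE_PACKAGE_DN = (
    "CN={5E1B0C27-8AB7-4F1E-9C33-0D2A7B6E4F10},CN=Packages,CN=Class Store,"
    "CN=User,CN={7A3D9F02-4C6B-4E1A-B8D5-2F0E6C9A1B34},CN=Policies,"
    "CN=System,DC=example,DC=com"
)

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def normalize_guid(guid):
    """Return the 32 hex digits of a GUID, upper-case, braces and hyphens removed."""
    hex32 = re.sub(r"[{}\-]", "", guid).upper()
    if not re.fullmatch(r"[0-9A-F]{32}", hex32):
        raise ValueError("not a GUID: %r" % guid)
    return hex32


def _swap_groups(hex32):
    # The Windows Installer 'packed' form reverses the first three GUID groups
    # (8, 4 and 4 digits) and swaps the two digits of every remaining byte.
    out = hex32[0:8][::-1] + hex32[8:12][::-1] + hex32[12:16][::-1]
    for i in range(16, 32, 2):
        out += hex32[i + 1] + hex32[i]
    return out


def pack_product_code(guid):
    """GUID -> packed form used as the key under Installer\\Products."""
    return _swap_groups(normalize_guid(guid))


def unpack_product_code(packed):
    """Packed form -> braced GUID (the transform is its own inverse)."""
    h = _swap_groups(normalize_guid(packed))
    return "{%s-%s-%s-%s-%s}" % (h[0:8], h[8:12], h[12:16], h[16:20], h[20:32])


def product_code_octets(guid):
    """Binary GUID as AD stores it: first three fields little-endian, rest as-is."""
    return uuid.UUID(normalize_guid(guid)).bytes_le


def ldap_filter_for_product_code(guid):
    """RFC 4515 filter for packageRegistration objects carrying this ProductCode.
    Binary values are escaped one octet at a time as \\HH."""
    escaped = "".join("\\%02x" % b for b in product_code_octets(guid))
    return "(&(objectClass=packageRegistration)(productCode=%s))" % escaped


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    return re.split(r"(?<!\\),", dn)


def _rdn(rdn):
    attr, _, val = rdn.partition("=")
    return attr.strip().upper(), val.strip()


def naive_first_brace_guid(dn):
    """What 'look for { then }' returns: the FIRST braced value in the DN."""
    m = re.search(r"\{[^}]*\}", dn)
    return m.group(0) if m else None


def gpo_container_dn(package_dn):
    """DN of the GPO container that holds this package. The GPO is the
    CN={GUID} whose parent RDN is CN=Policies; the package's own CN is also
    a braced GUID, so position in the DN, not the first brace, decides."""
    rdns = split_dn(package_dn)
    for i in range(len(rdns) - 1):
        attr, val = _rdn(rdns[i])
        pattr, pval = _rdn(rdns[i + 1])
        if attr == "CN" and GUID_RE.match(val) and pattr == "CN" and pval.lower() == "policies":
            return ",".join(rdns[i:])
    raise ValueError("no CN={GUID},CN=Policies in DN")


def gpo_guid_from_package_dn(package_dn):
    """Just the GPO GUID, ready to match against the GPO's name/GUID in GPMC."""
    return _rdn(split_dn(gpo_container_dn(package_dn))[0])[1].upper()


if __name__ == "__main__":
    print("packed :", pack_product_code(SAMPLE_PRODUCT_CODE))
    print("octets :", product_code_octets(SAMPLE_PRODUCT_CODE).hex())
    print("filter :", ldap_filter_for_product_code(SAMPLE_PRODUCT_CODE))
    print("first { :", naive_first_brace_guid(SAMPLE_PACKAGE_DN))
    print("GPO    :", gpo_guid_from_package_dn(SAMPLE_PACKAGE_DN))
```

The naive brace scan and the positional parse disagree on the sample DN, which is the point of carrying both: the packageRegistration object sits four levels below the GPO container, and its own name is a GUID too. The octet-string filter is what the "query the AD for the ProductCode" step needs when the attribute is binary rather than a string, and the packed form is what turns a registry key name back into a ProductCode to feed that query.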


________________________________

        From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] 
On Behalf Of Darren Mar-Elia
        Sent: 02 October 2008 16:29
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: Determining group associated with a GPO
        
        

        If all you know is the product code, you will need to query every 
packageRegistration object in AD to look for that product code, and then from 
there you can derive the GPO name/id.  But I wonder if you really have to do 
that. I seem to remember that somewhere in the registry metadata on the client 
that you can make the link between product code and GPO. You should investigate 
that before going down the path of querying AD. I would check for you if I had 
a machine with a deployed package handy.

         

        Darren

         

        From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] 
On Behalf Of Northwood, Ian
        Sent: Thursday, October 02, 2008 7:51 AM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: Determining group associated with a GPO

         

        Thanks, Darren, you're probably right.

         

        I realise my error now. I actually don't know the GPO name (nor 
therefore its ID). So, to re-phrase my question: 

         

        If I know the ProductCode (in all its forms) what query can I use to 
get the group associated with the GPO containing that ProductCode? I appreciate 
that there may be duplicate records but I can handle that as a separate issue.

         

        Ian

                 

________________________________

                From: gptalk-bounce@xxxxxxxxxxxxx 
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
                Sent: 02 October 2008 15:42
                To: gptalk@xxxxxxxxxxxxx
                Subject: [gptalk] Re: Determining group associated with a GPO

                Ian,

                You probably missed the response we sent to this before you had 
re-subscribed. You can use the GPMC APIs to query the security on a GPO. This 
makes it very easy to get at that info. Let me know if that did not answer your 
question.

                 

                Darren

                 

                 

                From: gptalk-bounce@xxxxxxxxxxxxx 
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
                Sent: Thursday, October 02, 2008 7:34 AM
                To: gptalk@xxxxxxxxxxxxx
                Subject: [gptalk] Determining group associated with a GPO

                 

                Folks,

                 

                As part of a licensing audit, I have been asked to build a 
script to interrogate installed software on machines. Easy enough. However, we 
want to be able to determine which apps were installed per-user by Group Policy 
and whether the user concerned is in the group associated with the package.

                 

                How do I query AD to determine the group associated with the 
GPO, given that I know:

                 

                - all the users who have had software pushed to them having 
logged into the machine (I loop through 
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\[User's
 SIDs]\Installer\Products\[PackedProductCode])

                - the GPO name and its GUID

                - the ProductCode, its packed form and its octet/byte array form

                 

                The idea is that we produce a list of accounts who appear in 
the registry as having had 'Package X' installed but who are not in the 
associated group.

                 

                
                Liverpool Victoria Friendly Society Ltd. Registered in England 
and Wales. Registered Office: County Gates Bournemouth England, BH1 2NF, No.61 
Coll. Financial Services Authority Register number 110035. 
                
                This email (and any attachments):
                
                - is for its intended recipients only and may contain 
confidential and /or legally privileged information. If received in error, any 
use of this email is prohibited. Please delete it (and any copies) and notify 
us on +44(0)1202 292333, ext. 4044. 
                
                - is believed to be free of any virus or other defect but 
internet communications cannot be guaranteed to be secure or error free and we 
do not accept any liability for any loss or damage from their receipt or use. 
                
                Opinions expressed in this email are not necessarily those of 
the Society. 
                LV= and Liverpool Victoria are trade marks of Liverpool 
Victoria Friendly Society Limited and LV= and LV= Liverpool Victoria are 
trading styles of the Liverpool Victoria group of companies.
                LV= reserves the right to monitor and inspect emails sent to 
and by its employees.
                
                To find out more about us please visit: www.lv.com 
<http://www.lv.com/>  
                
______________________________________________________________________
                This email has been scanned by the MessageLabs Email Security 
System.
                For more information please visit 
http://www.messagelabs.com/email 
                
______________________________________________________________________


         



