[gptalk] Re: Determining group associated with a GPO

  • From: "Nelson, Jamie" <Jamie.Nelson@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 8 Oct 2008 10:27:39 -0500

I'll have to dig for it. Kind of busy at the moment but I'll see if I
can find it before the end of the day. :-)

 

Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon
Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
http://www.dvn.com <http://www.dvn.com/> 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Northwood, Ian
Sent: Wednesday, October 08, 2008 10:21 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO

 

Hey, Jamie, that'd be neat, thanks. Could you upload it to Senduit.com
and paste the resulting link into a reply, or is it available for d/l
elsewhere?

 

Ian

         

________________________________

        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie
        Sent: 08 October 2008 16:18
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: Determining group associated with a GPO

        Ian,

         

        You can manually load each registry hive and search it, then
unload it when you're done...I think I actually have a VBScript class I
wrote to do such a thing.

         

        Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel
| Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
http://www.dvn.com <http://www.dvn.com/> 

         

        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
        Sent: Wednesday, October 08, 2008 9:29 AM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: Determining group associated with a GPO

         

        QAD - Quick And Dirty :)

         

        The issue with querying the registry on the target is, as I
mentioned, that it's only exposed for the currently logged-in user, e.g.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\[ProductCode].
We need to find out which packages got pushed onto a machine for all
users, as the client's users do hot-desking. This means that a machine
will get, for example, MS Project delivered to it if an appropriately
permissioned user logs in to that machine. Then, when an audit agent
runs (these things generally do a simple scan for known EXEs), it might
identify 3 times as many installations as the client has licenses for.
It fails to take account of hot-desk installs. This is the entire
purpose of the script - to make sense of this mess!

         

        So, we walk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\[UserSIDs]\Installer\Products\[ProductCodes],
matching it against
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[ProductCodes].
Any which appear in the latter but not the former are assumed to be
local installs (i.e. not pushed by GPO) and flagged as invalid, and
possibly force-uninstalled. The managed stuff's Product Code is queried,
the GPO found, the security-filtered group divined, then the user SID
obtained earlier tested for membership of that group. Anomalies are then
flagged in the report file produced (as we can't easily force-uninstall
GPO-pushed apps in a timely manner).

         

        Easy! LOL

         

        PS

        I've just been told I will probably need to handle a
user/group/machine exception list. Great...I'll save that for v2, I
think...

         

                 

________________________________

                From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
                Sent: 08 October 2008 14:58
                To: gptalk@xxxxxxxxxxxxx
                Subject: [gptalk] Re: Determining group associated with
a GPO

                Ian-

                So, if I follow what you are doing, you are querying AD
for all packageRegistration objects, querying their product codes and
using that as a key to associate package to registry entry on the
clients? Then you are determining what GPO that packageRegistration
object is in by parsing the DN of that object?

                 

                What is your 'QAD script'? Anyway, it sounds like you
have found a solution. There is probably a better solution by using the
registry metadata on the client to determine which GPO a package is part
of and whether the client is getting that GPO, but you seem to have a
way forward, so I won't mess with it :-)

                 

                Darren

                 

                From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
                Sent: Wednesday, October 08, 2008 4:29 AM
                To: gptalk@xxxxxxxxxxxxx
                Subject: [gptalk] Re: Determining group associated with
a GPO

                 

                The registry contains that info for the currently
logged-in user only. Our requirement is for the script to walk the
domain (or a selected OU) and interrogate each machine for its installed
software, including what's been pushed out by GP. For locally installed
software, we'll kick off a remote removal. For GPO-pushed stuff, all we
can do is determine if the user is a member of the group associated with
the GPO. This latter requirement is why we need to find out which group
is filtered on the GPO.

                 

                Anyway, I've arrived at a solution:

                 

                - query the AD for the ProductCode and get the container
name(s), plural because there may be AD orphans containing the code. I'm
researching a method to determine which GPO is the 'live' one.

                - parse that container name for the GPO's container name
(is there a 'method' to get that? I'm just looking for '{' then '}' and
using what's in between!)

                - get the SecurityDescriptor details for the GPO

                - test if the trustee name returned is a group and, if
so, add it to a dictionary

                - loop through the dictionary and test the account's
membership of that group.

                 

                It's a mess at the moment but at least I know I can get
the info I need. Now all I need to do is shoe-horn my QAD script into
the actual script which will do the work.

                         

________________________________

                        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
                        Sent: 02 October 2008 16:29
                        To: gptalk@xxxxxxxxxxxxx
                        Subject: [gptalk] Re: Determining group
associated with a GPO

                        If all you know is the product code, you will
need to query every packageRegistration object in AD to look for that
product code, and then from there you can derive the GPO name/id.  But I
wonder if you really have to do that. I seem to remember that somewhere
in the registry metadata on the client that you can make the link
between product code and GPO. You should investigate that before going
down the path of querying AD. I would check for you if I had a machine
with a deployed package handy.

                         

                        Darren

                         

                        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
                        Sent: Thursday, October 02, 2008 7:51 AM
                        To: gptalk@xxxxxxxxxxxxx
                        Subject: [gptalk] Re: Determining group
associated with a GPO

                         

                        Thanks, Darren, you're probably right.

                         

                        I realise my error now. I actually don't know
the GPO name (nor therefore its ID). So, to re-phrase my question: 

                         

                        If I know the ProductCode (in all its forms)
what query can I use to get the group associated with the GPO containing
that ProductCode? I appreciate that there may be duplicate records but I
can handle that as a separate issue.

                         

                        Ian

                                 

________________________________

                                From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
                                Sent: 02 October 2008 15:42
                                To: gptalk@xxxxxxxxxxxxx
                                Subject: [gptalk] Re: Determining group
associated with a GPO

                                Ian,

                                You probably missed the response we sent
to this before you had re-subscribed. You can use the GPMC APIs to query
the security on a GPO. This makes it very easy to get at that info. Let
me know if that did not answer your question.

                                 

                                Darren

                                 

                                 

                                From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
                                Sent: Thursday, October 02, 2008 7:34 AM
                                To: gptalk@xxxxxxxxxxxxx
                                Subject: [gptalk] Determining group
associated with a GPO

                                 

                                Folks,

                                 

                                As part of a licensing audit, I have
been asked to build a script to interrogate installed software on
machines. Easy enough. However, we want to be able to determine which
apps were installed per-user by Group Policy and whether the user
concerned is in the group associated with the package.

                                 

                                How do I query AD to determine the group
associated with the GPO, given that I know:

                                 

                                - all the users who have had software
pushed to them having logged into the machine (I loop through
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\[User's SIDs]\Installer\Products\[PackedProductCode]')

                                - the GPO name and its GUID

                                - the ProductCode, its packed form and
its octet/byte array form

                                 

                                The idea is that we produce a list of
accounts who appear in the registry as having had 'Package X' installed
but who are not in the associated group.

                                 

                                
                                Liverpool Victoria Friendly Society Ltd.
Registered in England and Wales. Registered Office: County Gates
Bournemouth England, BH1 2NF, No.61 Coll. Financial Services Authority
Register number 110035. 
                                
                                This email (and any attachments):
                                
                                - is for its intended recipients only
and may contain confidential and /or legally privileged information. If
received in error, any use of this email is prohibited. Please delete it
(and any copies) and notify us on +44(0)1202 292333, ext. 4044. 
                                
                                - is believed to be free of any virus or
other defect but internet communications cannot be guaranteed to be
secure or error free and we do not accept any liability for any loss or
damage from their receipt or use. 
                                
                                Opinions expressed in this email are not
necessarily those of the Society. 
                                LV= and Liverpool Victoria are trade
marks of Liverpool Victoria Friendly Society Limited and LV= and LV=
Liverpool Victoria are trading styles of the Liverpool Victoria group of
companies.
                                LV= reserves the right to monitor and
inspect emails sent to and by its employees.
                                
                                To find out more about us please visit:
www.lv.com <http://www.lv.com/>  
        
______________________________________________________________________
                                This email has been scanned by the
MessageLabs Email Security System.
                                For more information please visit
http://www.messagelabs.com/email 
        
______________________________________________________________________

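The three ProductCode forms named in the original question (braced GUID, the packed form used as the registry key name, and the 16-byte octet form) and the Managed-versus-Uninstall comparison Ian describes in his 9:29 reply, as an added Python example. This is not code from the thread or from any of its posters; the registry key names are constructed samples and every GUID and SID in them is made up. It assumes the octet form is the standard mixed-endian binary GUID layout (what uuid's bytes_le produces).

```python
import re
import uuid

GUID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
    r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$"
)
# Key layouts as given in the thread: per-user managed products, and the machine Uninstall list.
MANAGED_RE = re.compile(
    r"\\Installer\\Managed\\(S-1-[0-9-]+)\\Installer\\Products\\([0-9A-Fa-f]{32})$", re.I
)
UNINSTALL_RE = re.compile(r"\\Uninstall\\(\{[0-9A-Fa-f-]{36}\})$", re.I)


def _swap_pairs(hexdigits):
    """Reverse the two digits inside each byte: 'A90001' -> '9A0010'."""
    return "".join(hexdigits[i + 1] + hexdigits[i] for i in range(0, len(hexdigits), 2))


def pack_product_code(product_code):
    """'{AC76...}' -> the 32-digit packed name Windows Installer uses under Products:
    the first three GUID groups are reversed whole, the last two byte by byte."""
    m = GUID_RE.match(product_code.strip())
    if not m:
        raise ValueError("not a ProductCode GUID: %r" % product_code)
    g1, g2, g3, g4, g5 = m.groups()
    return (g1[::-1] + g2[::-1] + g3[::-1] + _swap_pairs(g4) + _swap_pairs(g5)).upper()


def unpack_product_code(packed):
    """Inverse of pack_product_code; returns the braced, upper-case GUID."""
    p = packed.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", p):
        raise ValueError("not a packed ProductCode: %r" % packed)
    return "{%s-%s-%s-%s-%s}" % (
        p[0:8][::-1], p[8:12][::-1], p[12:16][::-1],
        _swap_pairs(p[16:20]), _swap_pairs(p[20:32]),
    )


def product_code_to_bytes(product_code):
    """16-byte (octet string) form; assumed to be the standard mixed-endian GUID layout."""
    return uuid.UUID(product_code.strip().strip("{}")).bytes_le


def bytes_to_product_code(raw):
    return "{%s}" % str(uuid.UUID(bytes_le=bytes(raw))).upper()


def parse_managed_keys(keys):
    """(user SID, ProductCode) for each per-user managed product key name."""
    found = []
    for key in keys:
        m = MANAGED_RE.search(key)
        if m:
            found.append((m.group(1), unpack_product_code(m.group(2))))
    return found


def classify_installs(managed_keys, uninstall_keys):
    """GPO-managed products (with the SIDs that received them) versus local installs:
    a ProductCode present under Uninstall but under no user's Managed hive is local."""
    managed = {}
    for sid, code in parse_managed_keys(managed_keys):
        managed.setdefault(code, []).append(sid)
    local = []
    for key in uninstall_keys:
        m = UNINSTALL_RE.search(key)
        if not m:
            continue  # non-MSI Uninstall entries carry no ProductCode; not classified here
        code = m.group(1).upper()
        if code not in managed:
            local.append(code)
    return {"managed": managed, "local": local}


# Constructed sample of what a walk of the two trees on one hot-desk machine might return.
SAMPLE_MANAGED_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed"
    r"\S-1-5-21-1000-2000-3000-1104\Installer\Products\87654321CBA90FED21436587A9CBED0F",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed"
    r"\S-1-5-21-1000-2000-3000-1187\Installer\Products\87654321CBA90FED21436587A9CBED0F",
]
SAMPLE_UNINSTALL_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12345678-9ABC-DEF0-1234-56789ABCDEF0}",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0F0E0D0C-0B0A-0908-0706-050403020100}",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook",
]

if __name__ == "__main__":
    result = classify_installs(SAMPLE_MANAGED_KEYS, SAMPLE_UNINSTALL_KEYS)
    for code, sids in result["managed"].items():
        print("managed", code, pack_product_code(code), product_code_to_bytes(code).hex(), sids)
    print("local", result["local"])
```

A useful sanity check when a key name looks wrong: the packed form is exactly the hex of the 16-byte form with the two digits of every byte swapped, so the two conversions must agree. Uninstall entries that are not GUID-named (AddressBook in the sample) have no MSI ProductCode and are skipped rather than reported as local installs; list them separately if the audit needs them.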

                         

                        

                 

                
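Ian's five steps above (find the packageRegistration objects carrying the ProductCode, take the GPO container from the DN, read the GPO's security descriptor, keep the group trustees, test the user's membership), carried through as an added Python example that is not from this thread. The directory search results, GPO ACLs and group memberships are constructed samples, and every product, GPO, package GUID and SID is made up. It assumes the Class Store layout CN=<package>,CN=Packages,CN=Class Store,CN=User,CN={GPO GUID},CN=Policies,CN=System,..., and that the package object's own CN is also a braced GUID, which is why the GPO GUID is taken from the RDN directly beneath CN=Policies rather than from the first brace pair in the string; the ACL is modelled as (trustee, trustee type, right, access) tuples with the right named ApplyGroupPolicy. Which of several registering GPOs is the live one is left to the caller, as Ian says he is still researching that.

```python
import uuid

# Constructed sample data standing in for the three things the real script queries live:
# packageRegistration objects under CN=Policies, each GPO's ACL, and the directory.
GPO_LIVE = "{A1B2C3D4-0000-4000-8000-000000000001}"
GPO_ORPHAN = "{A1B2C3D4-0000-4000-8000-000000000002}"
PRODUCT = "{12345678-9ABC-DEF0-1234-56789ABCDEF0}"
OTHER_PRODUCT = "{0F0E0D0C-0B0A-0908-0706-050403020100}"
CLASS_STORE = "CN=Packages,CN=Class Store,CN=User,"
SUFFIX = ",CN=Policies,CN=System,DC=example,DC=com"

PACKAGE_REGISTRATIONS = [  # the package object's own CN is itself a braced GUID (assumption)
    {"dn": "CN={0C0C0C0C-1111-4222-8333-444444444401}," + CLASS_STORE + "CN=" + GPO_LIVE + SUFFIX,
     "productCode": uuid.UUID(PRODUCT.strip("{}")).bytes_le},
    {"dn": "CN={0C0C0C0C-1111-4222-8333-444444444402}," + CLASS_STORE + "CN=" + GPO_ORPHAN + SUFFIX,
     "productCode": uuid.UUID(PRODUCT.strip("{}")).bytes_le},
    {"dn": "CN={0C0C0C0C-1111-4222-8333-444444444403}," + CLASS_STORE + "CN=" + GPO_LIVE + SUFFIX,
     "productCode": uuid.UUID(OTHER_PRODUCT.strip("{}")).bytes_le},
]
# (trustee, trustee type, right, access) per GPO; the orphan's GPO has no ACL to read.
GPO_ACLS = {
    GPO_LIVE: [
        ("Authenticated Users", "group", "Read", "Allow"),
        ("GG-MSProject-Users", "group", "ApplyGroupPolicy", "Allow"),
        ("GG-Contractors", "group", "ApplyGroupPolicy", "Allow"),
        ("GG-Contractors", "group", "ApplyGroupPolicy", "Deny"),
        ("svc-audit", "user", "ApplyGroupPolicy", "Allow"),
    ],
}
DIRECTORY = {  # SID -> (sAMAccountName, group memberships)
    "S-1-5-21-1000-2000-3000-1104": ("alice", ["Domain Users", "GG-MSProject-Users"]),
    "S-1-5-21-1000-2000-3000-1187": ("bob", ["Domain Users", "GG-Contractors"]),
}
MANAGED_SIDS = list(DIRECTORY)  # SIDs seen under Installer\Managed with PRODUCT on a machine


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def gpo_guid_from_dn(dn):
    """Braced GUID of the RDN directly beneath CN=Policies, i.e. the GPO container,
    not the first {...} in the string (which would be the package's own CN)."""
    rdns = split_rdns(dn)
    for i in range(1, len(rdns)):
        if rdns[i].lower() == "cn=policies":
            candidate = rdns[i - 1]
            if candidate[:4].lower() == "cn={" and candidate.endswith("}"):
                return candidate[3:].upper()
    raise ValueError("no GPO container in DN: %r" % dn)


def find_package_gpos(registrations, product_code):
    """Every GPO whose class store registers this ProductCode (orphans included)."""
    want = uuid.UUID(product_code.strip("{}")).bytes_le
    return sorted({gpo_guid_from_dn(r["dn"]) for r in registrations if r["productCode"] == want})


def security_filter_groups(aces):
    """Group trustees allowed Apply Group Policy, minus any carrying an explicit deny."""
    allowed = {t for t, kind, right, access in aces
               if kind == "group" and right == "ApplyGroupPolicy" and access == "Allow"}
    denied = {t for t, kind, right, access in aces
              if right == "ApplyGroupPolicy" and access == "Deny"}
    return allowed - denied


def audit(product_code, registrations, gpo_acls, managed_sids, directory):
    """Flag each SID that received the package but is in none of the filtering groups."""
    gpos = find_package_gpos(registrations, product_code)
    anomalies = []
    for sid in managed_sids:
        name, groups = directory.get(sid, (sid, []))
        entitled = any(security_filter_groups(gpo_acls.get(g, [])) & set(groups) for g in gpos)
        if not entitled:
            anomalies.append({"sid": sid, "user": name, "product": product_code, "gpos": gpos})
    return {"gpos": gpos, "anomalies": anomalies}


if __name__ == "__main__":
    result = audit(PRODUCT, PACKAGE_REGISTRATIONS, GPO_ACLS, MANAGED_SIDS, DIRECTORY)
    print("GPOs registering the package:", result["gpos"])
    for a in result["anomalies"]:
        print("ANOMALY", a["user"], a["sid"], "has", a["product"], "but is in no filtered group")
```

In production the registrations come from an LDAP search such as (&(objectClass=packageRegistration)(productCode=\78\56\34\12...)) scoped to CN=Policies,CN=System,<domain>, with the 16 bytes escaped as \xx pairs, and the ACL from the GPMC API Darren refers to (on later systems, Get-GPPermission -Guid <gpo> -All from the GroupPolicy module). A user trustee holding Apply Group Policy (svc-audit in the sample) is deliberately ignored, matching Ian's "test if the trustee is a group" step; extend security_filter_groups if per-user filtering is in use.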

         

        

        
________________________________


        Confidentiality Warning: This message and any attachments are
intended only for the use of the intended recipient(s), are
confidential, and may be privileged. If you are not the intended
recipient, you are hereby notified that any review, retransmission,
conversion to hard copy, copying, circulation or other use of all or any
portion of this message and any attachments is strictly prohibited. If
you are not the intended recipient, please notify the sender immediately
by return e-mail, and delete this message and any attachments from your
system. 


 



Other related posts: