[gptalk] Re: Determining group associated with a GPO

  • From: "Northwood, Ian" <Ian.Northwood@xxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 9 Oct 2008 08:08:01 +0100

Darren,
 
You mean RSOPing out to a text file then parsing that? Those reports take F O R 
E V E R to be produced! And doing it user by user would take even longer, I 
think. I'm happy with what I have now: it's just that the multiple hoops I've 
had to jump through to get there seem so unnecessary for what, on the face of 
it, is a pretty simple requirement! I still can't quite believe there's no easy 
method to say "here's a GPO, what groups are filtered on it?"
 
Ian


________________________________

        From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] 
On Behalf Of Darren Mar-Elia
        Sent: 08 October 2008 16:38
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: Determining group associated with a GPO
        
        

        Ian -

        How about using RSOP to determine which apps have been deployed to a 
given user or computer? RSOP does not need the user to be logged on.

         

        Darren

         

        From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] 
On Behalf Of Nelson, Jamie
        Sent: Wednesday, October 08, 2008 8:28 AM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: Determining group associated with a GPO

         

        I'll have to dig for it. Kind of busy at the moment but I'll see if I 
can find it before the end of the day. :)

         

        Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | 
Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 | 
http://www.dvn.com

         

        From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] 
On Behalf Of Northwood, Ian
        Sent: Wednesday, October 08, 2008 10:21 AM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: Determining group associated with a GPO

         

        Hey, Jamie, that'd be neat, thanks. Could you upload it to Senduit.com 
and paste the resulting link into a reply, or is it available for d/l elsewhere?

         

        Ian

                 

________________________________

                From: gptalk-bounce@xxxxxxxxxxxxx 
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie
                Sent: 08 October 2008 16:18
                To: gptalk@xxxxxxxxxxxxx
                Subject: [gptalk] Re: Determining group associated with a GPO

                Ian,

                 

                You can manually load each registry hive and search it, then 
unload it when you're done...I think I actually have a VBScript class I wrote 
to do such a thing.

                 

                Jamie Nelson | Operations Consultant | BI&T 
Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 
405.200.8088 | http://www.dvn.com

                 

                From: gptalk-bounce@xxxxxxxxxxxxx 
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
                Sent: Wednesday, October 08, 2008 9:29 AM
                To: gptalk@xxxxxxxxxxxxx
                Subject: [gptalk] Re: Determining group associated with a GPO

                 

                QAD - Quick And Dirty :)

                 

                The issue with querying the registry on the target is, as I 
mentioned, that it's only exposed for the currently logged-in user, e.g. 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group 
Policy\AppMgmt\[ProductCode]. We need to find out which packages got pushed 
onto a machine for all users, as the client's users do hot-desking. This means 
that a machine will get, for example, MS Project delivered to it if an 
appropriately permissioned user logs in to that machine. Then, when an audit 
agent runs (these things generally do a simple scan for known EXEs), it might 
identify 3 times as many installations as the client has licenses for. It fails 
to take account of hot-desk installs. This is the entire purpose of the script 
- to make sense of this mess!

                 

                So, we walk 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\[UserSIDs]\Installer\Products\[ProductCodes],
 matching it against 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[ProductCodes]. Any 
which appear in the latter but not the former are assumed to be local installs 
(i.e. not pushed by GPO) and flagged as invalid, and possibly 
force-uninstalled. The managed stuff's Product Code is queried, the GPO found, 
the security-filtered group divined, then the user SID obtained earlier tested 
for membership of that group. Anomalies are then flagged in the report file 
produced (as we can't easily force-uninstall GPO-pushed apps in a timely manner).

                 

                Easy! LOL

                 

                PS

                I've just been told I will probably need to handle a 
user/group/machine exception list. Great...I'll save that for v2, I think...

                 

                         

________________________________

                        From: gptalk-bounce@xxxxxxxxxxxxx 
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
                        Sent: 08 October 2008 14:58
                        To: gptalk@xxxxxxxxxxxxx
                        Subject: [gptalk] Re: Determining group associated with 
a GPO

                        Ian-

                        So, if I follow what you are doing, you are querying AD 
for all packageRegistration objects, querying their product codes and using 
that as a key to associate package to registry entry on the clients? Then you 
are determining what GPO that packageRegistration object is in by parsing the 
DN of that object? 

                         

                        What is your 'QAD script'? Anyway, it sounds like you 
have found a solution. There is probably a better solution by using the 
registry metadata on the client to determine which GPO a package is part of and 
whether the client is getting that GPO, but you seem to have a way forward, so 
I won't mess with it :)

                         

                        Darren

                         

                        From: gptalk-bounce@xxxxxxxxxxxxx 
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
                        Sent: Wednesday, October 08, 2008 4:29 AM
                        To: gptalk@xxxxxxxxxxxxx
                        Subject: [gptalk] Re: Determining group associated with 
a GPO

                         

                        The registry contains that info for the currently 
logged-in user only. Our requirement is for the script to walk the domain (or a 
selected OU) and interrogate each machine for its installed software, including 
what's been pushed out by GP. For locally installed software, we'll kick off a 
remote removal. For GPO-pushed stuff, all we can do is determine if user is a 
member of the group associated with the GPO. This latter requirement is why we 
need to find out which group is filtered on the GPO.

                         

                        Anyway, I've arrived at a solution:

                         

                        - query the AD for the ProductCode and get the 
container name(s), plural because there may be AD orphans containing the code. 
I'm researching a method to determine which GPO is the 'live' one.

                        - parse that container name for the GPO's container 
name (is there a 'method' to get that? I'm just looking for '{' then '}' and 
using what's in between!)

                        - get the SecurityDescriptor details for the GPO

                        - test if the trustee name returned is a group and, if 
so, add it to a dictionary

                        - loop through the dictionary and test the account's 
membership of that group.

                         

                        It's a mess at the moment but at least I know I can get 
the info I need. Now all I need to do is shoe-horn my QAD script into the 
actual script which will do the work.

                                 

________________________________

                                From: gptalk-bounce@xxxxxxxxxxxxx 
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
                                Sent: 02 October 2008 16:29
                                To: gptalk@xxxxxxxxxxxxx
                                Subject: [gptalk] Re: Determining group 
associated with a GPO

                                If all you know is the product code, you will 
need to query every packageRegistration object in AD to look for that product 
code, and then from there you can derive the GPO name/id.  But I wonder if you 
really have to do that. I seem to remember that somewhere in the registry 
metadata on the client that you can make the link between product code and GPO. 
You should investigate that before going down the path of querying AD. I would 
check for you if I had a machine with a deployed package handy.

                                 

                                Darren

                                 

                                From: gptalk-bounce@xxxxxxxxxxxxx 
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
                                Sent: Thursday, October 02, 2008 7:51 AM
                                To: gptalk@xxxxxxxxxxxxx
                                Subject: [gptalk] Re: Determining group 
associated with a GPO

                                 

                                Thanks, Darren, you're probably right.

                                 

                                I realise my error now. I actually don't know 
the GPO name (nor therefore its ID). So, to re-phrase my question: 

                                 

                                If I know the ProductCode (in all its forms) 
what query can I use to get the group associated with the GPO containing that 
ProductCode? I appreciate that there may be duplicate records but I can handle 
that as a separate issue.

                                 

                                Ian

                                         

________________________________

                                        From: gptalk-bounce@xxxxxxxxxxxxx 
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
                                        Sent: 02 October 2008 15:42
                                        To: gptalk@xxxxxxxxxxxxx
                                        Subject: [gptalk] Re: Determining group 
associated with a GPO

                                        Ian,

                                        You probably missed the response we 
sent to this before you had re-subscribed. You can use the GPMC APIs to query 
the security on a GPO. This makes it very easy to get at that info. Let me know 
if that did not answer your question.

                                         

                                        Darren

                                         

                                         

                                        From: gptalk-bounce@xxxxxxxxxxxxx 
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
                                        Sent: Thursday, October 02, 2008 7:34 AM
                                        To: gptalk@xxxxxxxxxxxxx
                                        Subject: [gptalk] Determining group 
associated with a GPO

                                         

                                        Folks,

                                         

                                        As part of a licensing audit, I have 
been asked to build a script to interrogate installed software on machines. 
Easy enough. However, we want to be able to determine which apps were installed 
per-user by Group Policy and whether the user concerned is in the group 
associated with the package.

                                         

                                        How do I query AD to determine the 
group associated with the GPO, given that I know:

                                         

                                        - all the users who have had software 
pushed to them having logged into the machine (I loop through 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\[User's SIDs]\Installer\Products\[PackedProductCode])

                                        - the GPO name and its GUID

                                        - the ProductCode, its packed form and 
its octet/byte array form

                                         

                                        The idea is that we produce a list of 
accounts who appear in the registry as having had 'Package X' installed but who 
are not in the associated group.

                                         

                                        
                                        Liverpool Victoria Friendly Society 
Ltd. Registered in England and Wales. Registered Office: County Gates 
Bournemouth England, BH1 2NF, No.61 Coll. Financial Services Authority Register 
number 110035. 
                                        
                                        This email (and any attachments):
                                        
                                        - is for its intended recipients only 
and may contain confidential and /or legally privileged information. If 
received in error, any use of this email is prohibited. Please delete it (and 
any copies) and notify us on +44(0)1202 292333, ext. 4044. 
                                        
                                        - is believed to be free of any virus 
or other defect but internet communications cannot be guaranteed to be secure 
or error free and we do not accept any liability for any loss or damage from 
their receipt or use. 
                                        
                                        Opinions expressed in this email are 
not necessarily those of the Society. 
                                        LV= and Liverpool Victoria are trade 
marks of Liverpool Victoria Friendly Society Limited and LV= and LV= Liverpool 
Victoria are trading styles of the Liverpool Victoria group of companies.
                                        LV= reserves the right to monitor and 
inspect emails sent to and by its employees.
                                        
                                        To find out more about us please visit: 
www.lv.com <http://www.lv.com/>  
                                        
______________________________________________________________________
                                        This email has been scanned by the 
MessageLabs Email Security System.
                                        For more information please visit 
http://www.messagelabs.com/email 
                                        
______________________________________________________________________

                                        
                                        

                                 

                                

                         

                        

                 

                

                
________________________________


                Confidentiality Warning: This message and any attachments are 
intended only for the use of the intended recipient(s), are confidential, and 
may be privileged. If you are not the intended recipient, you are hereby 
notified that any review, retransmission, conversion to hard copy, copying, 
circulation or other use of all or any portion of this message and any 
attachments is strictly prohibited. If you are not the intended recipient, 
please notify the sender immediately by return e-mail, and delete this message 
and any attachments from your system. 

                
                

         

        
        


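The three ProductCode forms and the DN-parsing step that the thread keeps returning to, worked through in Python as an added example. This is not code posted by any participant and not a GPMC or AD API; it runs offline on constructed sample data (the packageRegistration DNs, GPO GUIDs, user SID and registry key lists below are made up), and it leaves to the reader the live LDAP search, the remote-registry reads, and the security-descriptor check for which trustees hold Apply Group Policy. The one real value in it is an Office 2010 ProductCode, used so the packed form can be checked against a well-known key name under Installer\Products.

```python
"""Product-code plumbing for the GPO-deployed-software audit discussed in the
thread. Added example, not code posted by any participant: it runs offline on
constructed sample data and leaves the live AD and registry calls to the reader."""
import re
import uuid
from typing import Dict, List, Optional, Sequence, Tuple

# 1. The three forms of a Windows Installer ProductCode the thread mentions:
#    {GUID}  -> key name under HKLM\...\Uninstall
#    packed  -> key name under HKLM\...\Installer\Managed\<SID>\Installer\Products
#    bytes   -> the productCode octet string on an AD packageRegistration object
_HEX32 = re.compile(r"[0-9A-F]{32}")
_GUID = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def pack_product_code(product_code: str) -> str:
    """{GUID} -> 32-hex packed key name: the first three dash-separated groups
    are reversed whole, the remaining 16 hex digits are swapped pairwise."""
    h = product_code.strip("{}").replace("-", "").upper()
    if not _HEX32.fullmatch(h):
        raise ValueError(f"not a GUID: {product_code!r}")
    tail = "".join(h[i + 1] + h[i] for i in range(16, 32, 2))
    return h[:8][::-1] + h[8:12][::-1] + h[12:16][::-1] + tail


def unpack_product_code(packed: str) -> str:
    """Inverse of pack_product_code (reversal and pair-swap are self-inverse)."""
    p = packed.upper()
    if not _HEX32.fullmatch(p):
        raise ValueError(f"not a packed GUID: {packed!r}")
    tail = "".join(p[i + 1] + p[i] for i in range(16, 32, 2))
    return "{%s-%s-%s-%s-%s}" % (p[:8][::-1], p[8:12][::-1], p[12:16][::-1],
                                 tail[:4], tail[4:])


def product_code_bytes(product_code: str) -> bytes:
    """16 raw bytes in Windows GUID layout (Data1..Data3 little-endian)."""
    return uuid.UUID(product_code.strip("{}")).bytes_le


def package_filter(product_code: str) -> str:
    """LDAP filter for the packageRegistration objects carrying this code;
    the octet string is escaped per RFC 4515 (\\xx per byte)."""
    escaped = "".join(f"\\{b:02x}" for b in product_code_bytes(product_code))
    return f"(&(objectClass=packageRegistration)(productCode={escaped}))"


# 2. From a packageRegistration DN to the owning GPO. Packages sit in the GPO's
#    class store:
#    CN=<pkg>,CN=Packages,CN=Class Store,CN=<User|Machine>,CN={GPO-GUID},CN=Policies,CN=System,DC=...
#    Anchoring on ",CN=Policies,CN=System" is safer than taking the first
#    "{...}" in the string, since the package's own CN may contain braces too.
_GPO_IN_DN = re.compile(r",CN=(\{[0-9A-F-]{36}\}),CN=Policies,CN=System,", re.I)


def gpo_guid_from_package_dn(dn: str) -> Optional[str]:
    m = _GPO_IN_DN.search(dn)
    return m.group(1).upper() if m else None


def gpos_holding_product(product_code: str,
                         packages: Sequence[Tuple[str, bytes]]) -> List[str]:
    """GPO GUIDs whose class store carries a package with this ProductCode.
    More than one hit is the duplicate/orphan case the caller must arbitrate."""
    wanted = product_code_bytes(product_code)
    hits: List[str] = []
    for dn, code in packages:
        guid = gpo_guid_from_package_dn(dn) if code == wanted else None
        if guid and guid not in hits:
            hits.append(guid)
    return hits


# 3. Registry side, as the thread describes it: anything under Uninstall that
#    no Managed\<SID> entry accounts for is treated as a local (non-GPO) install.
def classify_installs(managed: Dict[str, Sequence[str]], uninstall: Sequence[str]):
    """managed:   SID -> packed codes found under Installer\\Managed\\<SID>\\...\\Products
    uninstall: key names found under ...\\Uninstall (non-GUID keys are ignored)
    Returns ({GUID} -> [SIDs it was assigned to], [local-install {GUID}s])."""
    gpo_installs: Dict[str, List[str]] = {}
    for sid, packed_codes in managed.items():
        for packed in packed_codes:
            gpo_installs.setdefault(unpack_product_code(packed), []).append(sid)
    local = sorted(k.upper() for k in uninstall
                   if _GUID.fullmatch(k) and k.upper() not in gpo_installs)
    return gpo_installs, local


# Constructed sample data (not real directory or registry content). OFFICE is
# the well-known Office 2010 Professional Plus ProductCode, chosen because its
# packed form is widely documented; every GUID, SID and DN below is invented.
OFFICE = "{90140000-0011-0000-0000-0000000FF1CE}"
OTHER = "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"
_CS = "CN=Packages,CN=Class Store,CN=%s,CN=%s,CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_PACKAGES = [
    ("CN=Office," + _CS % ("User", "{11111111-2222-3333-4444-555555555555}"), product_code_bytes(OFFICE)),
    ("CN=Office (old)," + _CS % ("User", "{66666666-7777-8888-9999-000000000000}"), product_code_bytes(OFFICE)),
    ("CN=Other," + _CS % ("Machine", "{11111111-2222-3333-4444-555555555555}"), product_code_bytes(OTHER)),
]
SAMPLE_MANAGED = {"S-1-5-21-1-2-3-1001": [pack_product_code(OFFICE)]}
SAMPLE_UNINSTALL = [OFFICE, OTHER, "Notepad++"]

if __name__ == "__main__":
    print(pack_product_code(OFFICE), package_filter(OFFICE))
    print(gpos_holding_product(OFFICE, SAMPLE_PACKAGES))
    print(classify_installs(SAMPLE_MANAGED, SAMPLE_UNINSTALL))
```

The filter string is what you would hand to an LDAP search rooted at CN=Policies,CN=System,<domain DN>; each hit's distinguishedName goes through gpo_guid_from_package_dn, and a result list longer than one is the orphan case Ian mentions. Matching on the trailing ",CN=Policies,CN=System" rather than the first "{...}" in the DN avoids picking up a package CN that happens to be a GUID itself. The security-filter step that follows is a read of that GPO's ACL for trustees granted both Read and Apply Group Policy, which is the information the GPMC API Darren refers to exposes; it is not implemented here.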
