[gptalk] Re: Determining group associated with a GPO

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 2 Oct 2008 08:29:20 -0700

If all you know is the product code, you will need to query every
packageRegistration object in AD to look for that product code, and then
from there you can derive the GPO name/id.  But I wonder if you really have
to do that. I seem to remember that somewhere in the registry metadata on
the client that you can make the link between product code and GPO. You
should investigate that before going down the path of querying AD. I would
check for you if I had a machine with a deployed package handy.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Northwood, Ian
Sent: Thursday, October 02, 2008 7:51 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO

 

Thanks, Darren, you're probably right.

 

I realise my error now. I actually don't know the GPO name (nor therefore
its ID). So, to re-phrase my question: 

 

If I know the ProductCode (in all its forms) what query can I use to get the
group associated with the GPO containing that ProductCode? I appreciate that
there may be duplicate records but I can handle that as a separate issue.

 

Ian

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: 02 October 2008 15:42
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO

Ian,

You probably missed the response we sent to this before you had
re-subscribed. You can use the GPMC APIs to query the security on a GPO.
This makes it very easy to get at that info. Let me know if that did not
answer your question.

 

Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Northwood, Ian
Sent: Thursday, October 02, 2008 7:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Determining group associated with a GPO

 

Folks,

 

As part of a licensing audit, I have been asked to build a script to
interrogate installed software on machines. Easy enough. However, we want to
be able to determine which apps were installed per-user by Group Policy and
whether the user concerned is in the group associated with the package.

 

How do I query AD to determine the group associated with the GPO, given that
I know:

 

- all the users who have had software pushed to them having logged into the
machine (I loop through
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Mana
ged\[User's SIDs]\Installer\Products\[PackedProductCode])

- the GPO name and its GUID

- the ProductCode, its packed form and its octet/byte array form

 

The idea is that we produce a list of accounts who appear in the registry as
having had 'Package X' installed but who are not in the associated group.

 


Liverpool Victoria Friendly Society Ltd. Registered in England and Wales.
Registered Office: County Gates Bournemouth England, BH1 2NF, No.61 Coll.
Financial Services Authority Register number 110035. 

This email (and any attachments):

- is for its intended recipients only and may contain confidential and /or
legally privileged information. If received in error, any use of this email
is prohibited. Please delete it (and any copies) and notify us on +44(0)1202
292333, ext. 4044. 

- is believed to be free of any virus or other defect but internet
communications cannot be guaranteed to be secure or error free and we do not
accept any liability for any loss or damage from their receipt or use. 

Opinions expressed in this email are not necessarily those of the Society. 
LV= and Liverpool Victoria are trade marks of Liverpool Victoria Friendly
Society Limited and LV= and LV= Liverpool Victoria are trading styles of the
Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails sent to and by its
employees.

To find out more about us please visit: www.lv.com <http://www.lv.com/>  
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

 


Liverpool Victoria Friendly Society Ltd. Registered in England and Wales.
Registered Office: County Gates Bournemouth England, BH1 2NF, No.61 Coll.
Financial Services Authority Register number 110035. 

This email (and any attachments):

- is for its intended recipients only and may contain confidential and /or
legally privileged information. If received in error, any use of this email
is prohibited. Please delete it (and any copies) and notify us on +44(0)1202
292333, ext. 4044. 

- is believed to be free of any virus or other defect but internet
communications cannot be guaranteed to be secure or error free and we do not
accept any liability for any loss or damage from their receipt or use. 

Opinions expressed in this email are not necessarily those of the Society. 
LV= and Liverpool Victoria are trade marks of Liverpool Victoria Friendly
Society Limited and LV= and LV= Liverpool Victoria are trading styles of the
Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails sent to and by its
employees.

To find out more about us please visit: www.lv.com <http://www.lv.com/>  
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

Other related posts: