[gptalk] Re: Determining group associated with a GPO

  • From: "Nelson, Jamie" <Jamie.Nelson@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 8 Oct 2008 10:18:00 -0500

Ian,

 

You can manually load each registry hive and search it, then unload it
when you're done...I think I actually have a VBScript class I wrote to
do such a thing.

 

Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon
Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
http://www.dvn.com

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Northwood, Ian
Sent: Wednesday, October 08, 2008 9:29 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO

 

QAD - Quick And Dirty :)

 

The issue with querying the registry on the target is, as I mentioned,
that it's only exposed for the currently logged-in user, e.g.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group
Policy\AppMgmt\[ProductCode]. We need to find out which packages got
pushed onto a machine for all users, as the client's users do
hot-desking. This means that a machine will get, for example, MS Project
delivered to it if an appropriately permissioned user logs in to that
machine. Then, when an audit agent runs (these things generally do a
simple scan for known EXEs), it might identify 3 times as many
installations as the client has licenses for. It fails to take account
of hot-desk installs. This is the entire purpose of the script - to make
sense of this mess!

 

So, we walk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\[UserSIDs]\Installer\Products\[ProductCodes],
matching it against
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[ProductCodes].
Any which appear in the latter but not the former are assumed to be
local installs (i.e. not pushed by GPO) and flagged as invalid, and
possibly force-uninstalled. The managed stuff's Product Code is queried,
the GPO found, the security-filtered group divined, then the user SID
obtained earlier tested for membership of that group. Anomalies are then
flagged in the report file produced (as we can't easily force-uninstall
GPO-pushed apps in a timely manner).

 

Easy! LOL

 

PS

I've just been told I will probably need to handle a user/group/machine
exception list. Great...I'll save that for v2, I think...

 

         

________________________________

        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
        Sent: 08 October 2008 14:58
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: Determining group associated with a GPO

        Ian-

        So, if I follow what you are doing, you are querying AD for all
packageRegistration objects, querying their product codes and using that
as a key to associate package to registry entry on the clients? Then you
are determining what GPO that packageRegistration object is in by
parsing the DN of that object?

         

        What is your 'QAD script'? Anyway, it sounds like you have found
a solution. There is probably a better solution by using the registry
metadata on the client to determine which GPO a package is part of and
whether the client is getting that GPO, but you seem to have a way
forward, so I won't mess with it :)

         

        Darren

         

        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
        Sent: Wednesday, October 08, 2008 4:29 AM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: Determining group associated with a GPO

         

        The registry contains that info for the currently logged-in user
only. Our requirement is for the script to walk the domain (or a
selected OU) and interrogate each machine for its installed software,
including what's been pushed out by GP. For locally installed software,
we'll kick off a remote removal. For GPO-pushed stuff, all we can do is
determine if the user is a member of the group associated with the GPO. This
latter requirement is why we need to find out which group is filtered on
the GPO.

         

        Anyway, I've arrived at a solution:

         

        - query the AD for the ProductCode and get the container
name(s), plural because there may be AD orphans containing the code. I'm
researching a method to determine which GPO is the 'live' one.

        - parse that container name for the GPO's container name (is
there a 'method' to get that? I'm just looking for '{' then '}' and
using what's in between!)

        - get the SecurityDescriptor details for the GPO

        - test if the trustee name returned is a group and, if so, add
it to a dictionary

        - loop through the dictionary and test the account's membership
of that group.

         

        It's a mess at the moment but at least I know I can get the info
I need. Now all I need to do is shoe-horn my QAD script into the actual
script which will do the work.
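The five steps in the reply above (find the packageRegistration objects for a ProductCode, pull the GPO GUID out of each DN, read the GPO's security descriptor, keep the trustees that are groups, test the user's membership), as an added PowerShell example. This is not code from the thread or from any of its posters. It assumes a domain-joined host with the GPMC installed (the GPMgmt.GPM COM object Darren refers to), a caller allowed to read GPO security, and that the productCode attribute holds the GUID's 16 bytes in .NET's ToByteArray order; every function name here is made up for the example.

```powershell
# Added example, not code from the thread. Requires GPMC (GPMgmt.GPM) and AD read access.

function ConvertTo-LdapEscaped([string]$Value) {
    # Escape the characters RFC 4515 reserves inside LDAP filter values (backslash first)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function ConvertTo-LdapOctetFilter([guid]$Guid) {
    # Assumption: productCode is stored as the 16 GUID bytes, first three fields little-endian,
    # which is what [guid]::ToByteArray() produces; this is the "octet form" the thread mentions
    -join ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ })
}

function Find-PackageRegistration([guid]$ProductCode) {
    $ncName = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$ncName"
    $s.Filter = "(&(objectClass=packageRegistration)(productCode=$(ConvertTo-LdapOctetFilter $ProductCode)))"
    $s.PageSize = 500
    foreach ($r in $s.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        # Package objects live under CN=Packages,CN=Class Store,CN=<User|Machine>,CN={gpo guid},CN=Policies,...
        # so the GPO GUID is simply the brace-delimited RDN in front of CN=Policies
        $inGpo = $dn -match ',CN=(?<scope>User|Machine),CN=(?<gpo>\{[0-9A-Fa-f-]{36}\}),CN=Policies,'
        $name = if ($r.Properties['packagename'].Count) { [string]$r.Properties['packagename'][0] } else { '' }
        [pscustomobject]@{
            PackageName = $name
            Scope       = if ($inGpo) { $Matches.scope } else { 'Orphan' }   # orphans: no GPO container
            GpoGuid     = if ($inGpo) { $Matches.gpo } else { $null }
            DN          = $dn
        }
    }
}

function Get-GpoApplyGroup([string]$GpoGuid, [string]$Domain = $env:USERDNSDOMAIN) {
    $gpm = New-Object -ComObject GPMgmt.GPM
    $k = $gpm.GetConstants()
    $gpo = $gpm.GetDomain($Domain, '', $k.UseAnyDC).GetGPO($GpoGuid)
    foreach ($perm in $gpo.GetSecurityInfo()) {
        # Security filtering is the set of allowed "Apply Group Policy" ACEs; deny ACEs never grant it
        if ($perm.Permission -ne $k.PermGPOApply -or $perm.Denied) { continue }
        $sid = [string]$perm.Trustee.TrusteeSid
        if ($sid -eq 'S-1-5-11') {
            # Authenticated Users is the out-of-box filter: if it is still present, every user qualifies
            [pscustomobject]@{ GpoGuid = $GpoGuid; Group = 'Authenticated Users'; GroupDN = $null; Sid = $sid }
            continue
        }
        # Keep only trustees that resolve to a group object; user trustees are dropped from the report
        $g = (New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=group)(objectSid=$sid))")).FindOne()
        if ($g) {
            [pscustomobject]@{ GpoGuid = $GpoGuid; Group = [string]$perm.Trustee.TrusteeName
                               GroupDN = [string]$g.Properties['distinguishedname'][0]; Sid = $sid }
        }
    }
}

function Test-NestedGroupMember([string]$UserSid, [string]$GroupDN) {
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) follows nested membership, which is what
    # the policy engine honours; the user's primary group is not in memberOf and is not covered here
    $f = "(&(objectSid=$UserSid)(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapEscaped $GroupDN)))"
    $null -ne (New-Object System.DirectoryServices.DirectorySearcher($f)).FindOne()
}

function Get-PackageMembershipReport([guid]$ProductCode, [string[]]$UserSid) {
    foreach ($pkg in Find-PackageRegistration $ProductCode) {
        if (-not $pkg.GpoGuid) { continue }   # orphaned object: nothing to filter on
        foreach ($grp in Get-GpoApplyGroup $pkg.GpoGuid) {
            foreach ($sid in $UserSid) {
                $member = if ($grp.GroupDN) { Test-NestedGroupMember $sid $grp.GroupDN } else { $true }
                [pscustomobject]@{ Package = $pkg.PackageName; GpoGuid = $pkg.GpoGuid
                                   Group = $grp.Group; UserSid = $sid; IsMember = $member }
            }
        }
    }
}

# Usage (placeholder values): the SIDs come from the Managed\<SID> keys on the audited machine
# Get-PackageMembershipReport '{PRODUCT-CODE-GUID}' @('S-1-5-21-...-1001') | Where-Object { -not $_.IsMember }
```

Two things the report deliberately surfaces rather than hides: a package object with no GPO container (the "AD orphans" mentioned above) is skipped instead of being matched to a group, and a GPO whose Apply permission still goes to Authenticated Users is reported as implicit membership for everyone, since in that case security filtering is not restricting the deployment at all.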

                 

________________________________

                From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
                Sent: 02 October 2008 16:29
                To: gptalk@xxxxxxxxxxxxx
                Subject: [gptalk] Re: Determining group associated with
a GPO

                If all you know is the product code, you will need to
query every packageRegistration object in AD to look for that product
code, and then from there you can derive the GPO name/id.  But I wonder
if you really have to do that. I seem to remember that somewhere in the
registry metadata on the client that you can make the link between
product code and GPO. You should investigate that before going down the
path of querying AD. I would check for you if I had a machine with a
deployed package handy.

                 

                Darren

                 

                From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
                Sent: Thursday, October 02, 2008 7:51 AM
                To: gptalk@xxxxxxxxxxxxx
                Subject: [gptalk] Re: Determining group associated with
a GPO

                 

                Thanks, Darren, you're probably right.

                 

                I realise my error now. I actually don't know the GPO
name (nor therefore its ID). So, to re-phrase my question: 

                 

                If I know the ProductCode (in all its forms) what query
can I use to get the group associated with the GPO containing that
ProductCode? I appreciate that there may be duplicate records but I can
handle that as a separate issue.

                 

                Ian

                         

________________________________

                        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
                        Sent: 02 October 2008 15:42
                        To: gptalk@xxxxxxxxxxxxx
                        Subject: [gptalk] Re: Determining group
associated with a GPO

                        Ian,

                        You probably missed the response we sent to this
before you had re-subscribed. You can use the GPMC APIs to query the
security on a GPO. This makes it very easy to get at that info. Let me
know if that did not answer your question.

                         

                        Darren

                         

                         

                        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
                        Sent: Thursday, October 02, 2008 7:34 AM
                        To: gptalk@xxxxxxxxxxxxx
                        Subject: [gptalk] Determining group associated
with a GPO

                         

                        Folks,

                         

                        As part of a licensing audit, I have been asked
to build a script to interrogate installed software on machines. Easy
enough. However, we want to be able to determine which apps were
installed per-user by Group Policy and whether the user concerned is in
the group associated with the package.

                         

                        How do I query AD to determine the group
associated with the GPO, given that I know:

                         

                        - all the users who have had software pushed to
them having logged into the machine (I loop through
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\[User's SIDs]\Installer\Products\[PackedProductCode])

                        - the GPO name and its GUID

                        - the ProductCode, its packed form and its
octet/byte array form

                         

                        The idea is that we produce a list of accounts
who appear in the registry as having had 'Package X' installed but who
are not in the associated group.

                         

                        
                        Liverpool Victoria Friendly Society Ltd.
Registered in England and Wales. Registered Office: County Gates
Bournemouth England, BH1 2NF, No.61 Coll. Financial Services Authority
Register number 110035. 
                        
                        This email (and any attachments):
                        
                        - is for its intended recipients only and may
contain confidential and /or legally privileged information. If received
in error, any use of this email is prohibited. Please delete it (and any
copies) and notify us on +44(0)1202 292333, ext. 4044. 
                        
                        - is believed to be free of any virus or other
defect but internet communications cannot be guaranteed to be secure or
error free and we do not accept any liability for any loss or damage
from their receipt or use. 
                        
                        Opinions expressed in this email are not
necessarily those of the Society. 
                        LV= and Liverpool Victoria are trade marks of
Liverpool Victoria Friendly Society Limited and LV= and LV= Liverpool
Victoria are trading styles of the Liverpool Victoria group of
companies.
                        LV= reserves the right to monitor and inspect
emails sent to and by its employees.
                        
                        To find out more about us please visit:
www.lv.com <http://www.lv.com/>  
        
______________________________________________________________________
                        This email has been scanned by the MessageLabs
Email Security System.
                        For more information please visit
http://www.messagelabs.com/email 
        
______________________________________________________________________
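The registry side of the original post above, and the Managed-versus-Uninstall comparison Ian describes in his later reply, as an added PowerShell example that is not code from the thread or its posters. Windows Installer keys its per-product registry entries by a "packed" form of the ProductCode GUID, so the first two functions convert between the GUID and that packed form; the report then walks Managed\<SID>\Installer\Products for every SID and flags Uninstall entries no managed list accounts for. Assumed: the Remote Registry service is reachable and the caller has administrative rights on the target; the function names and the sample GUID are constructed for this example.

```powershell
# Added example (not from the thread): packed ProductCode conversion plus the Managed/Uninstall walk.

function Get-ReversedText([string]$Text) {
    $chars = $Text.ToCharArray(); [array]::Reverse($chars); -join $chars
}

function Get-PairSwappedText([string]$Text) {
    # "A940" -> "9A04": each two-character pair is reversed in place
    -join (0..($Text.Length / 2 - 1) | ForEach-Object { Get-ReversedText $Text.Substring(2 * $_, 2) })
}

function ConvertFrom-PackedProductCode([string]$Packed) {
    # Packed form: first three GUID fields reversed whole, last two reversed pairwise
    if ($Packed -notmatch '^[0-9A-Fa-f]{32}$') { throw "Not a packed product code: '$Packed'" }
    $fields = @(
        (Get-ReversedText    $Packed.Substring(0, 8))
        (Get-ReversedText    $Packed.Substring(8, 4))
        (Get-ReversedText    $Packed.Substring(12, 4))
        (Get-PairSwappedText $Packed.Substring(16, 4))
        (Get-PairSwappedText $Packed.Substring(20, 12))
    )
    '{' + ($fields -join '-').ToUpper() + '}'
}

function ConvertTo-PackedProductCode([string]$ProductCode) {
    $g = $ProductCode.Trim('{}').ToUpper()
    if ($g -notmatch '^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$') {
        throw "Not a ProductCode GUID: '$ProductCode'"
    }
    $f = $g.Split('-')
    # Reversal and pair-swapping are their own inverses, so packing reuses the same helpers
    (Get-ReversedText $f[0]) + (Get-ReversedText $f[1]) + (Get-ReversedText $f[2]) +
        (Get-PairSwappedText $f[3]) + (Get-PairSwappedText $f[4])
}

# Constructed sample value (not a real product): the round trip must be lossless
$sample = '{12345678-1234-1234-1234-123456789ABC}'
$packed = ConvertTo-PackedProductCode $sample
if ($packed -ne '87654321432143212143214365879ACB') { throw "Packing produced $packed" }
if ((ConvertFrom-PackedProductCode $packed) -ne $sample) { throw 'Round trip failed' }

function Get-ManagedInstallReport([string]$ComputerName = $env:COMPUTERNAME) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $managed = @{}   # ProductCode (GUID form) -> list of user SIDs it was assigned to by GPO
    $managedRoot = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed')
    if ($managedRoot) {
        foreach ($sid in $managedRoot.GetSubKeyNames()) {
            $products = $managedRoot.OpenSubKey("$sid\Installer\Products")
            if (-not $products) { continue }
            foreach ($packedCode in $products.GetSubKeyNames()) {
                $code = ConvertFrom-PackedProductCode $packedCode
                if (-not $managed.ContainsKey($code)) { $managed[$code] = New-Object System.Collections.Generic.List[string] }
                $managed[$code].Add($sid)
            }
        }
    }
    $uninstall = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall')
    foreach ($name in $uninstall.GetSubKeyNames()) {
        # MSI products are keyed by their unpacked ProductCode; non-MSI uninstall entries are skipped
        if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $code = $name.ToUpper()
        [pscustomobject]@{
            ComputerName = $ComputerName
            ProductCode  = $code
            DisplayName  = $uninstall.OpenSubKey($name).GetValue('DisplayName')
            Source       = if ($managed.ContainsKey($code)) { 'GPO-managed' } else { 'Local install' }
            UserSids     = if ($managed.ContainsKey($code)) { $managed[$code] -join ';' } else { '' }
        }
    }
}

# Usage: Get-ManagedInstallReport -ComputerName 'HOSTNAME' | Where-Object Source -eq 'Local install'
```

Two caveats for anyone running this against a real estate: on 64-bit Windows the 32-bit MSI entries sit under SOFTWARE\WOW6432Node\...\Uninstall, which this walk does not include, and per-user (HKCU) MSI installs never appear under HKLM\...\Uninstall at all, so "Local install" here means "per-machine and not assigned to any user by GPO". The SIDs in the UserSids column are exactly the inputs the group-membership check needs.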

                        
        

                 

                

         

        

 




Confidentiality Warning: This message and any attachments are intended only for 
the use of the intended recipient(s), are confidential, and may be privileged. 
If you are not the intended recipient, you are hereby notified that any review, 
retransmission, conversion to hard copy, copying, circulation or other use of 
all or any portion of this message and any attachments is strictly prohibited. 
If you are not the intended recipient, please notify the sender immediately by 
return e-mail, and delete this message and any attachments from your system. 
