[gptalk] 'Properly' removing software which has been installed by GP

From: "Northwood, Ian" <Ian.Northwood@xxxxxx>
To: <gptalk@xxxxxxxxxxxxx>
Date: Wed, 15 Oct 2008 11:18:11 +0100

I now having a working script which determines if any user who logged on to a
machine is a member of any group filtered on a GPO. Phew!

Now, a new problem, hence the change to the 'Subject' line. I say 'Properly'
because I could, of course, have my script do even MORE work by determining
which components relate to which product, remove those components forcibly
(remembering to check reference-counts etc) and then MSIZAPping what's left but
there *MUST* be a recommended way of doing this using either MSIExec or the
Windows Installer object. Calling MSIExec.EXE with the relevant Product Code
(as a local admin, obviously) results in the error 'This action is only valid
for products that are currently installed.'

Ian

________________________________

From: tools@xxxxxxxxxx [mailto:tools@xxxxxxxxxx]
Sent: 09 October 2008 15:50
To: Northwood, Ian
Subject: RE: [gptalk] Re: Determining group associated with a GPO

Hi Ian-

No worries. As a starting point, you can check out this article. It
talks about how you can use VBScript to RSOP data related to Scripts policy.
Software Installation is just a different class name:
http://www.microsoft.com/technet/scriptcenter/topics/gp/extension2.mspx

Let me know if you have any questions.

Darren

From: Northwood, Ian [mailto:Ian.Northwood@xxxxxx]
Sent: Thursday, October 09, 2008 7:35 AM
To: Darren Mar-Elia
Subject: RE: [gptalk] Re: Determining group associated with a GPO

Hi, Darren.

Yeh, the mail guys here are on at me about it for some reason. I have
no clue why: it's not like I'm getting hundreds of message per day. Frankly, I
can't be bothered to argue with them, I'll just leave them to their petty
rules...

As for RSOP/GPMc, I looked and looked but couldn't see anything obvious
but, TBH, I think I got into one of my 'can't see the wood for the trees'
scenarios, where I was just going round in circles with GPO names, GUIDs,
product codes and so on. If you have a teensy code snippet or can point me at
an MSDN article or something, I'd appreciate it, as the script - whilst speedy
- is quite clunky IMV.

Ian

________________________________

From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx]
Sent: 09 October 2008 15:21
To: Northwood, Ian
Subject: FW: [gptalk] Re: Determining group associated with a
GPO

Ian-

I saw that you unsubscribed from the list before I sent
this-fyi.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Thursday, October 09, 2008 7:18 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO

Ian-

No, I meant querying RSOP data directly in WMI. You can do this
to get just the software installation info, both per-computer and per-user.
Frankly, you could also use the registry metadata within
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy to determine if a
given user and computer had processed a particular software installation GPO.
It won't tell you the name of the product, but you could glean that fairly
easily from the policy itself.

Also, on your last question, did you look at the GPMC APIs I
mentioned earlier? Its very easy to answer the question, what groups are
filtered on a given GPO using that method.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
Sent: Thursday, October 09, 2008 12:08 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO

Darren,

You mean RSOPing out to a text file then parsing that? Those
reports take F O R E V E R to be produced! And doing it user by user would take
even longer, I think. I'm happy with what I have now: it's just that the
multiple hoops I've had to jump through to get there seem so unnecessary for
what, on the face of it, is a pretty simple requirement! I still can't quite
believe there's no easy method to say "here's a GPO, what groups are filtered
on it?"

Ian

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: 08 October 2008 16:38
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with
a GPO

Ian -

How about using RSOP to determine which apps have been
deployed to a given user or computer? RSOP does not need the user to be logged
on.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie
Sent: Wednesday, October 08, 2008 8:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with
a GPO

I'll have to dig for it. Kind of busy at the moment but
I'll see if I can find it before the end of the day. J

From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
Sent: Wednesday, October 08, 2008 10:21 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with
a GPO

Hey, Jamie, that'd be neat, thanks. Could you upload it
to Senduit.com and paste the resulting link into a reply, or is it available
for d/l elsewhere?

Ian

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie
Sent: 08 October 2008 16:18
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group
associated with a GPO

Ian,

You can manually load each registry hive and
search it, then unload it when you're done...I think I actually have a VBScript
class I wrote to do such a thing.

From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
Sent: Wednesday, October 08, 2008 9:29 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group
associated with a GPO

QAD - Quick And Dirty :)

The issue with querying the registry on the
target is, as I mentioned, that it's only exposed for the currently logged-in
user, e.g. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group
Policy\AppMgmt\[ProductCode]. We need to find out which packages got pushed
onto a machine for all users, as the client's users do hot-desking. This means
that a machine will get, for example, MS Project delivered to it if an
appropriately permissioned user logs in to that machine. Then, when an audit
agent runs (these things generally do a simple scan for known EXEs), it might
identify 3 times as many installations as the client has licenses for. It fails
to take account of hot-desk installs. This is the entire purpose of the script
- to make sense of this mess!

So, we walk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\[UserSIDs]\Installer\Products\[ProductCodes],
matching it against
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[ProductCodes]. Any
which appear in the latter but not the former are assumed to be local installs
(i.e. not pushed by GPO) and flagged as invalid, and possibly
force-uninstalled. The managed stuff's Product Code is queried, the GPO found,
the security-filtered group divined, then the user SID obtained earlier tested
for membership of that group. Anomalies are then flagged in the report file
produced (as we can't easily force-uninstal GPO-pushed apps in a timely manner).

Easy! LOL

I've just been told I will probably need to
handle an user/group/machine exception list. Great...I'll save that for v2, I
think...

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: 08 October 2008 14:58
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group
associated with a GPO

Ian-

So, if I follow what you are doing, you
are querying AD for all packageRegistration objects, querying their product
codes and using that as a key to associate package to registry entry on the
clients? Then you are determining what GPO that packageRegistration object is
in by parsing the DN of that that object?

What is your 'QAD script'? Anyway, it
sounds like you have found a solution. There is probably a better solution by
using the registry metadata on the client to determine which GPO a package is
part of and whether the client is getting that GPO, but you seem to have a way
forward, so I won't mess with it J

Darren

From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
Sent: Wednesday, October 08, 2008 4:29
AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group
associated with a GPO

The registry contains that info for the
currently logged-in user only. Our requirement is for the script to walk the
domain (or a selected OU) and interrogate each machine for its installed
software, including what's been pushed out by GP. For locally installed
software, we'll kick off a remote removal. For GPO-pushed stuff, all we can do
is determine if user is a member of the group assocaited with the GPO. This
latter requirement is why we need to find out which group is filtered on the
GPO.

Anyway, I've arrived at a solution:

- query the AD for the ProductCode and
get the container name(s), plural because there may be AD orphans containing
the code. I'm researching a method to determine which GPO is the 'live' one.

- parse that container name for the
GPO's container name (is there a 'method' to get that? I'm just looking for '{'
then '}' and using what's in between!)

- get the SecurityDescriptor details
for the GPO

- test if the trustee name returned is
a group and, if so, add it to a dictionary

- loop through the dictionary and test
the account's membership of that group.

It's a mess at the moment but at least
I know I can get the info I need. Now all I need to do is shoe-horn my QAD
script into the actual script which will do the work.

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: 02 October 2008 16:29
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group
associated with a GPO

If all you know is the product code,
you will need to query every packageRegistration object in AD to look for that
product code, and then from there you can derive the GPO name/id. But I wonder
if you really have to do that. I seem to remember that somewhere in the
registry metadata on the client that you can make the link between product code
and GPO. You should investigate that before going down the path of querying AD.
I would check for you if I had a machine with a deployed package handy.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
Sent: Thursday, October 02, 2008 7:51 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group
associated with a GPO

Thanks, Darren, you're probably right.

I realise my error now. I actually
don't know the GPO name (nor therefore its ID). So, to re-phrase my question:

If I know the ProductCode (in all its
forms) what query can I use to get the group associated with the GPO containing
that ProductCode? I appreciate that there may be duplicate records but I can
handle that as a separate issue.

Ian

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: 02 October 2008 15:42
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group
associated with a GPO

Ian,

You probably missed the response we
sent to this before you had re-subscribed. You can use the GPMC APIs to query
the security on a GPO. This makes it very easy to get at that info. Let me know
if that did not answer your question.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Northwood, Ian
Sent: Thursday, October 02, 2008 7:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Determining group
associated with a GPO

Folks,

As part of a licensing audit, I have
been asked to build a script to interrogate installed software on machines.
Easy enough. However, we want to be able to determine which apps were installed
per-user by Group Policy and whether the user concerned is in the group
associated with the package.

How do I query AD to determine the
group associated with the GPO, given that I know:

- all the users who have had software
pushed to them having logged into the machine (I loop through
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\[User's
SIDs]\Installer\Products\[PackedProductCode])

- the GPO name and its GUID

- the ProductCode, its packed form and
its octet/byte array form

The idea is that we produce a list of
accounts who appear in the registry as having had 'Package X' installed but who
are not in the associated group.

Liverpool Victoria Friendly Society
Ltd. Registered in England and Wales. Registered Office: County Gates
Bournemouth England, BH1 2NF, No.61 Coll. Financial Services Authority Register
number 110035.

This email (and any attachments):

- is for its intended recipients only
and may contain confidential and /or legally privileged information. If
received in error, any use of this email is prohibited. Please delete it (and
any copies) and notify us on +44(0)1202 292333, ext. 4044.

- is believed to be free of any virus
or other defect but internet communications cannot be guaranteed to be secure
or error free and we do not accept any liability for any loss or damage from
their receipt or use.

Opinions expressed in this email are
not necessarily those of the Society.
LV= and Liverpool Victoria are trade
marks of Liverpool Victoria Friendly Society Limited and LV= and LV= Liverpool
Victoria are trading styles of the Liverpool Victoria group of companies.
LV= reserves the right to monitor and
inspect emails sent to and by its employees.

To find out more about us please visit:
www.lv.com <http://www.lv.com/>

______________________________________________________________________
This email has been scanned by the
MessageLabs Email Security System.
For more information please visit
http://www.messagelabs.com/email

______________________________________________________________________

This email (and any attachments):

To find out more about us please visit:
www.lv.com <http://www.lv.com/>

______________________________________________________________________

This email (and any attachments):

To find out more about us please visit:
www.lv.com <http://www.lv.com/>

______________________________________________________________________

Liverpool Victoria Friendly Society Ltd.
Registered in England and Wales. Registered Office: County Gates Bournemouth
England, BH1 2NF, No.61 Coll. Financial Services Authority Register number
110035.

This email (and any attachments):

- is for its intended recipients only and may
contain confidential and /or legally privileged information. If received in
error, any use of this email is prohibited. Please delete it (and any copies)
and notify us on +44(0)1202 292333, ext. 4044.

- is believed to be free of any virus or other
defect but internet communications cannot be guaranteed to be secure or error
free and we do not accept any liability for any loss or damage from their
receipt or use.

Opinions expressed in this email are not
necessarily those of the Society.
LV= and Liverpool Victoria are trade marks of
Liverpool Victoria Friendly Society Limited and LV= and LV= Liverpool Victoria
are trading styles of the Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect
emails sent to and by its employees.

To find out more about us please visit:
www.lv.com <http://www.lv.com/>

______________________________________________________________________
This email has been scanned by the MessageLabs
Email Security System.
For more information please visit
http://www.messagelabs.com/email

______________________________________________________________________

________________________________

Confidentiality Warning: This message and any
attachments are intended only for the use of the intended recipient(s), are
confidential, and may be privileged. If you are not the intended recipient, you
are hereby notified that any review, retransmission, conversion to hard copy,
copying, circulation or other use of all or any portion of this message and any
attachments is strictly prohibited. If you are not the intended recipient,
please notify the sender immediately by return e-mail, and delete this message
and any attachments from your system.

______________________________________________________________________
This email has been scanned by the MessageLabs
Email Security System.
For more information please visit
http://www.messagelabs.com/email

______________________________________________________________________

Liverpool Victoria Friendly Society Ltd. Registered in
England and Wales. Registered Office: County Gates Bournemouth England, BH1
2NF, No.61 Coll. Financial Services Authority Register number 110035.

This email (and any attachments):

- is for its intended recipients only and may contain
confidential and /or legally privileged information. If received in error, any
use of this email is prohibited. Please delete it (and any copies) and notify
us on +44(0)1202 292333, ext. 4044.

- is believed to be free of any virus or other defect
but internet communications cannot be guaranteed to be secure or error free and
we do not accept any liability for any loss or damage from their receipt or
use.

Opinions expressed in this email are not necessarily
those of the Society.
LV= and Liverpool Victoria are trade marks of Liverpool
Victoria Friendly Society Limited and LV= and LV= Liverpool Victoria are
trading styles of the Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails
sent to and by its employees.

To find out more about us please visit: www.lv.com
<http://www.lv.com/>

______________________________________________________________________
This email has been scanned by the MessageLabs Email
Security System.
For more information please visit
http://www.messagelabs.com/email

______________________________________________________________________

______________________________________________________________________
This email has been scanned by the MessageLabs Email
Security System.
For more information please visit
http://www.messagelabs.com/email

______________________________________________________________________

Liverpool Victoria Friendly Society Ltd. Registered in England
and Wales. Registered Office: County Gates Bournemouth England, BH1 2NF, No.61
Coll. Financial Services Authority Register number 110035.

This email (and any attachments):

- is for its intended recipients only and may contain
confidential and /or legally privileged information. If received in error, any
use of this email is prohibited. Please delete it (and any copies) and notify
us on +44(0)1202 292333, ext. 4044.

- is believed to be free of any virus or other defect but
internet communications cannot be guaranteed to be secure or error free and we
do not accept any liability for any loss or damage from their receipt or use.

Opinions expressed in this email are not necessarily those of
the Society.
LV= and Liverpool Victoria are trade marks of Liverpool
Victoria Friendly Society Limited and LV= and LV= Liverpool Victoria are
trading styles of the Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails sent to
and by its employees.

To find out more about us please visit: www.lv.com
<http://www.lv.com/>

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security
System.
For more information please visit
http://www.messagelabs.com/email

______________________________________________________________________

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security
System.
For more information please visit
http://www.messagelabs.com/email

______________________________________________________________________

Liverpool Victoria Friendly Society Ltd. Registered in England and
Wales. Registered Office: County Gates Bournemouth England, BH1 2NF, No.61
Coll. Financial Services Authority Register number 110035.

This email (and any attachments):

- is for its intended recipients only and may contain confidential and
/or legally privileged information. If received in error, any use of this email
is prohibited. Please delete it (and any copies) and notify us on +44(0)1202
292333, ext. 4044.

- is believed to be free of any virus or other defect but internet
communications cannot be guaranteed to be secure or error free and we do not
accept any liability for any loss or damage from their receipt or use.

Opinions expressed in this email are not necessarily those of the
Society.
LV= and Liverpool Victoria are trade marks of Liverpool Victoria
Friendly Society Limited and LV= and LV= Liverpool Victoria are trading styles
of the Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails sent to and by its
employees.

To find out more about us please visit: www.lv.com <http://www.lv.com/>

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

Liverpool Victoria Friendly Society Ltd. Registered in England and Wales.
Registered Office: County Gates Bournemouth England, BH1 2NF, No.61 Coll.
Financial Services Authority Register number 110035.

This email (and any attachments):

- is for its intended recipients only and may contain confidential and/or
legally privileged information. If received in error, any use of this email is
prohibited.
Please delete it (and any copies) and notify us on +44(0)1202 292333, ext.
4044.

- is believed to be free of any virus or other defect but internet
communications cannot be guaranteed to be secure or error free and we do not
accept any liability for any loss or damage from their receipt or use.
Opinions expressed in this email are not necessarily those of the Society.

LV= and Liverpool Victoria are trade marks of Liverpool Victoria Friendly
Society Limited and LV= and LV= Liverpool Victoria are trading styles of the
Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails sent to and by its
employees. To find out more about us please visit: www.lv.com

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

Follow-Ups:
- [gptalk] Re: 'Properly' removing software which has been installed by GP
  - From: Darren Mar-Elia

[gptalk] 'Properly' removing software which has been installed by GP

Other related posts: