[gptalk] Re: 'Properly' removing software which has been installed by GP
- From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Wed, 15 Oct 2008 16:30:02 -0700
Ian-
The way to cleanly remove an app that has been deployed via GP is to remove
it from the GPO using the Remove function. Trying to do it from the client
is problematic unless you make sure to clean ALL the registry data
associated with the package. Otherwise, the app is removed but GP thinks its
still there and it won't be able to be reinstalled.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Northwood, Ian
Sent: Wednesday, October 15, 2008 3:18 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] 'Properly' removing software which has been installed by
GP
I now having a working script which determines if any user who logged on to
a machine is a member of any group filtered on a GPO. Phew!
Now, a new problem, hence the change to the 'Subject' line. I say 'Properly'
because I could, of course, have my script do even MORE work by determining
which components relate to which product, remove those components forcibly
(remembering to check reference-counts etc) and then MSIZAPping what's left
but there *MUST* be a recommended way of doing this using either MSIExec or
the Windows Installer object. Calling MSIExec.EXE with the relevant Product
Code (as a local admin, obviously) results in the error 'This action is only
valid for products that are currently installed.'
Ian
_____
From: tools@xxxxxxxxxx [mailto:tools@xxxxxxxxxx]
Sent: 09 October 2008 15:50
To: Northwood, Ian
Subject: RE: [gptalk] Re: Determining group associated with a GPO
Hi Ian-
No worries. As a starting point, you can check out this article. It talks
about how you can use VBScript to RSOP data related to Scripts policy.
Software Installation is just a different class name:
http://www.microsoft.com/technet/scriptcenter/topics/gp/extension2.mspx
Let me know if you have any questions.
Darren
From: Northwood, Ian [mailto:Ian.Northwood@xxxxxx]
Sent: Thursday, October 09, 2008 7:35 AM
To: Darren Mar-Elia
Subject: RE: [gptalk] Re: Determining group associated with a GPO
Hi, Darren.
Yeh, the mail guys here are on at me about it for some reason. I have no
clue why: it's not like I'm getting hundreds of message per day. Frankly, I
can't be bothered to argue with them, I'll just leave them to their petty
rules...
As for RSOP/GPMc, I looked and looked but couldn't see anything obvious but,
TBH, I think I got into one of my 'can't see the wood for the trees'
scenarios, where I was just going round in circles with GPO names, GUIDs,
product codes and so on. If you have a teensy code snippet or can point me
at an MSDN article or something, I'd appreciate it, as the script - whilst
speedy - is quite clunky IMV.
Ian
_____
From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx]
Sent: 09 October 2008 15:21
To: Northwood, Ian
Subject: FW: [gptalk] Re: Determining group associated with a GPO
Ian-
I saw that you unsubscribed from the list before I sent this-fyi.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Thursday, October 09, 2008 7:18 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO
Ian-
No, I meant querying RSOP data directly in WMI. You can do this to get just
the software installation info, both per-computer and per-user. Frankly, you
could also use the registry metadata within
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy to determine if
a given user and computer had processed a particular software installation
GPO. It won't tell you the name of the product, but you could glean that
fairly easily from the policy itself.
Also, on your last question, did you look at the GPMC APIs I mentioned
earlier? Its very easy to answer the question, what groups are filtered on a
given GPO using that method.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Northwood, Ian
Sent: Thursday, October 09, 2008 12:08 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO
Darren,
You mean RSOPing out to a text file then parsing that? Those reports take F
O R E V E R to be produced! And doing it user by user would take even
longer, I think. I'm happy with what I have now: it's just that the multiple
hoops I've had to jump through to get there seem so unnecessary for what, on
the face of it, is a pretty simple requirement! I still can't quite believe
there's no easy method to say "here's a GPO, what groups are filtered on
it?"
Ian
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: 08 October 2008 16:38
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO
Ian -
How about using RSOP to determine which apps have been deployed to a given
user or computer? RSOP does not need the user to be logged on.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie
Sent: Wednesday, October 08, 2008 8:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO
I'll have to dig for it. Kind of busy at the moment but I'll see if I can
find it before the end of the day. J
Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon
Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
http://www.dvn.com <http://www.dvn.com/>
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Northwood, Ian
Sent: Wednesday, October 08, 2008 10:21 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO
Hey, Jamie, that'd be neat, thanks. Could you upload it to Senduit.com and
paste the resulting link into a reply, or is it available for d/l elsewhere?
Ian
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie
Sent: 08 October 2008 16:18
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO
Ian,
You can manually load each registry hive and search it, then unload it when
you're done.I think I actually have a VBScript class I wrote to do such a
thing.
Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon
Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
http://www.dvn.com <http://www.dvn.com/>
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Northwood, Ian
Sent: Wednesday, October 08, 2008 9:29 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO
QAD - Quick And Dirty :)
The issue with querying the registry on the target is, as I mentioned, that
it's only exposed for the currently logged-in user, e.g.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group
Policy\AppMgmt\[ProductCode]. We need to find out which packages got pushed
onto a machine for all users, as the client's users do hot-desking. This
means that a machine will get, for example, MS Project delivered to it if an
appropriately permissioned user logs in to that machine. Then, when an audit
agent runs (these things generally do a simple scan for known EXEs), it
might identify 3 times as many installations as the client has licenses for.
It fails to take account of hot-desk installs. This is the entire purpose of
the script - to make sense of this mess!
So, we walk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Manag
ed\[UserSIDs]\Installer\Products\[ProductCodes], matching it against
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[ProductCodes].
Any which appear in the latter but not the former are assumed to be local
installs (i.e. not pushed by GPO) and flagged as invalid, and possibly
force-uninstalled. The managed stuff's Product Code is queried, the GPO
found, the security-filtered group divined, then the user SID obtained
earlier tested for membership of that group. Anomalies are then flagged in
the report file produced (as we can't easily force-uninstal GPO-pushed apps
in a timely manner).
Easy! LOL
PS
I've just been told I will probably need to handle an user/group/machine
exception list. Great...I'll save that for v2, I think...
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: 08 October 2008 14:58
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO
Ian-
So, if I follow what you are doing, you are querying AD for all
packageRegistration objects, querying their product codes and using that as
a key to associate package to registry entry on the clients? Then you are
determining what GPO that packageRegistration object is in by parsing the DN
of that that object?
What is your 'QAD script'? Anyway, it sounds like you have found a solution.
There is probably a better solution by using the registry metadata on the
client to determine which GPO a package is part of and whether the client is
getting that GPO, but you seem to have a way forward, so I won't mess with
it J
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Northwood, Ian
Sent: Wednesday, October 08, 2008 4:29 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO
The registry contains that info for the currently logged-in user only. Our
requirement is for the script to walk the domain (or a selected OU) and
interrogate each machine for its installed software, including what's been
pushed out by GP. For locally installed software, we'll kick off a remote
removal. For GPO-pushed stuff, all we can do is determine if user is a
member of the group assocaited with the GPO. This latter requirement is why
we need to find out which group is filtered on the GPO.
Anyway, I've arrived at a solution:
- query the AD for the ProductCode and get the container name(s), plural
because there may be AD orphans containing the code. I'm researching a
method to determine which GPO is the 'live' one.
- parse that container name for the GPO's container name (is there a
'method' to get that? I'm just looking for '{' then '}' and using what's in
between!)
- get the SecurityDescriptor details for the GPO
- test if the trustee name returned is a group and, if so, add it to a
dictionary
- loop through the dictionary and test the account's membership of that
group.
It's a mess at the moment but at least I know I can get the info I need. Now
all I need to do is shoe-horn my QAD script into the actual script which
will do the work.
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: 02 October 2008 16:29
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO
If all you know is the product code, you will need to query every
packageRegistration object in AD to look for that product code, and then
from there you can derive the GPO name/id. But I wonder if you really have
to do that. I seem to remember that somewhere in the registry metadata on
the client that you can make the link between product code and GPO. You
should investigate that before going down the path of querying AD. I would
check for you if I had a machine with a deployed package handy.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Northwood, Ian
Sent: Thursday, October 02, 2008 7:51 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO
Thanks, Darren, you're probably right.
I realise my error now. I actually don't know the GPO name (nor therefore
its ID). So, to re-phrase my question:
If I know the ProductCode (in all its forms) what query can I use to get the
group associated with the GPO containing that ProductCode? I appreciate that
there may be duplicate records but I can handle that as a separate issue.
Ian
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: 02 October 2008 15:42
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Determining group associated with a GPO
Ian,
You probably missed the response we sent to this before you had
re-subscribed. You can use the GPMC APIs to query the security on a GPO.
This makes it very easy to get at that info. Let me know if that did not
answer your question.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Northwood, Ian
Sent: Thursday, October 02, 2008 7:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Determining group associated with a GPO
Folks,
As part of a licensing audit, I have been asked to build a script to
interrogate installed software on machines. Easy enough. However, we want to
be able to determine which apps were installed per-user by Group Policy and
whether the user concerned is in the group associated with the package.
How do I query AD to determine the group associated with the GPO, given that
I know:
- all the users who have had software pushed to them having logged into the
machine (I loop through
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Mana
ged\[User's SIDs]\Installer\Products\[PackedProductCode])
- the GPO name and its GUID
- the ProductCode, its packed form and its octet/byte array form
The idea is that we produce a list of accounts who appear in the registry as
having had 'Package X' installed but who are not in the associated group.
Liverpool Victoria Friendly Society Ltd. Registered in England and Wales.
Registered Office: County Gates Bournemouth England, BH1 2NF, No.61 Coll.
Financial Services Authority Register number 110035.
This email (and any attachments):
- is for its intended recipients only and may contain confidential and /or
legally privileged information. If received in error, any use of this email
is prohibited. Please delete it (and any copies) and notify us on +44(0)1202
292333, ext. 4044.
- is believed to be free of any virus or other defect but internet
communications cannot be guaranteed to be secure or error free and we do not
accept any liability for any loss or damage from their receipt or use.
Opinions expressed in this email are not necessarily those of the Society.
LV= and Liverpool Victoria are trade marks of Liverpool Victoria Friendly
Society Limited and LV= and LV= Liverpool Victoria are trading styles of the
Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails sent to and by its
employees.
To find out more about us please visit: www.lv.com <http://www.lv.com/>
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
Liverpool Victoria Friendly Society Ltd. Registered in England and Wales.
Registered Office: County Gates Bournemouth England, BH1 2NF, No.61 Coll.
Financial Services Authority Register number 110035.
This email (and any attachments):
- is for its intended recipients only and may contain confidential and /or
legally privileged information. If received in error, any use of this email
is prohibited. Please delete it (and any copies) and notify us on +44(0)1202
292333, ext. 4044.
- is believed to be free of any virus or other defect but internet
communications cannot be guaranteed to be secure or error free and we do not
accept any liability for any loss or damage from their receipt or use.
Opinions expressed in this email are not necessarily those of the Society.
LV= and Liverpool Victoria are trade marks of Liverpool Victoria Friendly
Society Limited and LV= and LV= Liverpool Victoria are trading styles of the
Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails sent to and by its
employees.
To find out more about us please visit: www.lv.com <http://www.lv.com/>
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
Liverpool Victoria Friendly Society Ltd. Registered in England and Wales.
Registered Office: County Gates Bournemouth England, BH1 2NF, No.61 Coll.
Financial Services Authority Register number 110035.
This email (and any attachments):
- is for its intended recipients only and may contain confidential and /or
legally privileged information. If received in error, any use of this email
is prohibited. Please delete it (and any copies) and notify us on +44(0)1202
292333, ext. 4044.
- is believed to be free of any virus or other defect but internet
communications cannot be guaranteed to be secure or error free and we do not
accept any liability for any loss or damage from their receipt or use.
Opinions expressed in this email are not necessarily those of the Society.
LV= and Liverpool Victoria are trade marks of Liverpool Victoria Friendly
Society Limited and LV= and LV= Liverpool Victoria are trading styles of the
Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails sent to and by its
employees.
To find out more about us please visit: www.lv.com <http://www.lv.com/>
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
Liverpool Victoria Friendly Society Ltd. Registered in England and Wales.
Registered Office: County Gates Bournemouth England, BH1 2NF, No.61 Coll.
Financial Services Authority Register number 110035.
This email (and any attachments):
- is for its intended recipients only and may contain confidential and /or
legally privileged information. If received in error, any use of this email
is prohibited. Please delete it (and any copies) and notify us on +44(0)1202
292333, ext. 4044.
- is believed to be free of any virus or other defect but internet
communications cannot be guaranteed to be secure or error free and we do not
accept any liability for any loss or damage from their receipt or use.
Opinions expressed in this email are not necessarily those of the Society.
LV= and Liverpool Victoria are trade marks of Liverpool Victoria Friendly
Society Limited and LV= and LV= Liverpool Victoria are trading styles of the
Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails sent to and by its
employees.
To find out more about us please visit: www.lv.com <http://www.lv.com/>
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
_____
Confidentiality Warning: This message and any attachments are intended only
for the use of the intended recipient(s), are confidential, and may be
privileged. If you are not the intended recipient, you are hereby notified
that any review, retransmission, conversion to hard copy, copying,
circulation or other use of all or any portion of this message and any
attachments is strictly prohibited. If you are not the intended recipient,
please notify the sender immediately by return e-mail, and delete this
message and any attachments from your system.
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
Liverpool Victoria Friendly Society Ltd. Registered in England and Wales.
Registered Office: County Gates Bournemouth England, BH1 2NF, No.61 Coll.
Financial Services Authority Register number 110035.
This email (and any attachments):
- is for its intended recipients only and may contain confidential and /or
legally privileged information. If received in error, any use of this email
is prohibited. Please delete it (and any copies) and notify us on +44(0)1202
292333, ext. 4044.
- is believed to be free of any virus or other defect but internet
communications cannot be guaranteed to be secure or error free and we do not
accept any liability for any loss or damage from their receipt or use.
Opinions expressed in this email are not necessarily those of the Society.
LV= and Liverpool Victoria are trade marks of Liverpool Victoria Friendly
Society Limited and LV= and LV= Liverpool Victoria are trading styles of the
Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails sent to and by its
employees.
To find out more about us please visit: www.lv.com <http://www.lv.com/>
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
Liverpool Victoria Friendly Society Ltd. Registered in England and Wales.
Registered Office: County Gates Bournemouth England, BH1 2NF, No.61 Coll.
Financial Services Authority Register number 110035.
This email (and any attachments):
- is for its intended recipients only and may contain confidential and /or
legally privileged information. If received in error, any use of this email
is prohibited. Please delete it (and any copies) and notify us on +44(0)1202
292333, ext. 4044.
- is believed to be free of any virus or other defect but internet
communications cannot be guaranteed to be secure or error free and we do not
accept any liability for any loss or damage from their receipt or use.
Opinions expressed in this email are not necessarily those of the Society.
LV= and Liverpool Victoria are trade marks of Liverpool Victoria Friendly
Society Limited and LV= and LV= Liverpool Victoria are trading styles of the
Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails sent to and by its
employees.
To find out more about us please visit: www.lv.com <http://www.lv.com/>
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
Liverpool Victoria Friendly Society Ltd. Registered in England and Wales.
Registered Office: County Gates Bournemouth England, BH1 2NF, No.61 Coll.
Financial Services Authority Register number 110035.
This email (and any attachments):
- is for its intended recipients only and may contain confidential and /or
legally privileged information. If received in error, any use of this email
is prohibited. Please delete it (and any copies) and notify us on +44(0)1202
292333, ext. 4044.
- is believed to be free of any virus or other defect but internet
communications cannot be guaranteed to be secure or error free and we do not
accept any liability for any loss or damage from their receipt or use.
Opinions expressed in this email are not necessarily those of the Society.
LV= and Liverpool Victoria are trade marks of Liverpool Victoria Friendly
Society Limited and LV= and LV= Liverpool Victoria are trading styles of the
Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails sent to and by its
employees.
To find out more about us please visit: www.lv.com <http://www.lv.com/>
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
Liverpool Victoria Friendly Society Ltd. Registered in England and Wales.
Registered Office: County Gates Bournemouth England, BH1 2NF, No.61 Coll.
Financial Services Authority Register number 110035.
This email (and any attachments):
- is for its intended recipients only and may contain confidential and /or
legally privileged information. If received in error, any use of this email
is prohibited. Please delete it (and any copies) and notify us on +44(0)1202
292333, ext. 4044.
- is believed to be free of any virus or other defect but internet
communications cannot be guaranteed to be secure or error free and we do not
accept any liability for any loss or damage from their receipt or use.
Opinions expressed in this email are not necessarily those of the Society.
LV= and Liverpool Victoria are trade marks of Liverpool Victoria Friendly
Society Limited and LV= and LV= Liverpool Victoria are trading styles of the
Liverpool Victoria group of companies.
LV= reserves the right to monitor and inspect emails sent to and by its
employees.
To find out more about us please visit: www.lv.com <http://www.lv.com/>
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
Other related posts:
