AD GPO Result for user and computer policy

Hi Everyone,

I would like to seek your help with getting the AD user and computer policy via BigFix.

Thanks in advance!

These will return the policy name and status …

//GPO - Machine
if (name of operating system does not contain "Win") then "N/A" else if (not exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List" of registry OR not exists values "DisplayName" of keys of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List" of registry) then "N/A" else (values "DisplayName" of it, "Applied") of keys whose (value "AccessDenied" of it != 1) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List" of registry as string;(values "DisplayName" of it, "Denied") of keys whose (value "AccessDenied" of it != 0) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List" of registry as string

//GPO - User
if (name of operating system does not contain "Win") then "N/A" else if (not exists current user) then "No User Logged On" else if (not exists keys of key ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\" & (component string of sid of security account (name of current user)) & "\GPO-List") of registry OR not exists values "DisplayName" of keys of key ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\" & (component string of sid of security account (name of current user)) & "\GPO-List") of registry) then "N/A" else ((values "DisplayName" of it, "Applied") of keys whose (value "AccessDenied" of it != 1) of key ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\" & (component string of sid of security account (name of current user)) & "\GPO-List") of registry as string);((values "DisplayName" of it, "Denied") of keys whose (value "AccessDenied" of it != 0) of key ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\" & (component string of sid of security account (name of current user)) & "\GPO-List") of registry as string)


Hi nicksberger,

Thanks for your quick reply! However, upon testing the user policy in Q&A, it always results in “No User Logged On”. Can you verify if this is correct?

Hi nicksberger,

No need for verification, I was able to run the scripts successfully and have the needed information.

Thank you very much for your help!


What result do you get in fixlet debugger -

q: exists current user

Result from Q&A. - A: No User Logged On

But it was queried correctly when I created it in an analysis for all Windows computers.

Great analysis @nicksberger!

The challenge I see in my environment is likely similar to what Richard is seeing where ‘current user’ does not consistently provide accurate feedback depending on the OS/configuration. For computers where ‘current user’ is evaluated properly, this relevance works.

We just need from IBM a more consistent and accurate ‘current user’ evaluation.

You can try -

logged on user

or

number of logged on users = 1

QnA needs to be run in “local client evaluation” mode to get a result from that inspector.

I tried @nicksberger's relevance in an analysis in my dev environment. However, many/most of these machines were not evaluating ‘current user’ accurately. Where it did evaluate correctly, the relevance results were good.

I know that getting accurate ‘current user’ results has always been a bit challenging. It seems like it hasn’t gotten any better on 9.5.2 (that we are running).
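
The following PowerShell is an added example, not code from this thread or from BigFix. It reads the same GPO-List registry keys as the relevance above, but enumerates every SID key under State instead of relying on ‘current user’, so the output can be compared with the analysis results on a machine where that inspector does not evaluate. The function name Get-GpoListEntry, the variable names and the 'Unknown' status label are assumptions made for this example.

```powershell
# Added example: reads the GPO-List keys that the relevance in this thread queries.
$StateRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State'

function Get-GpoListEntry {
    param([Parameter(Mandatory)][string]$Scope)   # 'Machine' or a user SID string

    $listPath = Join-Path (Join-Path $StateRoot $Scope) 'GPO-List'
    if (-not (Test-Path -LiteralPath $listPath)) { return }

    # Resolve a SID to an account name where possible; keep the SID otherwise.
    $owner = $Scope
    if ($Scope -ne 'Machine') {
        try {
            $sid   = New-Object System.Security.Principal.SecurityIdentifier($Scope)
            $owner = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $owner = $Scope
        }
    }

    foreach ($key in Get-ChildItem -LiteralPath $listPath) {
        $name = $key.GetValue('DisplayName')
        if ($null -eq $name) { continue }          # no DisplayName: nothing to report
        $denied = $key.GetValue('AccessDenied')
        # 'Unknown' is an assumed label for keys that carry no AccessDenied value.
        $status = if ($null -eq $denied) { 'Unknown' } elseif ($denied -eq 0) { 'Applied' } else { 'Denied' }
        [pscustomobject]@{ Scope = $owner; GPO = $name; Status = $status }
    }
}

# 'Machine' plus every SID-named key under State, logged on or not.
$scopes = @('Machine') + @(
    Get-ChildItem -LiteralPath $StateRoot |
        Where-Object { $_.PSChildName -like 'S-1-*' } |
        ForEach-Object { $_.PSChildName }
)

$scopes |
    ForEach-Object { Get-GpoListEntry -Scope $_ } |
    Sort-Object Scope, Status, GPO |
    Format-Table -AutoSize
```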