Querying GPO policies on Domain Controller

Hello All,

I am going to start by writing fixlets that query global policies on the domain controller.
My question is whether there are different inspectors to query global policies, or whether I can use the same inspectors that query local policies.
For example, one of the settings I want to query is "Password history must be set to 24 passwords remembered". I have referred to similar content from the PCI DSS and CIS sites, and they use
password history length of security database

Can I use the same for domain controllers too? Do domain controllers have a local policy object applied, or just the global (AD) policies? I want to be sure before I go ahead and query the security database or registry keys.

Querying the security database or the registry keys reads the results of all applied policies (whether Domain GPO, Local Group Policy, or manually added with regedit / secedit). So yes, you're on the right track.

This won't tell you which group policy is applying any given setting, but that probably doesn't matter anyway.

Don't try to examine any of the registry.pol files directly. I've been down that path, and having registry.pol locked for reading by the BESClient can prevent Group Policy from being applied or modified.

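To illustrate the point above, that the security database holds the effective, merged result of every applied policy, here is an added example; it is not BigFix relevance and not code from anyone in this thread. It parses the INF file that `secedit /export /cfg <file>` writes on Windows and checks the password-policy values against benchmark targets. The sample export text is constructed, and the target values are assumptions standing in for whatever benchmark you follow; the helper that actually runs secedit is only usable on an elevated Windows session.

```python
"""Check effective account-policy settings from a secedit export.

Added example for this thread (not BigFix relevance, not any poster's code).
`secedit /export /cfg <file>` writes the EFFECTIVE local security database,
i.e. the merged result of Domain GPO, Local Group Policy and any manual
secedit/registry changes, as an INF-style, UTF-16 text file. Reading that
export never touches Group Policy's own registry.pol files.
"""
import configparser
import subprocess
import sys
import tempfile
from pathlib import Path

# Targets are ASSUMED for the example; substitute your benchmark's values
# (pass a different dict for domain controllers if your benchmark differs).
MEMBER_SERVER_TARGETS = {
    "PasswordHistorySize": ("min", 24),    # 24 or more passwords remembered
    "MinimumPasswordLength": ("min", 14),
    "MaximumPasswordAge": ("max", 365),    # days; "never expires" must fail
    "PasswordComplexity": ("eq", 1),
}

# Constructed, abbreviated sample of what `secedit /export` produces.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

LUA_PATH = "MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"


def parse_secedit_export(text):
    """Parse INF text into {section: {key: value}} with key case preserved."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                     # keep 'PasswordHistorySize' as written
    cp.read_string(text.lstrip("\ufeff"))    # drop BOM if the file was read as utf-8
    return {section: dict(cp.items(section)) for section in cp.sections()}


def evaluate(policy, targets=MEMBER_SERVER_TARGETS):
    """Compare [System Access] values to targets -> {key: (actual, passed)}."""
    system_access = policy.get("System Access", {})
    results = {}
    for key, (mode, want) in targets.items():
        raw = system_access.get(key)
        if raw is None:                      # setting absent: a failure, not a pass
            results[key] = (None, False)
            continue
        actual = int(raw)
        if mode == "min":
            passed = actual >= want
        elif mode == "max":
            # secedit writes -1 (the GUI shows 0) when passwords never expire
            passed = 0 < actual <= want
        else:
            passed = actual == want
        results[key] = (actual, passed)
    return results


def registry_value(policy, value_path):
    """Decode a [Registry Values] entry ('type,data'): REG_DWORD -> int, else str."""
    raw = policy.get("Registry Values", {}).get(value_path)
    if raw is None:
        return None
    reg_type, _, data = raw.partition(",")
    return int(data) if reg_type == "4" else data.strip('"')


def export_effective_policy(path=None):
    """On Windows (elevated), dump the live security database and parse it."""
    if sys.platform != "win32":
        raise RuntimeError("secedit is only available on Windows")
    path = Path(path or Path(tempfile.gettempdir()) / "secpol_export.inf")
    path.unlink(missing_ok=True)             # never reuse a stale export file
    subprocess.run(["secedit", "/export", "/cfg", str(path)], check=True, capture_output=True)
    try:
        return parse_secedit_export(path.read_text(encoding="utf-16"))
    finally:
        path.unlink(missing_ok=True)


if __name__ == "__main__":
    policy = parse_secedit_export(SAMPLE_EXPORT)  # on a DC: export_effective_policy()
    for key, (actual, passed) in evaluate(policy).items():
        print(f"{'PASS' if passed else 'FAIL'} {key} = {actual}")
    print("EnableLUA =", registry_value(policy, LUA_PATH))
```

Because the export is the merged result, the same parser works on a domain controller and a member server; only the targets dict changes when a benchmark asks for a different value on a DC. A setting missing from the export is reported as a failure rather than silently passing, which matters for "never expires" style values.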

OK, so I was thinking of a scenario like this: if I make some changes in the Group Policy Management Console and, for some reason or issue, they do not sync locally, the content that I create for the DC is ultimately checking the registry entries, which won't find my changes.
So my question was more about whether I can query the global policies directly.

If not, it makes me question the existence of the separate compliance content for domain controllers that PCI-DSS and CIS provide.

PCI and CIS provide separate checks because in some cases they require a different value to be set on a DC. It doesn't really matter how the setting got there…

Hi Jason,
Hope you are doing well.
I have used this analysis, "https://bigfix.me/analysis/details/2998487", to find which GPOs are applied to which servers in our domain; that was cool.
But now my actual issue is to find out and collect what settings are configured in each of these GPOs in our domain, as we have multiple GPOs.
Any help, please?

Hi Rohit,
Were you successful in this? Please share. Thanks, q