Reporting on Resultant Set of Policy (RSoP) using bigfix

(imported topic written by rkc91)

All

Justed wanted to get some ideas. How to one report on Resultant Set of Policy (RSoP) using Bigfix . Appreciate any feed back

rkc

(imported comment written by BenKus)

Hi rkc,

Can you give us some more information about what you are looking for? Are you referring to Microsoft’s snap-in for AD?

Ben

(imported comment written by rkc91)

Ben

Yes the snap-in results and tie it with bigfix for reporting.

I believe option we have are either to create individual properties and report on them. Or if there is a way we can leverage snap-in results and tie it to bigfix

One can create a vbscript and run it from a machine with gpmc installed. Report are publish as html file. We cannot run this from individual machines as gpmc would not be installed on all machines.

Set GPMC = CreateObject(“GPMgmt.GPM”)

Set Constants = GPMC.GetConstants()

Set RSOP= GPMC.GetRSOP(Constants.RSOPModeLogging,"",0)

RSOP.LoggingComputer=“servername”

RSOP.CreateQueryResults()

RSOP.GenerateReportToFile Constants.ReportHTML,"\sharepath\servername.html

rkc

(imported comment written by tim7ad91)

rkc,

Do you want to use GPMC, or are you more interested in the RSOP data for each client? If it’s the client, wouldn’t the “gpresult” command line tool work better? You could redirect the output to a file and parse it grabbing the data you want, or format it with HTML and create a report.

One caveat though, there will not be any “user” RSOP data because BF runs under the system account. You could try to pass the current-logged-on user with the /SCOPE user switch and try. I’m not sure if it would work. For example:

gpresult /SCOPE “USER” /USER userid

To just get the machine RSOP data you would use:

gpresult /SCOPE “COMPUTER”

FYI… Windows Help and Support (XP and later) provide an HTML report of RSOP data as well. In XP, click Start, Help and Support. Under Tasks click “Tools”, from tools select “Advanced System Information”, then “View Group Policy settings applied”. I’m not sure if there is a command line way to get to this, but if there were I believe it would have what you want.

(imported comment written by BenKus)

Hey folks,

One of our developers pointed out to me that in BES 7.0, we have implemented the following inspectors:

rsop user wmi

rsop computer wmi

Provides access to the Resulting Set of Policy WMI classes via the RsopLoggingModeProvider. This is used to examine the state of the GPO security policies.

Hope that helps,

Ben

(imported comment written by tim7ad91)

Thanks Ben… that was good to know. I wasn’t aware of the inspector or the standalone rsop.msc.

(imported comment written by rkc91)

Thanks Ben let me try that

Are there any more details on rsop inspector.

Thanks Tim7ad I already went thru that. I just wanted leverage results and tie to bigfix.

(imported comment written by rkc91)

Ben

We have 7.0 server and client

But we get this The operator “rsop computer wmi” is not defined when checking on RelevanceDebugger.exe

Any ideas

rkc

(imported comment written by BenKus)

Hi rkc,

Make sure you are using a 7.0+ version of the relevance debugger… then you can try something like:

selects “* from RSOP_GPO” of rsop computer wmi

I think this only works on Windows XP+.

Ben