Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Check GPO Settings are applied to servers in OU

Created: 14 Mar 2011 | 4 comments

In both RMS or CCS R&A, I want to take the GPO settings that an OU is linked to and run a check to verify that all the GPO settings actually applied to the servers in that OU.  So basically, I want to check the local security policy settings. 

In RMS:

  • I have a query created to show all settings listed in a particular GPO.  Then I have an RMS query that lists all the local settings applied to a server. 
  • I cannot just rely on Active Directory to apply the GPO without occasionally auditing that they are applying correctly.  Is there an easy way to compare a GPO and the settings that are actually applied to a server to verify all are applying correctly? 
  • Or, how do I easily take results of an RMS query on a particular machine and use it to verify settings on a set of machines?  Do I have to manually put into the Filter of a new query? 

In CCS R&A:

  • Is there a way to import the results of an RMS query to create checks within a Standard?
  • Is there another way to create a Standard's checks based on a GPO?

Hope this makes sense.

Thanks,

Aaron

Comments 4 CommentsJump to latest comment

VSK's picture

Hi Aaron,

I think, at this point, there is no way to verify the rsop data on the computers....also, no way to import query  results into checks....I think, you can call support, and request a feature request to be  created....

-VSK

ahumphries's picture

VKalani,

Thanks for your reply.  I figured since I did not get any quick replies that this was either not possible yet or fairly complex. 

Here's what I ended up doing:

Whiile having the Group Policy Management Console up and viewing the GPO in another window, 

  • selected a predefined Standard - in this case one of the Regulatory Standards, NIST...CIS Windows Server 2003 Legacy... which I had originally based most of our baseline security standards upon
  • copied/pasted various checks to create a new custom Standard 
  • modified the predefined settings in this new Standard to match our baseline GPO settings.
  • completed Data Collection and Evaluation based on this new Standard.

Aaron

kevin_stultz's picture

Aaron,

As you noted there isn't a GPO to CCS Standard creation tool - please do put in a feature request.  I did want to note that you can add the container a servers resides as a field for CCS asset.  The asset import job will populate and maintain this field after it is added.  This allows you to then manage assets within CCS by container - ie can create asset groups based on the container the server resides in. 

Kevin

ahumphries's picture

Kevin - I will open a feature request with support.
Also, thanks for the tip on adding Container.  I might give this a try.

Thanks,

Aaron