
Check GPO Settings are applied to servers in OU

Created: 14 Mar 2011 | 4 comments

In either RMS or CCS R&A, I want to take the GPO settings that an OU is linked to and run a check to verify that all the GPO settings actually applied to the servers in that OU. So basically, I want to check the local security policy settings.

In RMS:

  • I have a query created to show all settings listed in a particular GPO.  Then I have an RMS query that lists all the local settings applied to a server. 
  • I cannot just rely on Active Directory to apply the GPO without occasionally auditing that they are applying correctly.  Is there an easy way to compare a GPO and the settings that are actually applied to a server to verify all are applying correctly? 
  • Or, how do I easily take the results of an RMS query on a particular machine and use them to verify settings on a set of machines? Do I have to manually put them into the Filter of a new query?

In CCS R&A:

  • Is there a way to import the results of an RMS query to create checks within a Standard?
  • Is there another way to create a Standard's checks based on a GPO?

Hope this makes sense.

Thanks,

Aaron

4 Comments

VSK's picture

Hi Aaron,

I think, at this point, there is no way to verify the RSoP data on the computers. Also, there is no way to import query results into checks. I think you can call support and request a feature request to be created.

-VSK

ahumphries's picture

VKalani,

Thanks for your reply.  I figured since I did not get any quick replies that this was either not possible yet or fairly complex. 

Here's what I ended up doing:

While having the Group Policy Management Console up and viewing the GPO in another window,

  • selected a predefined Standard - in this case one of the Regulatory Standards, NIST...CIS Windows Server 2003 Legacy... which I had originally based most of our baseline security standards upon
  • copied/pasted various checks to create a new custom Standard 
  • modified the predefined settings in this new Standard to match our baseline GPO settings.
  • completed Data Collection and Evaluation based on this new Standard.

Aaron

kevin_stultz's picture

Aaron,

As you noted, there isn't a GPO to CCS Standard creation tool - please do put in a feature request. I did want to note that you can add the container a server resides in as a field for a CCS asset. The asset import job will populate and maintain this field after it is added. This allows you to then manage assets within CCS by container - i.e., you can create asset groups based on the container the server resides in.

Kevin

ahumphries's picture

Kevin - I will open a feature request with support.
Also, thanks for the tip on adding Container.  I might give this a try.

Thanks,

Aaron
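
An added example, not part of the thread and not an RMS or CCS feature: one way to audit the comparison asked about in the original post outside those tools is to diff the GPO's security template (`GptTmpl.inf`) against a `secedit /export /cfg` dump taken on each server. Both sample files below are constructed, the function names are hypothetical, and the check covers only security-template settings from a single GPO (real files are normally UTF-16 encoded and must be decoded before parsing).

```python
import configparser

# Constructed sample: security template of the baseline GPO (GptTmpl.inf format).
GPO_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
LockoutBadCount = 5
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
"""

# Constructed sample: `secedit /export /cfg` output from one server in the OU.
SERVER_EXPORT = r"""
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
PasswordComplexity = 1
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
"""

SKIP = {"unicode", "version"}  # file metadata sections, not policy settings

def parse_inf(text):
    """Return {(section, setting): normalized value} for a security template."""
    cp = configparser.ConfigParser(delimiters=("=",), strict=False, interpolation=None)
    cp.read_string(text)  # setting names are lower-cased by configparser
    out = {}
    for sec in cp.sections():
        name = sec.lower()
        if name in SKIP:
            continue
        for key, value in cp.items(sec):
            parts = [p.strip().strip('"').lower() for p in value.split(",")]
            if name == "privilege rights":
                parts.sort()  # the order of SIDs in a user right is not significant
            out[(name, key)] = ",".join(parts)
    return out

def audit(gpo_text, server_text):
    """List (section, setting, expected, actual) for every GPO setting that drifted."""
    expected, actual = parse_inf(gpo_text), parse_inf(server_text)
    return [(sec, key, want, actual.get((sec, key)))  # actual None = not set on server
            for (sec, key), want in sorted(expected.items())
            if actual.get((sec, key)) != want]
```

Settings present on the server but absent from the GPO are ignored, so the result is limited to what the GPO is supposed to enforce.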