I'm trying to get compliance going because of an ongoing audit on our servers. One of the requirements is that a certain GPO is applied. I figured I'd query the ROOT\RSOP\COMPUTER namespace for RSOP_GPO. This class has the GPO name and its enabled/disabled state.
I tried my WMI query, and the PowerShell snippet below returns the GPOs that are listed in a GPRESULT on the server.
```powershell
# List the enabled GPOs recorded in the computer RSoP data
$query = "Select name,enabled from RSOP_GPO where enabled = true"
$namespace = "ROOT\RSOP\COMPUTER"
Get-WmiObject -Query $query -Namespace $namespace | select name,enabled
```
I then created a CI with the following settings
- Setting type: WQL query
- Data type: string
- Namespace: ROOT\RSOP\COMPUTER
- Class: RSOP_GPO
- Property: name
- WQL query WHERE clause: enabled = 'true'
The hard part is getting the rule to comply. I tried the following rules: "one of: GPO name", "Contains: GPO Name", "Equals: GPO Name".
When I look up the report on my client I can see that the GPO rule is non-compliant. I get the following results:
| Expression | Current value | Rule type |
|---|---|---|
| Contains GPO Name | Default Domain Policy | Value |
| Contains GPO Name | Local Group Policy | Value |
| Contains GPO Name | Some other GPO | Value |
| Contains GPO Name | Another extra GPO | Value |
Strange thing is though that the GPO I'm querying against isn't in the list but I know for certain that it's applied and active.
I don't really know how to advance from here on out so I was hoping any of you guys had an insight I'm missing.
Thanks in advance!
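
Added example, not part of the original post: the same RSOP_GPO data reduced to a single True/False answer for one required GPO, along with the names that were actually seen. The function name, the placeholder GPO name and the sample rows are constructed; `accessDenied` and `filterAllowed` are further RSOP_GPO properties, used here on the assumption that a GPO flagged by either should not count as applied.

```powershell
# Added example (not from the original post).
function Test-RequiredGpo {
    param(
        [Parameter(Mandatory)][string]   $RequiredName,
        # RSOP_GPO instances, or objects with the same property names
        [Parameter(Mandatory)][object[]] $RsopGpo
    )
    $wanted = $RequiredName.Trim()

    # -eq on strings is case-insensitive; Trim() guards against stray whitespace.
    $hits = @($RsopGpo | Where-Object { "$($_.name)".Trim() -eq $wanted })

    # Assumption: "applied" means enabled, not access-denied, and allowed by its WMI filter.
    $applied = @($hits | Where-Object {
        $_.enabled -and -not $_.accessDenied -and $_.filterAllowed
    })

    [pscustomobject]@{
        Required  = $wanted
        Compliant = ($applied.Count -gt 0)
        Seen      = @($RsopGpo | ForEach-Object { $_.name })  # for troubleshooting
    }
}

# Constructed sample rows shaped like RSOP_GPO instances (not real data).
$sample = @(
    [pscustomobject]@{ name = 'Default Domain Policy'; enabled = $true
                       accessDenied = $false; filterAllowed = $true }
    [pscustomobject]@{ name = 'Local Group Policy'; enabled = $true
                       accessDenied = $false; filterAllowed = $true }
    [pscustomobject]@{ name = 'Required GPO (placeholder)'; enabled = $true
                       accessDenied = $true; filterAllowed = $true }
)

# One GPO that is listed but access-denied, one that is applied normally.
Test-RequiredGpo -RequiredName 'Required GPO (placeholder)' -RsopGpo $sample
Test-RequiredGpo -RequiredName 'default domain policy' -RsopGpo $sample

# Live use on a server (placeholder name):
# $live = Get-WmiObject -Namespace 'ROOT\RSOP\COMPUTER' -Class RSOP_GPO
# (Test-RequiredGpo -RequiredName '<required GPO name>' -RsopGpo $live).Compliant
```

The `Seen` list makes it easy to compare the exact names RSOP_GPO returns against the name the rule expects.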