
Compliance check GPO with WQL


#1 Fraeco


Posted 09 January 2017 - 01:05 PM

Hi!

I'm trying to get compliance going because of an ongoing audit on our servers. One of the requirements is that a certain GPO is applied. I figured I'd query the ROOT\RSOP\COMPUTER namespace for RSOP_GPO. This class has the GPO name and its enabled/disabled state.

I tried my WMI query, and the PowerShell snippet below returns the GPOs that are listed in a GPRESULT on the server.

$query = "Select name,enabled from RSOP_GPO where enabled = true"
$namespace = "ROOT\RSOP\COMPUTER"
Get-WmiObject -Query $query -Namespace $Namespace | select name,enabled

I then created a CI with the following settings:

  • Setting type: WQL query
  • Data type: string
  • Namespace: ROOT\RSOP\COMPUTER
  • Class: RSOP_GPO
  • Property: name
  • WQL query WHERE clause: enabled = 'true'

The hard part is getting the rule to comply. I tried the following rules: "one of: GPO name", "Contains: GPO Name", "Equals: GPO Name".

When I look up the report on my client, I can see that the GPO rule is non-compliant. I get the following results:

expression           current value            rule type
Contains GPO Name    Default Domain Policy    Value
Contains GPO Name    Local Group Policy       Value
Contains GPO Name    Some other GPO           Value
Contains GPO Name    Another extra GPO        Value

Strange thing is, though, that the GPO I'm querying against isn't in the list, but I know for certain that it's applied and active.

I don't really know how to advance from here on out, so I was hoping any of you guys had an insight I'm missing.

Thanks in advance!
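
An added example, not part of the original post: a PowerShell check that collapses the RSOP_GPO query into a single value for one required GPO, and also looks at the class's `accessDenied` and `filterAllowed` properties, since a GPO can be listed and enabled but still filtered out. The function name `Test-GpoApplied`, the GPO name `Server Baseline Policy` and the sample rows are placeholders constructed for illustration.

```powershell
# Added example. 'Server Baseline Policy' and Test-GpoApplied are placeholders,
# not names from the original post.
function Test-GpoApplied {
    param(
        [Parameter(Mandatory)] [string] $RequiredGpo,
        # Optional: pre-collected RSOP_GPO rows, so the logic can be tried offline.
        [object[]] $Gpos
    )
    if (-not $PSBoundParameters.ContainsKey('Gpos')) {
        # Select * so the filtering flags are available alongside name/enabled.
        $Gpos = @(Get-WmiObject -Namespace 'ROOT\RSOP\COMPUTER' -Query 'SELECT * FROM RSOP_GPO')
    }
    # A GPO can be listed and enabled yet skipped by security or WMI filtering.
    $hit = @($Gpos | Where-Object {
        $_.name -and $_.name.Trim() -eq $RequiredGpo.Trim() -and
        $_.enabled -and -not $_.accessDenied -and $_.filterAllowed
    })
    if ($hit.Count -gt 0) { 'Compliant' } else { 'NonCompliant' }
}

# Constructed sample rows (not real output) covering the three cases.
$sample = @(
    [pscustomobject]@{ name = 'Default Domain Policy';  enabled = $true; accessDenied = $false; filterAllowed = $true }
    [pscustomobject]@{ name = 'Server Baseline Policy'; enabled = $true; accessDenied = $true;  filterAllowed = $true }
)
Test-GpoApplied -RequiredGpo 'Default Domain Policy'  -Gpos $sample   # listed and applied
Test-GpoApplied -RequiredGpo 'Server Baseline Policy' -Gpos $sample   # listed but access denied
Test-GpoApplied -RequiredGpo 'Missing Policy'         -Gpos $sample   # not listed at all

# On a server, query the live namespace instead:
# Test-GpoApplied -RequiredGpo 'Server Baseline Policy'
```

Used as a script-type setting instead of a WQL setting, this yields one string per machine, so the compliance rule can be a plain equality test against `Compliant` (an assumption about how the CI would be configured, not something stated in the post).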








