Fraeco

Compliance check GPO with WQL




Hi!

I'm trying to get compliance going because of an ongoing audit on our servers. One of the requirements is that a certain GPO is applied. I figured I'd query the ROOT\RSOP\COMPUTER namespace for RSOP_GPO. This class has the GPO name and its enabled/disabled state.

 

I tried my WMI query, and the PowerShell snippet below returns the GPOs that are listed in a GPRESULT on the server.

$query = "Select name,enabled from RSOP_GPO where enabled = true"
$namespace = "ROOT\RSOP\COMPUTER"
Get-WmiObject -Query $query -Namespace $Namespace | select name,enabled

I then created a CI with the following settings

  • Setting type: WQL query
  • Data type: string
  • Namespace: ROOT\RSOP\COMPUTER
  • Class: RSOP_GPO
  • Property: name
  • WQL query WHERE clause: enabled = 'true'

The hard part is getting the rule to comply. I tried the following rules: "one of: GPO name", "Contains: GPO Name", "Equals: GPO Name".

When I look up the report on my client, I can see that the GPO rule is non-compliant. I get the following results:

expression           current value            rule type
Contains GPO Name    Default Domain Policy    Value
Contains GPO Name    Local Group Policy       Value
Contains GPO Name    Some other GPO           Value
Contains GPO Name    Another extra GPO        Value

Strange thing is though that the GPO I'm querying against isn't in the list but I know for certain that it's applied and active.

I don't really know how to advance from here on out so I was hoping any of you guys had an insight I'm missing.

Thanks in advance!
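An added example, not part of the original post: the same RSOP_GPO lookup written as a PowerShell discovery script that returns one string for a compliance rule to compare against, instead of one value per GPO instance. The function name `Test-GpoInRsop`, the placeholder GPO name and the returned strings are assumptions; `accessDenied` and `filterAllowed` are other RSOP_GPO properties that show whether a listed GPO was blocked by permissions or by a WMI filter.

```powershell
# Added example: hypothetical discovery script, not the poster's code.
# Placeholder: set this to the display name of the GPO required by the audit.
$TargetGpoName = 'PLACEHOLDER GPO NAME'

function Test-GpoInRsop {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [string] $Namespace = 'ROOT\RSOP\COMPUTER'
    )

    # Read every RSOP_GPO instance; no WHERE clause, so disabled or
    # filtered GPOs stay visible and can be reported on.
    try {
        $gpos = @(Get-WmiObject -Namespace $Namespace -Class RSOP_GPO -ErrorAction Stop)
    }
    catch {
        return 'Error: RSoP data unavailable'
    }

    # -eq is case-insensitive; Trim() guards against stray whitespace in the name.
    $match = @($gpos | Where-Object { $_.name.Trim() -eq $Name.Trim() })
    if ($match.Count -eq 0) {
        return 'NonCompliant: GPO not present in RSoP data'
    }

    # Count the GPO as applied only if it is enabled, readable by the
    # computer account, and allowed by its WMI filter.
    $applied = @($match | Where-Object {
        $_.enabled -and (-not $_.accessDenied) -and $_.filterAllowed
    })
    if ($applied.Count -gt 0) {
        return 'Compliant'
    }

    $m = $match[0]
    return ('NonCompliant: enabled={0} accessDenied={1} filterAllowed={2}' -f `
        $m.enabled, $m.accessDenied, $m.filterAllowed)
}

# Single string result, e.g. for a rule of the form: value Equals "Compliant".
Test-GpoInRsop -Name $TargetGpoName
```

Run it in an elevated Windows PowerShell session on the server first; the non-compliant strings say whether the GPO is missing from the RSoP data or present but not effective.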
