I want to test if a particular Computer security setting is actually set in any of our domain wide GPO’s and found this script:
…but it had typos (I corrected) and still doesn’t work.
How do I search for say these two settings?
[Policies\WindowsSettings\SecuritySettings\LocalPolicies\Security Options]
Domain member: Digitally encrypt or sign secure channel data
Domain member: Digitally encrypt secure channel data
Get-GPOReport is pretty basic.
There are lot’s of resources that show how to do GPO search with PS, those settings notwithstanding.
MS powershellgallery.com even has scripts for sort of search.
Search all GPOs in a domain for a string This is a simple Powershell script that uses the Group Policy cmdlets to search for a string within GPOs. The only input is the string to search for. 'gallery.technet.microsoft.com/scriptcenter/Search-all-GPOs-in-a-b155491c'As well as others have provided samples to experiment with… Examples I’ve looked into previously…
Find specific setting in GPO
‘powershell.org/forums/topic/find-specific-setting-in-gpo’GPO Setting Search Powershell Example
‘activedirectory.ncsu.edu/advanced-topics/scripting-center/gpo-setting-search-powershell-example’Powershell – Search all Group Policies (GPO) for a string
‘Powershell – Search all Group Policies (GPO) for a string | BritV8’Method 2: Searching Group Policy with PowerShell
‘DeployHappiness | Searching GPOs for that Specific Setting’
Find all registry settings in a managed gpo Find all Registry Settings Managed in a GPO - SDM Software Seems silly that get-gpregistryvalue doesn’t have a recursive option.
thanks postanote. The “search String” ps1 is slick but won’t find if a setting is set. I tested it using the search string “Enforce password” for which I know we have implemented in our Default Domain policy, yet the ps1 doesn’t find this setting.
So, I’ll try your other suggestions.
re:
GPO Setting Search Powershell Example 'activedirectory.ncsu.edu/advanced-topics/scripting-center/gpo-setting-search-powershell-example'
This one seems helpful provided I plug in the correct paramters however, I have yet to corroborate those with what I am seeking.
All 3 of the settings are found here: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
and the settings I want to see if enabled are:
Set Domain member: Digitally encrypt or sign secure channel data (always) to Enabled.
Set Domain member: Digitally encrypt secure channel data (when possible) to Enabled.
Set Domain member: Digitally sign secure channel data (when possible) to Enabled.
In the script, it’ll ask for
What values should I set?
You may have to check the registry entries themselves, and use process monitor (filter category = write) to figure out what registry changes happen. This is one of them:
Time of Day Process Name PID Operation Path Result Detail 2:27:46.8702663 PM services.exe 692 RegSetValue HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal SUCCESS Type: REG_DWORD, Length: 4, Data: 1
but this approach seems to be getting information from a computer that has received the setting and I’m 1) only running the script on the PDC (not a servers registry for the value) and 2) not querying the registry.
With hundreds of GPOs sitting in Sysvol, I want to query if any of those GPOs has the 3 settings set. These settings may in fact not be set. I’d like to ascertain that.
Maybe there’s some way to explore the adobjects (group policy container?) of a gpo with the settings you’re interested in. This is as far as I know. I was thinking of automating deploying printers, but never got it to work.
$gpo = Get-GPO 'requiresignorseal'
$id = $gpo.id.guid
get-adobject -filter * -SearchBase "cn={$id},cn=policies,cn=system,DC=me,DC=com" -properties *
Certainly interesting but wouldn’t know how to find the setting with these returned properties.
TypeName: Microsoft.ActiveDirectory.Management.ADObject
Name MemberType Definition
---- ---------- ----------
Contains Method bool Contains(string propertyName)
Equals Method bool Equals(System.Object obj)
GetEnumerator Method System.Collections.IDictionaryEnumerator GetEnumerator()
GetHashCode Method int GetHashCode()
GetType Method type GetType()
ToString Method string ToString()
Item ParameterizedProperty Microsoft.ActiveDirectory.Management.ADPropertyValueCollection Item(string propertyName) {get;}
CanonicalName Property System.String CanonicalName {get;}
CN Property System.String CN {get;}
Created Property System.DateTime Created {get;}
createTimeStamp Property System.DateTime createTimeStamp {get;}
Deleted Property System.Boolean Deleted {get;}
Description Property System.String Description {get;set;}
DisplayName Property System.String DisplayName {get;set;}
DistinguishedName Property System.String DistinguishedName {get;set;}
dSCorePropagationData Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection dSCorePropagationData {get;}
flags Property System.Int32 flags {get;set;}
gPCFileSysPath Property System.String gPCFileSysPath {get;set;}
gPCFunctionalityVersion Property System.Int32 gPCFunctionalityVersion {get;set;}
gPCMachineExtensionNames Property System.String gPCMachineExtensionNames {get;set;}
gPCUserExtensionNames Property System.String gPCUserExtensionNames {get;set;}
gPCWQLFilter Property System.String gPCWQLFilter {get;set;}
instanceType Property System.Int32 instanceType {get;}
isCriticalSystemObject Property System.Boolean isCriticalSystemObject {get;set;}
isDeleted Property System.Boolean isDeleted {get;}
LastKnownParent Property System.String LastKnownParent {get;}
Modified Property System.DateTime Modified {get;}
modifyTimeStamp Property System.DateTime modifyTimeStamp {get;}
Name Property System.String Name {get;}
nTSecurityDescriptor Property System.DirectoryServices.ActiveDirectorySecurity nTSecurityDescriptor {get;set;}
ObjectCategory Property System.String ObjectCategory {get;}
ObjectClass Property System.String ObjectClass {get;set;}
ObjectGUID Property System.Nullable`1[[System.Guid, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] ObjectGUID {get;set;}
ProtectedFromAccidentalDeletion Property System.Boolean ProtectedFromAccidentalDeletion {get;set;}
sDRightsEffective Property System.Int32 sDRightsEffective {get;}
showInAdvancedViewOnly Property System.Boolean showInAdvancedViewOnly {get;set;}
systemFlags Property System.Int32 systemFlags {get;}
uSNChanged Property System.Int64 uSNChanged {get;}
uSNCreated Property System.Int64 uSNCreated {get;}
versionNumber Property System.Int32 versionNumber {get;set;}
whenChanged Property System.DateTime whenChanged {get;}
whenCreated Property System.DateTime whenCreated {get;}