Friday, September 14, 2012

How to check which GPOs are applied and which registry values a GPO changes

Hi Guys,
I am adding one more article here because I feel it will be beneficial for all of us who do administrative work on the Microsoft platform. Many of us have worked, or are working, with Group Policy. I have worked with it for many years, but interestingly I never looked at which registry values are changed when Group Policy Objects are applied to a server.

You can open the Run box from the Start menu and enter "RSOP.MSC", which opens a separate window for Resultant Set of Policy where you can see all the policies applied to the box.



Once the console opens you will be able to see which settings have been applied to your PC.
Note: Only settings that have been applied to your machine and user account will show up.



You can also use the command prompt, as many people prefer it. When using the command line, note that you have to specify the scope of the results. To find all the policies that are applied to your user account, use the following command:
"gpresult /Scope User /v"  (You can save the output to a text file by appending >filename.txt)

Then, if you scroll down, you will see the Resultant Set Of Policies for User section.


If you are looking for all policies applied to your Computer, all you need to do is change the scope:
"gpresult /Scope Computer /v"

If you scroll down, you will now see that there is a Resultant Set Of Policies for Computer section.



Now the question is: how do we check which registry settings are added when a Group Policy Object is modified? For this we can use a fantastic tool, Process Monitor.

You can download it from Microsoft Sysinternals:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Then extract and run it locally.
When Proc Mon opens, you will need to add a filter condition as follows:
"Process Name is mmc.exe then Include"
Then click the Add button.



To get only the registry keys that are changed, we need to add another one:
"Operation is RegSetValue then Include"
Then click the Add button again.



Once the two rules have been added, you can go ahead and click OK.



Now go and open the Group Policy setting that you wish to edit.



Before you actually change the setting, switch back over to Proc Mon and clear the log.



Then go and change the GPO and click apply.



If you switch over to Proc Mon, you will see one or more registry keys listed there. Right-click an entry and select the Jump To… option from the context menu.

That will fire up Regedit and take you to the exact key which was modified.
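
The same two filters can be applied offline to a saved trace, which is handy when you want a record of what a policy setting wrote. The PowerShell below is an added example, not part of the original post: it assumes the trace was saved from Process Monitor in CSV format with the default columns, and the function name Get-GpoRegistryWrite, the sample rows and the staging-key mapping are assumptions made for illustration.

```powershell
# Added example: list registry values written by the Group Policy editor,
# using the same two conditions as the Process Monitor filters above.
# Constructed sample of a Procmon CSV export; GUID, keys and values are made up.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01","mmc.exe","4321","RegQueryValue","HKCU\Software\Policies\Contoso\Demo\Enabled","NAME NOT FOUND","Length: 16"
"10:15:02","mmc.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{00000000-0000-0000-0000-000000000000}Machine\Software\Policies\Contoso\Demo\Enabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:15:02","mmc.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{00000000-0000-0000-0000-000000000000}User\Software\Policies\Contoso\Demo\Banner","SUCCESS","Type: REG_SZ, Length: 12, Data: Hello"
"10:15:03","svchost.exe","900","RegSetValue","HKLM\SOFTWARE\Contoso\Other\Counter","SUCCESS","Type: REG_DWORD, Length: 4, Data: 7"
'@

function Get-GpoRegistryWrite {
    param([Parameter(Mandatory = $true)][object[]]$Events)

    # Assumption: the local policy editor stages edits under this per-user key,
    # with the real target path following the "{GUID}Machine\" or "{GUID}User\" part.
    $staging = '^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\\{[0-9A-Fa-f-]+\}(Machine|User)\\'

    foreach ($e in $Events) {
        # Same conditions as the two Procmon include filters.
        if ($e.'Process Name' -ne 'mmc.exe' -or $e.Operation -ne 'RegSetValue') { continue }

        $target = $e.Path
        if ($e.Path -match $staging) {
            # Map the staging path back to the hive the policy ends up in.
            $hive = if ($Matches[1] -eq 'Machine') { 'HKLM' } else { 'HKCU' }
            $target = $hive + '\' + ($e.Path -replace $staging, '')
        }
        $split = $target.LastIndexOf('\')
        [pscustomobject]@{
            Key       = $target.Substring(0, $split)
            ValueName = $target.Substring($split + 1)
            Detail    = $e.Detail
            RawPath   = $e.Path
        }
    }
}

# For a real trace, replace the sample with: Import-Csv <path to your export>
Get-GpoRegistryWrite -Events ($sampleCsv | ConvertFrom-Csv) | Format-List Key, ValueName, Detail
```

Rows from other processes and non-write operations are dropped, so what remains is the list of values the policy edit set, ready to compare against your baseline.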
