Use SCCM to find machines with an issue with GPOs
We use GPOs here for all kinds of things, and sometimes we can't figure out why a machine is acting up when a GPO should be controlling the setting. A prime example is our Health startup script.
If you use the SCCM software inventory scan to collect the GPO database, secedit.sdb, you can see when it was last updated. The GPO database should be updated every time the GPO is applied. I set this collection to 7 days to give the machine the benefit of the doubt that it was off the network for a few days, but you could also add the last hardware scan date to it if you were doing a daily scan (which I am no longer doing, and why I don't have it in the WQL query).
Collection
Run the following collection query and you can figure out who is having an issue.
select SMS_R_SYSTEM.ResourceID
,SMS_R_SYSTEM.ResourceType
,SMS_R_SYSTEM.Name
,SMS_R_SYSTEM.SMSUniqueIdentifier
,SMS_R_SYSTEM.ResourceDomainORWorkgroup
,SMS_R_SYSTEM.Client
from
SMS_R_System inner join SMS_G_System_SoftwareFile
on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId
where
SMS_G_System_SoftwareFile.FileName = "secedit.sdb"
and DATEDIFF(dd,SMS_G_System_SoftwareFile.ModifiedDate,GetDate()) > 7
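The paragraph above mentions that the last hardware scan date could be added to the query when clients inventory daily. The following WQL is an added variant of the collection query, not part of the original post: it joins SMS_G_System_WORKSTATION_STATUS (a standard SCCM class whose LastHardwareScan property holds the time of the client's last hardware inventory) and only returns machines that have reported inventory within the last 2 days. The 2-day window is an assumption for a daily scan schedule; adjust it to match your inventory cycle. The point is to separate a real failure (the client is talking to SCCM but secedit.sdb is still stale) from a machine that simply has not reported in, whose ModifiedDate would look old only because its inventory is old.

```sql
select SMS_R_SYSTEM.ResourceID
,SMS_R_SYSTEM.ResourceType
,SMS_R_SYSTEM.Name
,SMS_R_SYSTEM.SMSUniqueIdentifier
,SMS_R_SYSTEM.ResourceDomainORWorkgroup
,SMS_R_SYSTEM.Client
from
SMS_R_System
inner join SMS_G_System_SoftwareFile
on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_WORKSTATION_STATUS
on SMS_G_System_WORKSTATION_STATUS.ResourceID = SMS_R_System.ResourceId
where
SMS_G_System_SoftwareFile.FileName = "secedit.sdb"
and DATEDIFF(dd,SMS_G_System_SoftwareFile.ModifiedDate,GetDate()) > 7
and DATEDIFF(dd,SMS_G_System_WORKSTATION_STATUS.LastHardwareScan,GetDate()) <= 2
```

The first DATEDIFF condition is the original check (secedit.sdb not written for more than 7 days); the second keeps only clients whose hardware inventory is recent, so everything left in the collection is a machine that is on the network and still not applying security policy. If you are not running a daily hardware scan, drop the last condition and use the original query, otherwise healthy machines will be filtered out simply because their inventory is older than the window.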
Report
Here is a report that will show you when the GPO was last applied for machines that have a secedit.sdb older than 7 days.
select a.Name0
,a.User_Name0
,a.Operating_System_Name_and0
, CONVERT(VARCHAR(12),b.ModifiedDate,107) As "GPO Date Last Applied"
from v_R_System a join v_GS_SoftwareFile b on b.ResourceID=a.ResourceID
where b.FileName='secedit.sdb'
and DATEDIFF(dd,b.ModifiedDate,GetDate()) > 7
order by b.ModifiedDate
Now you just have to figure out why the GPO DB is not getting updated.
Special thanks to a MS PFE for this little bit of info.