Computer RSOP Policies applied MOF Edit
On the mssms list, Tom Watson and Jeff Gilbert came up with a MOF edit to gather the RSOP (Resultant Set Of Policies) applied to a computer. Since Tom doesn't have a blog, I got his permission to post the edit here.
Add this to the bottom of sms_def.mof on your primary site server(s), in inboxes\clifiles.src\hinv. No changes to configuration.mof are necessary. Additionally, if you are still on SMS 2003, no mofcomp on your SMS 2003 clients is necessary either, because this is a WMI-type edit.
// <:[-<>>>>>>Start>>-Computer RSOP Audit-<<Start<<<<<>-]:>
// Contributed by Tom Watson / Jeff Gilbert
#pragma namespace("\\\\.\\root\\cimv2\\SMS")
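// deleteclass must name the class declared below so that any earlier definition is removed first
#pragma deleteclass("RSOP_AuditPolicy", NOFAIL)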
[SMS_Report(TRUE),
SMS_Group_Name("Audit Policy"),
Namespace ("\\\\\\\\.\\\\ROOT\\\\RSOP\\\\Computer"),
SMS_Class_ID("CUSTOM|Audit_Policy|1.0")]
Class RSOP_AuditPolicy: SMS_Class_Template
{
[SMS_Report(TRUE),Key] string Category;
[SMS_Report(TRUE)] boolean Failure;
[SMS_Report(TRUE)] boolean Success;
[SMS_Report(TRUE),Key] uint32 precedence;
};
// <:[-<>>>>>>>END>>-Computer RSOP Audit-<<END<<<<<<<<>-]:>
Per Tom, you'll get results back that look something like this:
| Category | Failure | precedence | Success |
|---|---|---|---|
| AuditAccountLogon | 1 | 1 | 1 |
| AuditAccountLogon | 1 | 2 | 1 |
| AuditAccountManage | 1 | 1 | 1 |
| AuditAccountManage | 1 | 2 | 1 |
| AuditDSAccess | 1 | 1 | 0 |
| AuditLogonEvents | 1 | 2 | 1 |
| AuditLogonEvents | 1 | 1 | 1 |
| AuditPolicyChange | 1 | 2 | 1 |
| AuditPolicyChange | 1 | 1 | 1 |
| AuditSystemEvents | 1 | 2 | 1 |
| AuditSystemEvents | 1 | 1 | 1 |
According to http://msdn.microsoft.com/en-us/library/aa375041(VS.85).aspx, the "winning" setting (the one that is actually applied) is represented by the instance whose precedence is equal to 1.
With that in mind, here's a sample report, for which you would create a @variable prompt for a computer name.
SELECT sys.Netbios_Name0
,aud.Category0
,aud.Success0
,aud.Failure0
FROM dbo.v_GS_Audit_Policy0 aud
JOIN dbo.v_R_System sys
ON sys.ResourceID = aud.ResourceID
WHERE aud.precedence0 = '1'
AND sys.Netbios_Name0 = @variable
Edit: After reviewing this entry, in my personal opinion, I think the GPOId is useful, so you might want to use this mof edit instead:
// <:[-<>>>>>>Start>>-Computer RSOP Audit-<<Start<<<<<>-]:>
// Contributed by Tom Watson / Jeff Gilbert / Sherry Kissinger
#pragma namespace("\\\\.\\root\\cimv2\\SMS")
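// deleteclass must name the class declared below so that the earlier definition (without GPOID) is removed first
#pragma deleteclass("RSOP_AuditPolicy", NOFAIL)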
[SMS_Report(TRUE),
SMS_Group_Name("Audit Policy"),
Namespace ("\\\\\\\\.\\\\ROOT\\\\RSOP\\\\Computer"),
SMS_Class_ID("CUSTOM|Audit_Policy|1.0")]
Class RSOP_AuditPolicy: SMS_Class_Template
{
[SMS_Report(TRUE),Key] string Category;
[SMS_Report(TRUE)] boolean Failure;
[SMS_Report(TRUE),Key] string GPOID;
[SMS_Report(TRUE)] boolean Success;
[SMS_Report(TRUE),Key] uint32 precedence;
};
// <:[-<>>>>>>>END>>-Computer RSOP Audit-<<END<<<<<<<<>-]:>
That will return a value like CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=YourDomain,DC=com
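Building on the precedence = 1 rule and the GPOID property above, here is an added example (not from the original post or its contributors): a report that lists every inventoried computer whose winning audit setting differs from a baseline, or that has no GPO-applied setting for a baseline category. The baseline values are constructed placeholders, and the GPOID0 column name is an assumption that follows the view's naming pattern once the second MOF edit has been inventoried.

```sql
-- Added example: fleet-wide audit-policy drift report.
-- Baseline rows are constructed placeholders; replace them with your own standard.
SELECT sys.Netbios_Name0
      ,b.Category
      ,b.WantSuccess
      ,b.WantFailure
      ,aud.Success0        -- NULL means no GPO applies a setting for this category
      ,aud.Failure0
      ,aud.GPOID0          -- assumed column name; present only with the GPOID MOF edit
FROM (
        -- Only machines that have returned this inventory class at least once,
        -- so clients that never reported are not shown as non-compliant
        SELECT DISTINCT ResourceID
        FROM dbo.v_GS_Audit_Policy0
     ) rep
JOIN dbo.v_R_System sys
  ON sys.ResourceID = rep.ResourceID
CROSS JOIN (
        SELECT 'AuditAccountLogon'  AS Category, 1 AS WantSuccess, 1 AS WantFailure
        UNION ALL SELECT 'AuditAccountManage', 1, 1
        UNION ALL SELECT 'AuditLogonEvents',   1, 1
        UNION ALL SELECT 'AuditPolicyChange',  1, 1
        UNION ALL SELECT 'AuditSystemEvents',  1, 1
     ) b
LEFT JOIN dbo.v_GS_Audit_Policy0 aud
  ON aud.ResourceID  = rep.ResourceID
 AND aud.Category0   = b.Category
 AND aud.precedence0 = '1'          -- the winning instance only
WHERE aud.ResourceID IS NULL        -- category not set by any GPO
   OR aud.Success0 <> b.WantSuccess
   OR aud.Failure0 <> b.WantFailure
ORDER BY sys.Netbios_Name0, b.Category
```

Rows with a GPOID0 value point to the GPO that supplied the non-baseline setting; rows with NULL in the aud columns indicate the category is not configured through Group Policy on that machine.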