[00:03] From part 1, you now know the roles of Group Policy as well as the RSoP GUI tool, right?
And you have just prepared the administration accounts, permissions, and firewall rules + management services?
As long as you have prepared the requirements well, you can now sit in front of a domain computer and query a bunch of remote ones.
[00:13] In this demo, I will audit a remote computer only.
So, add the SnoOpy-Server-2 computer to view its RSoP status remotely.
Check this box to inspect which policies have been applied to users on this computer only.
[00:38] "While the gpresult command, using the /h or /s switches, can grab a partial RSoP report, often when running it in a session as a user, it will not get the Computer Policy information due to permissions issues, or if you run that command as an administrator, it will not grab the user policy. The gpresult /v will usually grab a complete report, but in text format.
The Group Policy Management Console, accessible via most domain controllers or on other servers where the console is installed, has a convenient method of saving a complete RSoP report in HTML format" – liquidwarelabs.zendesk.com
Good job, we can fetch the users of that machine.
First of all, it indicates that we have enough permissions and connectivity.
The 3rd thing to note is that we must ensure that the Windows Management Instrumentation and Remote Procedure Call services are running on both the server and the client computer.
[00:51] This is a policy which we just applied in part 1: the "Deny Control Panel" global policy, and we can confirm that it has been applied on SnoOpy-Server-2 by using the remote RSoP status view.
A computer can use RSoP to query itself.
Repeat the previous procedure for the SnoOpy-Server-3 user on the SnoOpy-Server-3 computer, and you will see whether the expected policy has been applied appropriately or not.
[1:47] "Through the Group Policy Management Console you can see all the settings that a specific GPO will apply to machines and users in that OU but because the Active Directory is hierarchical you have to drill down into further Organizational Units in order to find if a more specific GPO might be affecting the target machines" – 404techsupport.com
[2:16] "Gpresult is a command-line tool that shows the Resultant Set of Policy (RSoP) for a user or computer based on applied Group Policy settings. It ships with all versions of Windows, including Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008" – searchwindowsserver.techtarget.com
A warning about insufficient permissions: we are using the local account instead of an administration one.
Don't worry: because we are using the SnoOpy-Server-3 user account, it can query info about this user.
[2:25] "GPResult.exe is a console administrative tool designed to analyze and diagnose group policy settings that are applied to a computer and/or user in the Active Directory domain. In particular, GPResult allows you to get the RSOP (Resultant Set of Policy) data, the list of applied domain policies (GPO), their settings and detailed information about errors during GPO processing. This tool is a part of Windows OS since Windows XP" – woshub.com
[2:39] Because the policy update process can take up to 90 minutes, to force it to apply immediately, run this command on the DC and then on the client as well.
Otherwise, you can't see this policy status.
[3:31] Check out part 3 about querying RSoP via a CLI tool, gpresult, to see how easy bulk management is!