This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 22%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
We have to meet a lot of standards for our industry (background checks) required by TransUnion, Experian, PBSA, etc. My boss told me to find a way to validate that GPO settings have actually been applied on a users laptop/desktop computer. How do we prove to an auditor that the setting is actually in effect. I told him with either RSOP or GPResult (verbose) but his response was that those tools only show what GPO/setting is supposed to be and not what is actually set on the computer. A GPO could have five different setting and GPResult could say that the GPO has been applied but it does NOT for instance give any form of validation that the ScreenSaveTimeOut has actually been set to 5 minutes.
From my boss regarding the output of a “gpresult /v” ::
“Yes, I would accept that if it actually showed the policy setting with the proper value but it does not. It doesn’t even show a success or failure on the applied policies. I do accept this as positive confirmation that the policy application happened which was part of the requirement so that’s helpful.”
At the end of the “gpresult /v” there are a number of registry lines:
Here is some additional critical information.
We are a totally remote work force. We used to be in an office with servers but they are hosted in a datacenter as virtual machines now and
• I do NOT have the passwords for our users as that would be a security violation
• post COVID we are 100% remote,
• rarely connected via VPN,
• 95% of work is done through 3rd party web sites,
• our few server services (AD, IIS, file share, and exchange) are currently being migrated to 365/Azure
So I cannot effectively use Get-GPResultantSetOfPolicy as that powershell command is only available on servers.
So given all that; if an internal or external auditor said to remote into a workstation and prove that the actual settings/requirements are currently what they are supposed to be; how would I do it?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 10%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESJ%3C/text%3E%3C/svg%3E)
I'm in the same position as you David. There is absolutely no way you can verify policies are applied and you never could when everyone was on-site realistically. To be honest, it's highly likely that most policies that have been changed since COVID aren't applied.
Your answer moving forward is InTune, but that won't be a 5 minute fix.
Hello
Thank you for your question and reaching out. I can understand you are having query related to GPO settings validation.
---------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept as answer--
This doesn't help because as I mentioned, the users/computers are remote (personal house) and rarely connect to the domain.
Hilarious response from Limitless Technology. You'd think they'd read the post before replying.
Hi,
It seems you will have to convince with actual reports and output that the applied settings are indeed covered in the GPOs and as per the requirement, process should be to apply the GPOs to a test device and a test user and carry out the testing of each settings such as Screen Saver, Deskto Background, Password Policies etc.
With test user account you can extract the User GPOs - gpresult /r /scope:user
On the Test device you can extract the Device GPOs - gpresult /r /scope:computer
GPResult utility can generate an HTML report on the applied resulting policies, this report will contain detailed information about all system settings that are set by Group Policies - gpresult /h c:\reports.html
For specific account or test account - gpresult /r /user:domain\username
Combine all the reports and you should be able to present the actual settings applied and from the GPO Console export the policy reports this should be sufficient.
==
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 87%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
There is a very nice product called GYTPOL which does GPO and Intune validation and remediation even for remote devices and non-domain connected workstations and servers. gytpol.com
