How can I VALIDATE that GPO settings have actually been applied and we are 100% remote?

David Satchell 21 Reputation points
2022-09-02T18:38:28.82+00:00

We have to meet a lot of standards for our industry (background checks) required by TransUnion, Experian, PBSA, etc. My boss told me to find a way to validate that GPO settings have actually been applied on a user's laptop/desktop computer. How do we prove to an auditor that the setting is actually in effect? I told him with either RSOP or GPResult (verbose) but his response was that those tools only show what GPO/setting is supposed to be and not what is actually set on the computer. A GPO could have five different settings and GPResult could say that the GPO has been applied but it does NOT for instance give any form of validation that the ScreenSaveTimeOut has actually been set to 5 minutes.

From my boss regarding the output of a “gpresult /v”:
“Yes, I would accept that if it actually showed the policy setting with the proper value but it does not. It doesn’t even show a success or failure on the applied policies. I do accept this as positive confirmation that the policy application happened which was part of the requirement so that’s helpful.”

At the end of the “gpresult /v” there are a number of registry lines:

  • Are these just what the values should be in the registry based on the RSOP?
  • Or is this a list of the actual values of the keys as they currently are?

Here is some additional critical information.

We are a totally remote work force. We used to be in an office with servers but they are hosted in a datacenter as virtual machines now and
• I do NOT have the passwords for our users as that would be a security violation
• post COVID we are 100% remote,
• rarely connected via VPN,
• 95% of work is done through 3rd party web sites,
• our few server services (AD, IIS, file share, and Exchange) are currently being migrated to 365/Azure

So I cannot effectively use Get-GPResultantSetOfPolicy as that PowerShell command is only available on servers.

So given all that; if an internal or external auditor said to remote into a workstation and prove that the actual settings/requirements are currently what they are supposed to be; how would I do it?


2 answers

  1. JimmySalian-2011 29,736 Reputation points
    2022-09-02T20:51:28.427+00:00

    Hi,

    It seems you will have to convince with actual reports and output that the applied settings are indeed covered in the GPOs and as per the requirement. The process should be to apply the GPOs to a test device and a test user and carry out the testing of each setting such as Screen Saver, Desktop Background, Password Policies etc.

    With test user account you can extract the User GPOs - gpresult /r /scope:user
    On the Test device you can extract the Device GPOs - gpresult /r /scope:computer
    GPResult utility can generate an HTML report on the applied resulting policies, this report will contain detailed information about all system settings that are set by Group Policies - gpresult /h c:\reports.html
    For specific account or test account - gpresult /r /user:domain\username

    Combine all the reports and you should be able to present the actual settings applied, and from the GPO Console export the policy reports; this should be sufficient.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
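
For the question's ScreenSaveTimeOut case, one way to read the values as they currently exist in the registry and compare them with what the GPO is meant to set. This is an added example, not part of the answer above or of any Microsoft tool; the `Test-PolicySetting` function name, the expected values, the companion `ScreenSaverIsSecure` check and the CSV file name are assumptions.

```powershell
# Added example: compare live policy registry values with the intended baseline.
# The user-scope screen saver policy writes REG_SZ values under this key.
$desktopPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Constructed baseline for illustration; replace with your own required values.
$Expected = @(
    [pscustomobject]@{ Path = $desktopPolicy; Name = 'ScreenSaveTimeOut';   Value = '300' }  # 5 minutes, in seconds
    [pscustomobject]@{ Path = $desktopPolicy; Name = 'ScreenSaverIsSecure'; Value = '1' }    # assumed companion setting
)

function Test-PolicySetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Setting
    )
    process {
        $actual = $null
        $state  = 'Missing'   # key or value not present at all
        # Read what is in the registry right now, not what RSoP says should be there.
        $key = Get-Item -LiteralPath $Setting.Path -ErrorAction SilentlyContinue
        if ($key -and ($key.GetValueNames() -contains $Setting.Name)) {
            $actual = [string]$key.GetValue($Setting.Name)
            $state  = if ($actual -eq [string]$Setting.Value) { 'Match' } else { 'Mismatch' }
        }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            User      = "$env:USERDOMAIN\$env:USERNAME"
            CheckedAt = (Get-Date).ToString('o')   # ISO 8601 timestamp for the audit record
            Path      = $Setting.Path
            Name      = $Setting.Name
            Expected  = $Setting.Value
            Actual    = $actual
            State     = $state
        }
    }
}

$results = $Expected | Test-PolicySetting
$results | Format-Table Name, Expected, Actual, State -AutoSize
$results | Export-Csv -Path (Join-Path $env:TEMP 'policy-check.csv') -NoTypeInformation
```

Because the screen saver policy is a per-user setting, HKCU only reflects the account running the script, so run it in the affected user's own session. The CSV keeps a timestamped record of expected versus actual values per computer and user.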

  2. Limitless Technology 37,526 Reputation points
    2022-09-06T07:27:23.627+00:00

    Hello

    Thank you for your question and for reaching out. I understand you have a query related to GPO settings validation.

    1. Open GPO MMC on Domain Controller.
    2. Right click on OU -> click on Group Policy Update -> This will push GPO update to all Computers or Users who are part of this OU.

    ---------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--