Writing a script that checks for GPOs (read to understand what I am trying to do)



    Hi guys,

    I am writing a script that our remote support agents will use via Bomgar (remote tool).

    Some of our clients that use our products are home windows or workgroup computers. Some are domain machines and some of them that are domain machines have certain GP restrictions on internet explorer settings.

    Our products have specific IE settings and our agents go onboard and modify them. If they are restricted they ask for the admins/local techs to make the changes.

    I am writing a script that reads current settings of IE and writes the desired settings. This is fine on machines that don't have GPO on some of these settings, but if the GP are in effect it overrules the user settings (current user software etc... registry)

    Now.. what I want to do is to write a condition to check if the GPO exists.

    For example

    Internet Options>Advanced>Check for signature on downloaded programs

    This can be a yes or no. I know where the registry is for the local settings. But what about domain pushed GPO?

    If I could write a condition to check if it has something written in the registry for the policy I would be able to condition the script and say "GPO in effect, can't change" this would inform the agents that they can't change this particular setting. It also generates an audit trail log/final report which opens in the end.

  • #2
    A GPO will typically change the same registry key that a local policy does.


    • #3
      Whether changed by local policy or changed by domain-wide Group Policy, the reg keys altered are the same, for the same desired end result of control. While it is possible to set logging which tracks application of Group Policy at startup or logins, there's an easier way to inquire. You could run a 'gpresult' command and then look for a string in the result which is the name of the policy which has the settings in which you don't want users altering. But gpresult can take a bit of time.

      To approach it from a different direction completely, you could look for the group membership(s) or OU locations which defined how you deploy your policy in the first place? Checking the computer account or user account 'memberof' property is a single powershell command. The object's Distinguished Name would include the OU info. If the appropriate group or OU is found, the policy is assumed to be applied to that device/user combination. Obviously this assumes you're not having any issues where desired policy isn't being applied, but at least you'll know that what the expected results should be.

      An easier method of verifying the expected GP application might be checking the registry of the client PC to check for a specific reg key with the known IE policy object name. If you check this MS link, it should shed some light. While it refers to the now-unsupported Windows 2000, that reg key still exists in Win7.

      Good hunting.
      MSCA (2003/XP), Security+, CCNA

      ** Remember: credit where credit is due, and reputation points as appropriate **


      • #4
        Internet Explorer will look for a policy in the following order:
        • HKEY_LOCAL_MACHINE policy hive
        • HKEY_CURRENT_USER policy hive
        • HKEY_CURRENT_USER preference hive
        • HKEY_LOCAL_MACHINE preference hive
        It stops on the first hit and does not continue looking.

        Check also whether "Security_HKLM_only" DWORD value is present and has a value of 1, under
        HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\

        For the 'Check for signature on downloaded programs',

        User preference settings are stored here,
        \Software\Microsoft\Internet Explorer\Download\ >> CheckExeSignatures

        Machine GPO settings are stored here,
        \Software\Policies\Microsoft\Internet Explorer\Download Criteria\ >> CheckExeSignatures

        Last edited by Rems; 28th February 2016, 20:33.

        This posting is provided "AS IS" with no warranties, and confers no rights.


        ** Remember to give credit where credit's due **
        and leave Reputation Points for meaningful posts
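The following PowerShell is an added example, not code posted by anyone in this thread. It implements the lookup order from #4 (HKLM policy, HKCU policy, HKCU preference, HKLM preference, stopping at the first hit) for the "Check for signature on downloaded programs" value, reports the Security_HKLM_only flag from #4, and adds the gpresult name match suggested in #3. The registry paths are the ones quoted in #4; that the per-user policy copy lives at the same subkey under HKCU, and the GPO name passed to Test-GpoApplied, are assumptions of this example.

```powershell
# Added example: resolve which hive actually supplies an IE setting, following the
# order posted in #4. A hit in a Policies hive means a GPO (or local policy) wins and
# the agent's per-user change would be ineffective.
function Get-IeEffectiveSetting {
    param(
        [Parameter(Mandatory)] [string] $PolicySubKey,      # e.g. 'Microsoft\Internet Explorer\Download Criteria' (from #4)
        [Parameter(Mandatory)] [string] $PreferenceSubKey,  # e.g. 'Microsoft\Internet Explorer\Download' (from #4)
        [Parameter(Mandatory)] [string] $ValueName          # e.g. 'CheckExeSignatures'
    )

    # Search order from #4. The HKCU policy path mirroring the HKLM one is an assumption.
    $probe = @(
        @{ Path = "HKLM:\Software\Policies\$PolicySubKey"; Source = 'Machine policy' },
        @{ Path = "HKCU:\Software\Policies\$PolicySubKey"; Source = 'User policy' },
        @{ Path = "HKCU:\Software\$PreferenceSubKey";      Source = 'User preference' },
        @{ Path = "HKLM:\Software\$PreferenceSubKey";      Source = 'Machine preference' }
    )

    # Security_HKLM_only flag named in #4; reported so the audit log records it.
    $hklmOnlyItem = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' `
                                     -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue
    $hklmOnly = ($null -ne $hklmOnlyItem) -and ($hklmOnlyItem.Security_HKLM_only -eq 1)

    foreach ($p in $probe) {
        # Missing key or missing value both yield $null here, so the loop simply moves on.
        $item = Get-ItemProperty -Path $p.Path -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                ValueName   = $ValueName
                Value       = $item.$ValueName
                Source      = $p.Source
                Path        = $p.Path
                Locked      = ($p.Source -like '*policy')   # first hit was a policy hive
                HklmOnly    = $hklmOnly
            }
        }
    }
    return [pscustomobject]@{ ValueName = $ValueName; Value = $null; Source = 'Not set'
                              Path = $null; Locked = $false; HklmOnly = $hklmOnly }
}

# Quick check from #3: does the GPO name appear in the gpresult output at all?
# The caller supplies the GPO's display name; no real name is assumed here.
function Test-GpoApplied {
    param([Parameter(Mandatory)] [string] $GpoName)
    $text = (& gpresult.exe /r 2>$null) -join "`n"
    return [bool]($text -match [regex]::Escape($GpoName))
}

# Usage: decide whether the agent may change the setting, and write the audit line.
$auditLog = Join-Path $env:TEMP 'ie-settings-audit.log'   # constructed path for this example
$result = Get-IeEffectiveSetting -PolicySubKey 'Microsoft\Internet Explorer\Download Criteria' `
                                 -PreferenceSubKey 'Microsoft\Internet Explorer\Download' `
                                 -ValueName 'CheckExeSignatures'
if ($result.Locked) {
    $line = "GPO in effect, can't change: $($result.ValueName)=$($result.Value) [$($result.Source): $($result.Path)]"
} else {
    $line = "Changeable: $($result.ValueName)=$($result.Value) [$($result.Source)]; Security_HKLM_only=$($result.HklmOnly)"
}
$line | Tee-Object -FilePath $auditLog -Append
```

Get-ItemProperty with -ErrorAction SilentlyContinue returns nothing for both a missing key and a missing value, which is what makes the "stop on first hit" loop straightforward; Test-GpoApplied is only a string match on gpresult output, so treat it as a cross-check rather than the deciding test, as #3 notes it is also slower.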