Security Basics mailing list archives

RE: Find policies applied to an AD computer


From: "Devin Rambo" <drambo () vediorps com>
Date: Tue, 28 Aug 2007 09:56:05 -0400

Before you do anything, I would strongly advise you to get schooled in Group
Policy and how it works. The ramifications of moving objects around can be
more serious than you realize at first, and there is a strong possibility of
unintended negative consequences if you don't understand what the result
will be from making changes or moving objects, especially if you didn't
design the Group Policy structure in the first place. Case in point: a while
back I made a hasty change to one of my own policies that I believed would
only affect my domain controllers. The following morning when I came to
work, I was deluged with phone calls from users who couldn't log in because
the Security logs had completely filled up overnight due to the policy
change. Whoops.

Here's what you want to do.

First, download the Group Policy Management Console from Microsoft:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Second, get yourself a good book on Group Policy which will help you get up
to speed on what it is, how it works, and how it affects your various
systems. I use the Microsoft Windows Group Policy Guide (ISBN
0-7356-2217-5), but there are a great number of books that have been written
on the topic. Amazon's customer reviews are always helpful in dividing the
wheat from the chaff when shopping for tech books. There are also a few
blogs out there that primarily discuss Group Policy; some of these are worth
checking out, especially gpoguy.com.

Third, start researching how Group Policy has been implemented in your
domain(s). Look at each of the various GPOs that have been created, study
what containers they apply to, figure out what each of them does, how, and
why. As has been pointed out here prior, the RSOP tool is a terrific
resource, since it will tell you exactly what policies are being applied to
a machine, what policies have "won" over others, etc.

Fourth, don't do ANYTHING until you have a very solid understanding of how
these are implemented. Whatever difficulties you're having now can easily be
compounded if you act without fully understanding the ramifications of the
changes you make.

Group policies are complex, but they're not rocket science. And fortunately
for you, they're well worth spending the time to learn about, because they
can be a huge help to admins who understand how to implement them. You just
need to proceed with care. Good luck.

Devin


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Dummy cerberus
Sent: Friday, August 24, 2007 2:36 PM
To: security-basics () securityfocus com
Subject: Re: Find policies applied to an AD computer

No, I have no experience at all with AD GPOs and so on...

I will try that command, and sorry for my lack of knowledge...

I need it because I'm facing an established AD structure, with several OUs
corresponding to branch offices and so on... I think (maybe I'm wrong,
would appreciate your advice) that, just like users, computers should be
included in the OU corresponding to the branch office where they are
located (currently they aren't organized at all, but randomly distributed
across the AD tree)...

The problem is that I have no documentation about where the GPOs currently
applying to computers are stored... and I thought that maybe I could find
where all the GPOs that apply to a given computer are located, just to move
them with the computer to the OU corresponding to the branch office...

Best regards
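The check both posters are circling around, written out as an added example (this is not code from the thread or from the Group Policy tools it mentions): for a given computer, walk from the domain root down through the OUs that contain it, list the GPOs linked at each level with their enforced/blocked state, and diff that against the links the computer would receive in a target OU. That answers "which GPOs apply because of where this object sits, and what changes if I move it" before anything is moved, which is the caution Devin gives above. It assumes the RSAT GroupPolicy and ActiveDirectory PowerShell modules (available from Windows Server 2008 R2 / Windows 7 onward, so newer than the 2007 thread) and placeholder computer and OU names; it only covers domain and OU links, not site links, security filtering or WMI filters, which is why the final RSoP check is still done with gpresult or Get-GPResultantSetOfPolicy.

```powershell
# Added example, not from the original thread. Requires the RSAT
# ActiveDirectory and GroupPolicy modules; all names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-PolicyContainerChain {
    # Returns the DNs that can carry GPO links for an object inside $ContainerDn:
    # the domain root first, then each OU from the top down (the order Group
    # Policy processes them, minus the site level, which is not covered here).
    # Default containers such as CN=Computers are skipped because GPOs cannot
    # be linked to them.
    param([Parameter(Mandatory)][string]$ContainerDn)
    $parts = $ContainerDn -split '(?<!\\),'          # split on unescaped commas
    $firstDc = 0
    while ($firstDc -lt $parts.Count -and $parts[$firstDc] -notlike 'DC=*') { $firstDc++ }
    $chain = @(($parts[$firstDc..($parts.Count - 1)]) -join ',')   # domain root
    for ($i = $firstDc - 1; $i -ge 0; $i--) {
        if ($parts[$i] -like 'OU=*') {
            $chain += ($parts[$i..($parts.Count - 1)]) -join ','
        }
    }
    return $chain
}

function Get-GpoLinksForContainer {
    # One row per GPO link found on the path from the domain down to $ContainerDn,
    # including whether the container blocks inheritance from above.
    param([Parameter(Mandatory)][string]$ContainerDn)
    $rows = @()
    foreach ($container in Get-PolicyContainerChain -ContainerDn $ContainerDn) {
        $som = Get-GPInheritance -Target $container
        foreach ($link in $som.GpoLinks) {
            $rows += [pscustomobject]@{
                Container         = $container
                GpoName           = $link.DisplayName
                LinkOrder         = $link.Order
                Enabled           = $link.Enabled
                Enforced          = $link.Enforced
                BlocksInheritance = $som.GpoInheritanceBlocked
            }
        }
    }
    return $rows
}

function Get-ComputerGpoLinks {
    # Looks the computer up in AD and reports the links on its current OU path.
    param([Parameter(Mandatory)][string]$ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $parentDn = ($dn -split '(?<!\\),', 2)[1]        # strip the leading CN=<computer>
    Get-GpoLinksForContainer -ContainerDn $parentDn
}

function Compare-GpoLinksOnMove {
    # Shows which GPO links a computer would lose (<=) or gain (=>) if its object
    # were moved to $TargetOuDn. Nothing is moved; this is read-only.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$TargetOuDn
    )
    $before = @(Get-ComputerGpoLinks -ComputerName $ComputerName | ForEach-Object { $_.GpoName })
    $after  = @(Get-GpoLinksForContainer -ContainerDn $TargetOuDn | ForEach-Object { $_.GpoName })
    Compare-Object -ReferenceObject $before -DifferenceObject $after -IncludeEqual
}

# Usage (placeholder names; run as an account that can read GPO links):
# Get-ComputerGpoLinks -ComputerName 'WS-BRANCH01' | Format-Table -AutoSize
# Compare-GpoLinksOnMove -ComputerName 'WS-BRANCH01' `
#     -TargetOuDn 'OU=Workstations,OU=Madrid,DC=corp,DC=example,DC=com'
#
# The link list is what the OU placement promises; what the machine actually
# got after filtering and site links is the RSoP, so confirm with
#   gpresult /scope computer /r            (on the machine itself), or
#   Get-GPResultantSetOfPolicy -Computer 'WS-BRANCH01' -ReportType Html -Path .\rsop.html
```

Read the comparison before touching the object: every `<=` line is a policy the machine silently stops receiving after the move, which is exactly the kind of change that produced the overnight surprise described at the top of this message, and an `Enforced` link or a container with `BlocksInheritance` set can make the effective result differ from what the link order alone suggests.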


