5 Replies Latest reply on Jan 16, 2008 8:50 AM by Jonathan Mikula

    GPO Sensors/Discovery

    Anthony Bove

      Has anyone created sensors, scripts (vbs, wql) or otherwise to discover and evaluate GPOs beyond just those located in 'Security Settings'? I would like to run compliance checks on the following GPOs from User Configuration\Administrative Templates\Control Panel\Display:


      Screen Saver

      Password protect the screen saver

      Screen Saver timeout


      Regards, Tony

        • 1. Re: GPO Sensors/Discovery



We did not do that type of audit against the GPOs of the server, but we wrote a template that audits the screen saver objects.


These three registry keys are where a local user account will pull its screen saver values from:


          HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut

          HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaverIsSecure

          HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveActive


          So we added them as parts to our templates and then created the following values:


          Registry Value HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut Must Exist AND ((Data Type = REG_SZ) AND (Integer Value <= 900))


          Registry Value HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveActive Must Exist AND ((Data Type = REG_SZ) AND (Integer Value = 1))


          Registry Value HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaverIsSecure Must Exist AND ((Data Type = REG_SZ) AND (Integer Value = 1))



          • 2. Re: GPO Sensors/Discovery

            Will that work? I'm not totally sure this type of audit makes sense to do with BladeLogic as these settings are user based rather than machine based. Auditing registry keys for user based policy settings on a machine will not give relevant information, as the effective policy is dependent on what user is logged into that machine. The settings have to be verified in the GPO policies set on the Domain Controller.

            • 3. Re: GPO Sensors/Discovery

These registry settings are user based for any user that logs in. So if a user has not logged into the server, the default settings will be pulled from this location. So if user A logs in and creates their own screen saver timeout, they will always get their custom screen saver timeout. But any new user will pull what the server has in its default location, which is located here. So if user B has never logged into the server before, they will get screen saver settings from this location.

              • 4. Re: GPO Sensors/Discovery

Valid point. So it does help in those circumstances, but the security team (or ops config team or whomever) needs to be aware that the user can change this setting without further GP customization. Thus, whoever reads a BL audit or compliance job that reports screen savers come on after 5 minutes (by looking at those registry values) needs to understand that it might not necessarily be the case throughout the audited environment.

                • 5. Re: GPO Sensors/Discovery

You are correct in your statements. But at least an auditor will have evidence that any new user that logs into the server will automatically get the default settings that the server will provide.
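The following PowerShell script is an added example and is not code from the thread or from BladeLogic. It implements the three checks from reply 1 (ScreenSaveActive = 1, ScreenSaverIsSecure = 1, ScreenSaveTimeOut at most 900 seconds, all REG_SZ strings holding integers) and goes one step beyond that rule to address the caveat raised in replies 2 through 5: it evaluates HKEY_USERS\.DEFAULT (what a first-time user inherits) and also every user hive currently loaded under HKEY_USERS, and for each hive it consults the Policies key that the User Configuration\Administrative Templates\Control Panel\Display settings write to (HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop) before the user's own Control Panel\Desktop key, since the policy value takes precedence when a GPO applies. The 900-second limit, the extra requirement that the timeout be greater than zero (a zero timeout never locks), and the decision to treat users whose hives are not loaded as out of scope are assumptions made for this example; it assumes it is run as an administrator on the target server.

```powershell
# Added example: effective screen-saver lock settings per loaded user hive.
# Checks the GPO-written Policies key first, then the user's own key, for the
# three values named in the thread. Assumptions: run elevated on the server;
# 900 s maximum and a non-zero timeout are the compliance thresholds.

$ValueNames = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut'
$MaxTimeoutSeconds = 900   # assumed threshold, matches the rule in reply 1

function Get-ScreenSaverSetting {
    param(
        [Parameter(Mandatory)] [string] $HiveRoot,   # e.g. HKEY_USERS\.DEFAULT or HKEY_USERS\S-1-5-21-...
        [Parameter(Mandatory)] [string] $Name
    )
    # A policy value set by GPO overrides the user's own preference, so read it first.
    $candidates = @(
        @{ Source = 'policy'; Path = "Registry::$HiveRoot\Software\Policies\Microsoft\Windows\Control Panel\Desktop" },
        @{ Source = 'user';   Path = "Registry::$HiveRoot\Control Panel\Desktop" }
    )
    foreach ($c in $candidates) {
        # Missing key or missing value both yield $null here instead of an error.
        $item = Get-ItemProperty -Path $c.Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = [string]$item.$Name; Source = $c.Source }
        }
    }
    [pscustomobject]@{ Name = $Name; Value = $null; Source = 'missing' }
}

function Test-ScreenSaverCompliance {
    param([Parameter(Mandatory)] [string] $HiveRoot)
    $settings = @{}
    foreach ($n in $ValueNames) { $settings[$n] = Get-ScreenSaverSetting -HiveRoot $HiveRoot -Name $n }

    # The values are REG_SZ strings; parse the timeout rather than comparing text.
    $timeout = 0
    $timeoutOk = [int]::TryParse($settings['ScreenSaveTimeOut'].Value, [ref]$timeout) -and
                 ($timeout -gt 0) -and ($timeout -le $MaxTimeoutSeconds)
    $compliant = ($settings['ScreenSaveActive'].Value -eq '1') -and
                 ($settings['ScreenSaverIsSecure'].Value -eq '1') -and
                 $timeoutOk

    [pscustomobject]@{
        Hive      = $HiveRoot
        Active    = $settings['ScreenSaveActive'].Value
        Secure    = $settings['ScreenSaverIsSecure'].Value
        Timeout   = $settings['ScreenSaveTimeOut'].Value
        Sources   = ($ValueNames | ForEach-Object { "$($_)=$($settings[$_].Source)" }) -join ' '
        Compliant = $compliant
    }
}

# .DEFAULT is what a user who has never logged on inherits (reply 3); the loaded
# S-1-5-21-* hives are users with a profile, whose own values may differ (reply 4).
# Users who are logged off have no hive under HKEY_USERS and are not visible here.
$hives = @('HKEY_USERS\.DEFAULT') + @(
    Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "HKEY_USERS\$($_.PSChildName)" }
)

$hives | ForEach-Object { Test-ScreenSaverCompliance -HiveRoot $_ } | Format-Table -AutoSize
```

A row whose Sources column reads "policy" for all three values is enforced by GPO and cannot be changed by the user through the Display control panel; a row sourced from "user" reflects only that account's current preference and can drift, which is the point made in reply 4. A "missing" source under .DEFAULT means a new user would get the Windows default rather than anything the server set.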