Confirmation of GP deployment

    Question

  • Hi All,

    Just a simple query: after pushing a GPO to an OU, is there a query or tool to find out how many computers or users it has been applied to?

    Thanks

    Aamir


    NA

    Thursday, January 21, 2016 1:19 PM

Answers

  • > applied, e.g. I have 10k computers in the OU to which I pushed the GP; now, to how
    > many computers has it been applied? How to confirm?
     
    If you have that many computers, you surely have a management solution.
    GP processing is recorded in the event log
    Microsoft-Windows-GroupPolicy/Operational, and there are specific events
    that record all GPOs that apply/do not apply to the computer and the user.
     
     
    Thursday, January 21, 2016 3:15 PM
  • > Martin, are those events not logged on the clients themselves, so you
    > would still need a method of connecting to each machine to check if the
    > GPO has applied?
     
    Yes, but there are tons of solutions for collecting event log entries
    - SCOM can do it, Event Viewer itself can, PowerShell, and so on...
     
    Friday, January 22, 2016 11:49 AM
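
The event-log approach from the answers above, as an added example that is not part of the original thread. It relies on events 5312 and 5313 in the Microsoft-Windows-GroupPolicy/Operational log (the thread does not name the IDs), and assumes the RSAT ActiveDirectory module and remote event log access to the clients; the GPO name, OU path and sample events are placeholders.

```powershell
# Added example. GPO names, OU path and sample events are constructed placeholders.
function Get-GpoApplyState {
    param([Parameter(Mandatory)][string]$GpoName, [object[]]$Events)
    # 5312 lists the applicable GPOs, 5313 the GPOs that were filtered out.
    # Display names appear one per line, so compare whole lines and let the
    # most recent event that names the GPO decide.
    $hit = $Events |
        Where-Object { $_.Id -in @(5312, 5313) -and
            (($_.Message -split "`r?`n").Trim() -contains $GpoName) } |
        Sort-Object TimeCreated -Descending | Select-Object -First 1
    if (-not $hit) { return 'NotSeen' }
    if ($hit.Id -eq 5312) { return 'Applied' }
    return 'FilteredOut'
}

function Get-OuGpoReport {
    param([Parameter(Mandatory)][string]$GpoName, [Parameter(Mandatory)][string]$SearchBase)
    Import-Module ActiveDirectory   # RSAT module that provides Get-ADComputer
    $filter = @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'
                 Id = 5312, 5313; StartTime = (Get-Date).AddDays(-1) }
    foreach ($c in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        try {
            $ev = Get-WinEvent -ComputerName $c.DNSHostName -FilterHashtable $filter -ErrorAction Stop
            $state = Get-GpoApplyState -GpoName $GpoName -Events $ev
        } catch {
            # Reachable but no GP cycle logged in the window is not the same as offline.
            $noEvents = $_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*'
            $state = if ($noEvents) { 'NotSeen' } else { 'Unreachable' }
        }
        [pscustomobject]@{ Computer = $c.Name; State = $state }
    }
}

# Constructed events in the shape Get-WinEvent returns (Id, TimeCreated, Message):
# the GPO is listed as applicable in the morning and as filtered out later.
$sample = @(
    [pscustomobject]@{ Id = 5312; TimeCreated = [datetime]'2016-01-21T09:00:00'
        Message = "List of applicable Group Policy objects:`n`nDefault Domain Policy`nWorkstation Baseline" }
    [pscustomobject]@{ Id = 5313; TimeCreated = [datetime]'2016-01-21T15:00:00'
        Message = "The following Group Policy objects were not applicable:`n`nWorkstation Baseline" }
)
Get-GpoApplyState -GpoName 'Workstation Baseline' -Events $sample
Get-GpoApplyState -GpoName 'Workstation' -Events $sample   # a partial GPO name, to exercise whole-line matching

# Live use (placeholder OU), counting computers per state:
# Get-OuGpoReport -GpoName 'Workstation Baseline' -SearchBase 'OU=Workstations,DC=example,DC=com' |
#     Group-Object State | Select-Object Name, Count
```

For thousands of machines, polling each client in turn is slow; forwarding these events to a collector and running the same classification there scales better.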

All replies

  • Group Policy itself has virtually no reporting capabilities; however, in your situation, wouldn't you just count the number of computers in the given OU? In ADUC, you can right-click on an OU and the Find feature will count the objects at the bottom of the window.


    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Thursday, January 21, 2016 2:04 PM
  • Group Policy is refreshed several times a day and also on computer startup. The policy would have been applied to all computers within 12 hours of your configuring it under normal circumstances.

    The tools within Windows, like the Resultant Set of Policy tool, will tell you what should have been applied.

    Ultimately, if you want to find out if it has actually been applied, then I would pick a handful of computers from within that OU and manually check the settings to ensure they rolled out correctly.

    Thursday, January 21, 2016 2:42 PM
  • Thanks, however how can I confirm how many the GPO has been applied to? E.g. I have 10k computers in the OU to which I pushed the GP; now, to how many computers has it been applied? How to confirm?

    Thanks


    NA


    Thursday, January 21, 2016 2:55 PM
  • > Thanks, however how can I confirm how many the GPO has been applied to? E.g. I have 10k computers in the OU to which I pushed the GP; now, to how many computers has it been applied? How to confirm?
    >
    > Thanks


    I am not aware of anything that will tell you this, there is nothing within Windows that can confirm this for you. If you really needed to know then you will need to create a manual method of checking.

    Ultimately, all Group Policy does is provide a graphical, easy-to-use method of editing the registry on a set of computers. You could write a script that connects to each of the computers in the OU and checks to see if the setting you applied has changed the registry key you wanted changing. Yes, this method is not ideal, but I cannot see how you would otherwise know.

    Thursday, January 21, 2016 3:14 PM
  • Martin, are those events not logged on the clients themselves, so you would still need a method of connecting to each machine to check if the GPO has applied?

    I believe the user wants a method where he could check all this from a single location / console.

    If you have a method of remotely checking for Event Log entries then looking for the events specified in the link above would provide that.

    Thursday, January 21, 2016 3:44 PM
  • Ok Martin,

    So do we have to check this in the client machine's Event Viewer, and isolate the event ID for GP applied and denied?

    Thanks


    NA

    Thursday, January 21, 2016 4:10 PM
  • I think you can use the gpinventory tool and then run it against an OU. It will show which computers got the policy. I find it very useful.

    https://www.microsoft.com/en-us/download/details.aspx?id=14126 


    Thursday, January 21, 2016 4:58 PM