Registry changes when a policy is applied

    Question

  • Hi there,

    I am trying to find out if there is any registry which changes when GPO is refreshed on a computer. In that way, I can just read that registry using any script to know when is the last time a policy was applied.

    Please suggest if there is any other way to find out if a computer has not refreshed the policies for 15 days.

    Thursday, January 21, 2016 5:09 PM

Answers

  • Hi,
    If I understand correctly, the lastLogonTimestamp attribute could be helpful to you.
    Administrators can use the lastLogonTimestamp attribute to determine if a user or computer account has recently logged onto the domain.
    Besides, I think you could use a PowerShell script to finish your task easily.
    Here is an article which offers a script based on a similar issue, please take a look:
    Get Inactive Computer in Domain based on Last Logon Time Stamp
    https://gallery.technet.microsoft.com/scriptcenter/Get-Inactive-Computer-in-54feafde

    Friday, January 22, 2016 1:47 AM
    Moderator
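
The lastLogonTimestamp approach from the answer above, as an added example that is not part of the original thread or the linked gallery script. The function name `Get-StaleComputer` and the sample machine names are constructed for illustration. It assumes the domain uses the default 14-day update interval for lastLogonTimestamp, so the stored value can trail the real last logon by up to about 14 days; with a 15-day threshold, only accounts whose stamp is at least 29 days old are reported as definitely stale.

```powershell
# Added example (not from the thread). Classifies computer accounts by the age
# of lastLogonTimestamp. Assumption: default 14-day update interval, so a logon
# within 14 days after the stored stamp may not have been written to AD.
function Get-StaleComputer {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int] $ThresholdDays = 15,      # "no contact for N days" from the question
        [int] $SyncLagDays   = 14,      # assumed worst-case lag of the attribute
        [datetime] $Now      = [datetime]::UtcNow
    )
    process {
        $raw     = $Computer.lastLogonTimestamp
        $ageDays = $null
        if (-not $raw) {
            # Attribute never set: the account has not logged on to the domain.
            $status = 'NeverLoggedOn'
        } else {
            # The attribute is a Windows FILETIME (100 ns ticks since 1601, UTC).
            $last    = [datetime]::FromFileTimeUtc([int64]$raw)
            $ageDays = [int][math]::Floor(($Now.ToUniversalTime() - $last).TotalDays)
            if ($ageDays -ge ($ThresholdDays + $SyncLagDays)) {
                $status = 'Stale'            # real last logon is older than the threshold
            } elseif ($ageDays -ge $ThresholdDays) {
                $status = 'PossiblyStale'    # stamp is old, but may be lagging
            } else {
                $status = 'Active'
            }
        }
        [pscustomobject]@{ Name = $Computer.Name; AgeDays = $ageDays; Status = $status }
    }
}

# Constructed sample input so the function can be tried without a domain.
$now    = [datetime]::UtcNow
$sample = 3, 20, 40 | ForEach-Object {
    [pscustomobject]@{ Name = "PC-$_"; lastLogonTimestamp = $now.AddDays(-$_).ToFileTimeUtc() }
}
$sample += [pscustomobject]@{ Name = 'PC-NEW'; lastLogonTimestamp = $null }
$sample | Get-StaleComputer -Now $now | Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory module from RSAT):
# Get-ADComputer -Filter * -Properties lastLogonTimestamp | Get-StaleComputer
```

Machines reported as PossiblyStale need a second signal before they are treated as out of date on policy, because the attribute alone cannot distinguish them from machines that connected a few days ago.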

All replies

  • I am not sure if there is a setting which changes; group policy is applied multiple times each day and also when you start up the computer. Unless you change something within group policy, nothing should change on the computer where the policy is applied.

    If you could explain why you are looking for this then perhaps we can suggest an alternate method?


    Thursday, January 21, 2016 5:24 PM
  • Thanks MM.

    Actually, the requirement is to find out all the computers that have not contacted AD for the last 15-20 days. We have a few users who work remotely and until they connect to VPN, their computers do not get the updated policies. I need to find out all those computers.


    Thursday, January 21, 2016 5:57 PM
  • Awesome. Thanks a lot Wendy.

    I think that script will get me a good start. Now, I just need to modify it if I need any other info.

    Friday, January 22, 2016 12:46 PM