<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>devtrends.com &#187; GPO</title>
	<atom:link href="http://www.devtrends.com/index.php/tag/gpo/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.devtrends.com</link>
	<description>developing trends in information technology</description>
	<lastBuildDate>Tue, 06 Sep 2011 19:27:42 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Startup Notification</title>
		<link>http://www.devtrends.com/index.php/startup-notification/</link>
		<comments>http://www.devtrends.com/index.php/startup-notification/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 21:16:01 +0000</pubDate>
		<dc:creator>aaron</dc:creator>
				<category><![CDATA[Workstation Management]]></category>
		<category><![CDATA[GPO]]></category>
		<category><![CDATA[Startup]]></category>

		<guid isPermaLink="false">http://www.devtrends.com/?p=500</guid>
		<description><![CDATA[How do you know when an approved and domain-joined workstation is turned on prior to someone even signing into the workstation? Or maybe, you are asking, why would I even...]]></description>
			<content:encoded><![CDATA[<p>How do you know when an approved, domain-joined workstation is turned on, before anyone has even signed in to it? Or maybe you are asking why you would even want to know this. For those who work with network vulnerability scanning, such as the product from McAfee’s Foundstone division, this may matter. Imagine this scenario. The holiday season arrives, everyone loves to take time off, and you have an employee who takes 2-3 weeks off. When that employee returns, there is a good chance that their computer will be out of date. From a security standpoint this is a minor issue, as the machine would likely begin receiving updates immediately after a successful sign-on. However, from a political standpoint, if Foundstone is used as a means of judging overall “security”, this workstation could significantly lower that score.</p>
<p>I already know what you are thinking; however, that does not change the fact that dashboard reports are favored by CIOs, IT Directors and the like. Better have that score up to 100%!</p>
<p><strong>StartupNotification</strong></p>
<p>I wrote an application, StartupNotification, that helps with maintaining good scores. Keep in mind that this application only provides a means of notifying the appropriate personnel when a workstation that could potentially “damage” the score is brought onto the network; it does not remediate anything itself. Also, for the notification to work at all, the application must run as a startup script assigned through a domain GPO or local policy.</p>
<p><span style="text-decoration: underline;">How It Works</span></p>
<p>Run from a Windows computer startup script, StartupNotification checks a SQL database for previous records associated with the name of the workstation running it. If no records exist, it reports an “Untracked” workstation; if records exist and the latest one is (x) or more days old, it reports a “Tracked” workstation, one that has been off the network long enough to have missed updates. After checking the status, StartupNotification inserts a new record with the workstation name and the date of the check-in, which is what the next check-in compares against.</p>
<p><span style="text-decoration: underline;">The Application</span></p>
<p>Download <a href="http://www.devtrends.com/wp-content/uploads/2010/01/StartupNotification.zip">source code</a> (written in Visual Studio 2008).</p>
<p>If you are interested in this application working in your environment, there are a few things you must do…</p>
<ol>
<li>Create a SQL table with the necessary fields.</li>
<li>Update the application code with your connection string for the database.</li>
<li>Update the email notification messages.</li>
<li>Update the SMTP “from” email address.</li>
</ol>
<p>This is simple; I’ll help you along the way. Follow the steps below carefully:</p>
<p><em>SQL Database and Table</em></p>
<p>I use Microsoft SQL Server 2005; however, this could easily be ported to MySQL, another SQL database, or even a Microsoft Access database. I created a separate database named STARTUPNOTIFICATION to hold the table. The table layout is simple, as shown below:</p>
<table border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td width="213" valign="top">field name</td>
<td width="213" valign="top">data type</td>
<td width="213" valign="top">specifics</td>
</tr>
<tr>
<td width="213" valign="top"><strong>ID</strong></td>
<td width="213" valign="top"><strong>int</strong></td>
<td width="213" valign="top"><strong>primary key, no NULL</strong></td>
</tr>
<tr>
<td width="213" valign="top"><strong>Workstation</strong></td>
<td width="213" valign="top"><strong>nvarchar(50)</strong></td>
<td width="213" valign="top"><strong>NULL</strong></td>
</tr>
<tr>
<td width="213" valign="top"><strong>Date</strong></td>
<td width="213" valign="top"><strong>datetime</strong></td>
<td width="213" valign="top"><strong>no NULL</strong></td>
</tr>
<tr>
<td width="213" valign="top"><strong>IPaddress</strong></td>
<td width="213" valign="top"><strong>nvarchar(50)</strong></td>
<td width="213" valign="top"><strong>NULL</strong></td>
</tr>
</tbody>
</table>
<p><a href="http://www.devtrends.com/wp-content/uploads/2010/01/createtable.zip">createscript.sql</a></p>
<p>You must have a SQL user account that can SELECT and INSERT on this table. It is recommended that this account be a separate, dedicated account and not the “sa” account or some other powerful, generic account. Keep in mind where the connection string ends up: a startup script deployed through NETLOGON or SYSVOL is readable by every domain member, so any SQL login and password compiled into the application should be treated as exposed. Integrated Security avoids embedding a password at all, because a startup script runs as Local System and reaches SQL Server as the computer account; if a SQL login is unavoidable, limit it to SELECT and INSERT on this one table.</p>
<p><em>Update Connection String</em></p>
<p>Locate the “mySQL.ConnectionString” property in the code, as shown in the screenshot below, and update the string to match your server and database.</p>
<p><a href="http://www.devtrends.com/wp-content/uploads/2010/01/connectionstring.jpg"><img class="alignnone size-medium wp-image-501" title="connectionstring" src="http://www.devtrends.com/wp-content/uploads/2010/01/connectionstring-300x70.jpg" alt="connectionstring" width="300" height="70" /></a></p>
<p><em>Update Email Notification Messages</em></p>
<p>Locate the “sendEmail” function calls, as shown in the screenshot below, and update the strings to contain the text you want included in the email. As an example, I have another application I wrote that grabs information on the workstation and user at sign-in; I place a link in the email that displays who has signed in to that workstation, for quick identification of the workstation’s location.</p>
<p><a href="http://www.devtrends.com/wp-content/uploads/2010/01/emailnotifications.jpg"><img class="alignnone size-medium wp-image-502" title="emailnotifications" src="http://www.devtrends.com/wp-content/uploads/2010/01/emailnotifications-300x132.jpg" alt="emailnotifications" width="300" height="132" /></a></p>
<p><em>Update SMTP “From” Address</em></p>
<p>The final line that needs your attention is the email address used as the sender for this application. In most cases you should use a “do not reply” type address. Locate the sendEmail function near the bottom of the code and modify the msg.From property line, as shown in the screenshot below.</p>
<p><a href="http://www.devtrends.com/wp-content/uploads/2010/01/smtpfromaddress.jpg"><img class="alignnone size-medium wp-image-503" title="smtpfromaddress" src="http://www.devtrends.com/wp-content/uploads/2010/01/smtpfromaddress-300x119.jpg" alt="smtpfromaddress" width="300" height="119" /></a></p>
<p>That is all; compile it and set it to run as a startup script. Startup scripts run before anyone signs in, under the computer’s Local System account rather than a user’s, so the executable must live somewhere the computer account can read, such as the NETLOGON share.</p>
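<p>The four steps above and the check-in logic under “How It Works”, written out as a PowerShell startup script. This is an added example, not the post’s StartupNotification.exe, and it makes assumptions the post does not state: the table is named dbo.Checkins with an IDENTITY ID column (the post’s create script is not on this page), the SQL Server and SMTP host names are placeholders, and the script runs as a GPO computer startup script under Windows PowerShell 5.1, i.e. as Local System, so Integrated Security authenticates to SQL Server as the computer account and no password is stored in the script.</p>

```powershell
# StartupNotification.ps1 (added example; not the post's application).
# Assumptions, none from the post: table dbo.Checkins with an IDENTITY ID column,
# placeholder SQL/SMTP hosts, and execution as a computer startup script under
# Windows PowerShell 5.1, i.e. as LocalSystem, so Integrated Security reaches
# SQL Server as the computer account (CORP\HOSTNAME$) with no stored password.
param(
    [string]$SqlServer  = 'sql01.corp.example',                  # assumption
    [string]$Database   = 'STARTUPNOTIFICATION',                 # from the post
    [string]$Table      = 'dbo.Checkins',                        # assumption
    [int]   $StaleDays  = 14,                                    # the post's "(x) days"
    [string]$SmtpServer = 'smtp.corp.example',                   # assumption
    [string]$NotifyTo   = 'secops@corp.example',                 # assumption
    [string]$NotifyFrom = 'startupnotification-noreply@corp.example'  # do-not-reply sender
)
$ErrorActionPreference = 'Stop'

# A startup script that hangs delays the machine, so cap the connect time and
# never let an error escape: failing to notify must not fail the boot.
# Encrypt=True requires the workstation to trust the SQL Server's certificate.
$connectionString = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI;" +
                    "Encrypt=True;Connect Timeout=10"
try {
    $workstation = $env:COMPUTERNAME
    $addr = [System.Net.Dns]::GetHostAddresses($workstation) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    $ip = if ($addr) { $addr.ToString() } else { 'unknown' }

    $conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
    $conn.Open()
    try {
        # Step 1: when did this workstation last check in? $Table is an operator
        # constant; the workstation name is data and is bound as a parameter,
        # never concatenated into the SQL text.
        $select = $conn.CreateCommand()
        $select.CommandText = "SELECT MAX([Date]) FROM $Table WHERE Workstation = @ws"
        [void]$select.Parameters.AddWithValue('@ws', $workstation)
        $last = $select.ExecuteScalar()          # DBNull when there are no rows

        # Step 2: classify exactly as the post describes.
        if ($last -is [DBNull]) {
            $status = 'Untracked'                # never seen before
        } elseif ($last -lt (Get-Date).AddDays(-$StaleDays)) {
            $status = 'Tracked'                  # known, but stale
        } else {
            $status = $null                      # recent check-in: nothing to report
        }

        # Step 3: record this boot for the next comparison.
        $insert = $conn.CreateCommand()
        $insert.CommandText = "INSERT INTO $Table (Workstation, [Date], IPaddress) " +
                              "VALUES (@ws, @dt, @ip)"
        [void]$insert.Parameters.AddWithValue('@ws', $workstation)
        [void]$insert.Parameters.AddWithValue('@dt', (Get-Date))
        [void]$insert.Parameters.AddWithValue('@ip', $ip)
        [void]$insert.ExecuteNonQuery()
    } finally {
        $conn.Close()
    }

    # Step 4: notify, from the do-not-reply sender, only when there is something to act on.
    if ($status) {
        $lastSeen = if ($last -is [DBNull]) { 'never' } else { $last.ToString('s') }
        $body = @"
Workstation:   $workstation
IP address:    $ip
Status:        $status (threshold $StaleDays days)
Last check-in: $lastSeen
Booted:        $(Get-Date -Format s)
"@
        Send-MailMessage -From $NotifyFrom -To $NotifyTo -SmtpServer $SmtpServer `
            -Subject "[StartupNotification] $status workstation online: $workstation" `
            -Body $body
    }
} catch {
    # Leave a trace for the admin without blocking startup.
    "$(Get-Date -Format s) StartupNotification failed: $_" |
        Out-File -Append -FilePath (Join-Path $env:SystemRoot 'Temp\StartupNotification.log')
}
```

<p>Place the script in NETLOGON or SYSVOL and assign it under Computer Configuration, Windows Settings, Scripts (Startup). On the SQL side, create a Windows login for the domain’s computer accounts (a group login such as Domain Computers) and grant it only SELECT and INSERT on the table; that gives you the dedicated, low-privilege account the post asks for without a password that anyone on the domain could read out of the share.</p>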
<p>Aaron Gilbert</p>
]]></content:encoded>
			<wfw:commentRss>http://www.devtrends.com/index.php/startup-notification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Group Policy Management Console</title>
		<link>http://www.devtrends.com/index.php/group-policy-management-console/</link>
		<comments>http://www.devtrends.com/index.php/group-policy-management-console/#comments</comments>
		<pubDate>Wed, 27 Aug 2008 05:22:12 +0000</pubDate>
		<dc:creator>aaron</dc:creator>
				<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[GPO]]></category>

		<guid isPermaLink="false">http://www.devtrends.com/?p=92</guid>
		<description><![CDATA[The Group Policy Management Console was released somewhere around the year 2003. I am not entirely sure it is as well known as it should be. This tool is very...]]></description>
			<content:encoded><![CDATA[<p>The Group Policy Management Console was released somewhere around the year 2003. I am not entirely sure it is as well known as it should be. This tool is very beneficial and most I.T. administrators should be using it, especially corporate I.T. administrators who need to report on Group Policy Object settings, specifically security-related settings like password policies.</p>
<p>This tool lets you manage Group Policy across the enterprise from one location. In addition to its management features, it can back up, restore, import and export GPOs, generate reports on Resultant Set of Policy (RSoP) or GPO settings, and run Group Policy Modeling. It also provides scripting support: you can write VBScript or JScript that performs quite a few tasks, including creating and deleting GPOs.</p>
<h2>Requirements</h2>
<p>Although the snap-in can manage Group Policy in a Windows 2000 Server or Windows Server 2003 Active Directory environment, the computer that runs the GPMC snap-in must be either Windows Server 2003 or Windows XP Professional with Service Pack 1 (plus an additional post-SP1 hotfix), and must have the Microsoft .NET Framework installed.</p>
<h2>Installing the GPMC snap-in</h2>
<p>Click <a href="http://www.microsoft.com/windowsserver2003/gpmc/default.mspx">http://www.microsoft.com/windowsserver2003/gpmc/default.mspx</a> and follow the links to download and install the GPMC snap-in.</p>
<p>The install package creates a shortcut for the Group Policy Management Console in the Administrative Tools folder. You can also run MMC and add the snap-in manually. For those not familiar with the Microsoft Management Console (MMC) and adding snap-ins, view this page.</p>
<h2>Using the GPMC snap-in</h2>
<p>The window is split into two panes. Assuming you are authenticated to your domain, the left pane shows a hierarchical view of your Active Directory structure. Any Organizational Units (OUs) are listed, along with some containers that are not OUs, for example “Group Policy Objects”, which holds every Group Policy Object (GPO) created in the domain. This is a handy place for cleaning up unnecessary GPOs or verifying which OUs a GPO is linked to.</p>
<p>In the right pane you see the details of whatever object is selected on the left. For example, if you click an OU in the left pane, the right pane shows several tabs of information about that OU. The first tab, “Linked Group Policy Objects”, lists the GPOs linked directly to this OU; the second, “Group Policy Inheritance”, lists the GPOs the OU inherits from its parent OUs, the domain and the site above it, in the order they apply; and the third, “Delegation”, shows which users or groups have which permissions on this OU.</p>
<p>Let’s go over the important features of the GPMC.</p>
<h3>GPO Settings Reporting</h3>
<p>The GPMC lets you quickly generate a report detailing every configured setting in a GPO. No more browsing through a GPO in the Group Policy Editor trying to figure out which settings you configured.</p>
<p>Creating the report is very easy: click a GPO in the hierarchical list in the left pane, then click the Settings tab in the right pane. You will see a small “show all” link; click it. You will now see a screen similar to the one below, listing just the configured items.</p>
<p><a href="http://www.developingtrends.net/wp-content/uploads/2008/08/image12.jpg"><img class="alignnone size-full wp-image-93" title="image12" src="http://www.developingtrends.net/wp-content/uploads/2008/08/image12.jpg" alt="" width="500" height="450" /></a></p>
<p>This screen gives you the ability to either save to a file or print for future reference. Very handy.</p>
<h3>Backing Up and Restoring GPOs</h3>
<p>You can back up and restore GPOs easily with the GPMC snap-in. This is beneficial if you want to quickly restore previous GPOs. By backing up GPOs before you modify them you can create a manual versioning of GPOs.</p>
<p>In the left pane right click on the “Group Policy Objects” collection and select “Back Up All”.</p>
<p><a href="http://www.developingtrends.net/wp-content/uploads/2008/08/image21.jpg"><img class="alignnone size-medium wp-image-94" title="image21" src="http://www.developingtrends.net/wp-content/uploads/2008/08/image21.jpg" alt="" width="216" height="216" /></a></p>
<p>It displays a backup status screen and begins backing up right away. If the domain controller the GPMC is connected to (by default the PDC emulator) is not local, and depending on how many GPOs you have, this process may take a few minutes.</p>
<p><a href="http://www.developingtrends.net/wp-content/uploads/2008/08/image32.jpg"><img class="alignnone size-full wp-image-95" title="image32" src="http://www.developingtrends.net/wp-content/uploads/2008/08/image32.jpg" alt="" width="500" height="409" /></a></p>
<p>Restoring GPOs is just as easy as backing them up. You restore backed-up GPOs from the Manage Backups window, which is opened from within the GPMC by right-clicking the “Group Policy Objects” container and clicking “Manage Backups…”. If you have backed up all of your GPOs to the same location, they should show in the list. The Manage Backups list has versioning built in and gives you the option to show only the latest version of each GPO. The Time Stamp field shows when the GPO was backed up.</p>
<p><a href="http://www.developingtrends.net/wp-content/uploads/2008/08/image42.jpg"><img class="alignnone size-full wp-image-96" title="image42" src="http://www.developingtrends.net/wp-content/uploads/2008/08/image42.jpg" alt="" width="499" height="444" /></a></p>
<p>Click on Restore to restore a GPO. The View Settings button will allow you to see which settings are within a specific GPO.</p>
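<p>The settings reports and “Back Up All” described above, plus the “which OUs is this GPO linked to” check from the tour of the left pane, as a script. This is an added example, not the post’s, and it does not use the VBScript/JScript samples the post mentions; it uses the GroupPolicy PowerShell module that ships with the GPMC from Windows Server 2008 R2 and the matching RSAT onward. The two folder paths are assumptions, and the account running it needs read and backup rights on the GPOs.</p>

```powershell
# GpoAuditAndBackup.ps1 (added example; not from the post). Requires the
# GroupPolicy module (GPMC from Windows Server 2008 R2 / RSAT onward).
# Both paths are assumptions; keep the backup folder NTFS-restricted.
param(
    [string]$BackupRoot = 'D:\GPO\Backups',   # assumption
    [string]$ReportRoot = 'D:\GPO\Reports'    # assumption
)
$ErrorActionPreference = 'Stop'
Import-Module GroupPolicy

$stamp     = Get-Date -Format 'yyyy-MM-dd_HHmm'
$backupDir = Join-Path $BackupRoot $stamp
$reportDir = Join-Path $ReportRoot $stamp
New-Item -ItemType Directory -Path $backupDir, $reportDir -Force | Out-Null

# 1. "Back Up All" into a dated folder. Pointing Manage Backups at $BackupRoot
#    shows each run as a version with its time stamp, which is the manual
#    versioning the post describes: one run before every change window.
$gpos = Get-GPO -All | Sort-Object DisplayName
Backup-GPO -All -Path $backupDir -Comment "Backup before change window $stamp" | Out-Null

# 2. One settings report per GPO (the "Settings > show all" view) as HTML for
#    people and auditors, plus the XML form of the same report for step 3.
$unlinked = @()
foreach ($gpo in $gpos) {
    $fileName = ($gpo.DisplayName -replace '[\\/:*?"<>|]', '_') + '.html'
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $reportDir $fileName)

    # 3. The XML report lists every site, domain or OU the GPO is linked to as
    #    LinksTo elements. No LinksTo means the GPO applies nowhere: these are
    #    the clean-up candidates the post mentions, now with a report in hand
    #    before anything is deleted.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if (-not $report.GPO.LinksTo) { $unlinked += $gpo.DisplayName }
}

"$($gpos.Count) GPOs backed up to $backupDir; reports written to $reportDir"
if ($unlinked) {
    "Unlinked GPOs (review, then delete or relink):"
    $unlinked | ForEach-Object { "  $_" }
}
```

<p>Treat the backup folder as sensitive as SYSVOL itself: it holds every setting in every policy, and whatever is in it is what a restore puts back, so anyone who can write to it can shape what gets restored. Keeping the dated XML reports also gives you something to diff between runs when you need to show an auditor, or yourself, exactly which settings changed and when.</p>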
<h3>Group Policy Modeling</h3>
<p>Now we move on to the best feature the Group Policy Management Console snap-in has to offer, Group Policy Modeling. Basically, you pick an OU container that holds users and an OU container that holds computers, and the wizard runs a simulated Resultant Set of Policy showing which policies would be applied, without touching a real user or computer.</p>
<p>To create a new model, right-click the “Group Policy Modeling” container in the hierarchical list in the left pane, then click Group Policy Modeling Wizard. Once you have created a model it is saved automatically as an item in the “Group Policy Modeling” container for future use.</p>
<p><a href="http://www.developingtrends.net/wp-content/uploads/2008/08/image51.jpg"><img class="alignnone size-full wp-image-97" title="image51" src="http://www.developingtrends.net/wp-content/uploads/2008/08/image51.jpg" alt="" width="500" height="426" /></a></p>
<p>Once you have created a model with the wizard you will have a nice report similar to the one shown below. If you click on the “show all” link it will expand all options quickly.</p>
<p><a href="http://www.developingtrends.net/wp-content/uploads/2008/08/image61.jpg"><img class="alignnone size-full wp-image-98" title="image61" src="http://www.developingtrends.net/wp-content/uploads/2008/08/image61.jpg" alt="" width="499" height="416" /></a></p>
<p>Even more beneficial is the “Settings” tab which will display all settings from the GPOs associated. This would most likely be a good report to provide auditors who need verification or documentation on which settings are taking effect.</p>
<p><a href="http://www.developingtrends.net/wp-content/uploads/2008/08/image7.jpg"><img class="alignnone size-full wp-image-99" title="image7" src="http://www.developingtrends.net/wp-content/uploads/2008/08/image7.jpg" alt="" width="499" height="416" /></a></p>
<h2>Corporate Application</h2>
<p>For I.T. administrators who work for a publicly traded or otherwise regulated company, this tool provides enough reporting capability to document how your network is configured. I am referring to companies that must comply with some form of compliance audit, such as Sarbanes-Oxley (SOX).</p>
<p>Obviously what is required of you will be determined by your auditors; I would still have to say the information reported from this tool should be good enough.</p>
<h2>Conclusion</h2>
<p>This tool is a must-have for I.T. administrators in a Windows 2000 Server or Windows Server 2003 Active Directory environment. Download it and begin using it today. If you are still creating Group Policy Objects from within the Active Directory Users and Computers snap-in, you might want to consider checking out the Group Policy Management Console; you may be quite surprised.</p>
<h2>References</h2>
<p>Group Policy Management Console :: <a href="http://www.microsoft.com/windowsserver2003/gpmc/default.mspx">http://www.microsoft.com/windowsserver2003/gpmc/default.mspx</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.devtrends.com/index.php/group-policy-management-console/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

