Re: AD Policy audit tool for Windows 2000

On 2k and 2k3, you should be able to use the SCA Tool (Security
Configuration and Administration - it's an MMC snap-in) to compare
your existing policy to a defined baseline. It allows you to load up
any of the pre-existing AD templates from MS or another template
vendor (or your own) and delta it against the config on the box. It's
very effective and fast - blue checkmark means the setting is the
same, red x means it's different. I use it all the time to see where a
client's system differs from the default group policy config.


On 5/25/06, Koolk3 <koolk3@xxxxxxxxx> wrote:
Just to clarify on this a bit more. I need to know what settings
are applied. I don't need a report showing me the status of every
policy. Just the ones that have been changed from their default.


On 5/25/06, Koolk3 <koolk3@xxxxxxxxx> wrote:
> Thanks everyone for your responses. Here is an update on what I have
> found so far. I would also like to have your feedback on any of the
> tools listed here if you have any experience with them.
> 1) GPOVault (free) from DesktopStandard: This can compare settings
> between 2 GPO rsops. Does anyone have any experience using this? This has to
> be used in conjunction with GPMC.
> 2) GPMC from Microsoft: This tool may have the functionality I am
> looking for in terms of finding the changed GPOs but I am not so sure.
> 3) GPInventory from Microsoft: I am not sure about this either.
> 4) Secedit from Microsoft: Does this run on Windows 2000?
> If you have any experience with these tools can you please provide me
> some feedback? I need to know which one will be the best choice to
> figure out the GPO settings changed after a default installation.
> Thanks.
> Koolk3
> On 5/24/06, Koolk3 <koolk3@xxxxxxxxx> wrote:
> > Hello list,
> >
> > Basically, I am trying to find the policies that have been changed by
> > active directory after a default Windows 2000 installation. The
> > policies were modified without any documentation and now it is a
> > problem.
> >
> > I am looking for a tool that can help me audit Active Directory
> > policies that have been applied to Windows 2000 workstations. Ideally
> > the tool should know the default policy (from original win 2000
> > install) and then give me a report on what has changed.
> >
> > Most tools that do this are for Windows XP and I need something for
> > Windows 2000.
> >
> > Any suggestions?
> >
> > Sincerely,
> > --
> > KoolK3
> >
> --
> KoolK3


Rob McComber, GSEC, MCSE
Product Security Specialist, Telvent
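
The baseline comparison discussed in this thread, reduced to a script that reports only the settings that differ between two security template .inf files. This is an added example, not part of the original messages and not the code of any tool named above; the sample templates and the function names are constructed for illustration, and real template files are assumed to have been read into strings with the correct encoding.

```python
import re

# Constructed sample data in the security-template .inf layout (not from the thread).
BASELINE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
[Version]
signature="$CHICAGO$"
"""
CURRENT_INF = """\
; constructed: settings as found on the audited machine
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 0
lockoutbadcount=5
[Event Audit]
AuditLogonEvents = 0
AuditPolicyChange = 3
"""
SKIP_SECTIONS = {"unicode", "version"}  # file metadata, not policy settings

def parse_template(text):
    """Return {(section, setting): value}; names are lower-cased for comparison."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section and "=" in line:
            name, value = line.split("=", 1)
            settings[(section, name.strip().lower())] = value.strip()
    return settings

def changed_settings(baseline_text, current_text):
    """List (section, setting, baseline, current) only where the two differ."""
    base, cur = parse_template(baseline_text), parse_template(current_text)
    keys = sorted(k for k in set(base) | set(cur) if k[0] not in SKIP_SECTIONS)
    # None in either value column means the setting is absent from that file.
    return [(s, n, base.get((s, n)), cur.get((s, n)))
            for s, n in keys if base.get((s, n)) != cur.get((s, n))]

if __name__ == "__main__":
    for section, name, old, new in changed_settings(BASELINE_INF, CURRENT_INF):
        print(f"[{section}] {name}: baseline={old!r} current={new!r}")
```

Settings that match the baseline are omitted from the output, which is the "only what changed from default" report the original question asks for.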