I know there are several built-in tools (or tools available for download from Microsoft) that you can use to assess and modify the security policy applied to a system. A few I'm familiar with, to one degree or another, are:
- secpol.msc
- rsop.msc
- gpedit.msc
However, I've found that the results displayed by each of these will at times differ. secpol.msc may reflect a local policy, while gpedit or rsop.msc say that a GPO setting should be in place.
What I'd like to see is a comparison between the local policy, applied GPO(s), and the policy that is actually in effect on the system. At the very least, I need something that shows me the last of those - regardless of what policies are set locally or being pushed to the system, I need to know what the system is actually doing.
Is there a way I can get this comparison with one of the above tools, or another tool that's built-in or available from Microsoft? Where should I turn for an authoritative answer as to what policy the system is actually adhering to?
This is for systems running Windows XP, 2003, 7, and 2008.
gpmc.msc has a good view of this information in its "Group Policy Results" tool. The report displays information about which GPOs were applied in which order. Additionally, in the "Settings" tab of the report, it shows each applied setting on the system, as well as a "Winning GPO" column that shows which GPO (be it the local policy or one originating from the domain) took precedence in applying that setting.
gpmc.msc comes in the Admin Tools pack for Vista, 2008, and newer. It is also available for Windows XP, here: https://www.microsoft.com/download/en/details.aspx?id=21895

Try the Security and Compliance Manager tool. You can export the current effective config (using localgpo.msi) as a set and compare it to either what you want for policy or what you have in GPOs. If you want to just look at a server, the Group Policy Management Console will tell you what got applied and from where (and generate reports).