Get GPOs using LDAP

steven.rojas

Hi, is there a way to get all GPO information (attributes, delegates,
links and settings) using LDAP? Currently I'm trying to implement a
GPO browser in C++ using ADSI and I'm getting the GPO list and GPO
attributes but I don't know how to get the delegates, settings and
links. LDAP queries and filters would be useful.
 
Florian Frommherz [MVP]

Howdie!

> Hi, is there a way to get all GPO information (attributes, delegates,
> links and settings) using LDAP? Currently I'm trying to implement a
> GPO browser in C++ using ADSI and I'm getting the GPO list and GPO
> attributes but I don't know how to get the delegates, settings and
> links. LDAP queries and filters would be useful.

For the delegates, I actually have no clue what you mean by writing
that. Maybe you could get my light to shine on this. For the links, I'm
afraid but you'll have to enumerate all the OUs in the domain, as the
links to the GPOs are stored there in the gpLink attribute. It's a
concatenated list of the DNs of policies.

Where the settings are stored depends on what policy you have.
"Administrative Template" policies have a Registry.POL file in
\\{server}\sysvol\{domain.local}\Policies\{Policy GUID}\{Machine|User}
where the settings for the registry are stored. Other Client Side
Extensions use different mechanisms to provide the settings a client
needs to download.

cheers,

Florian
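
The gpLink format described in the reply above, as an added example that is not part of the original thread: each entry has the form `[LDAP://<GPO DN>;<options>]`, where option bit 1 marks the link as disabled and bit 2 marks it as enforced. The function names, the `example.local` domain and the second GUID are constructed for illustration; in an ADSI program the string would come from the gpLink column of the OU or domain search.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdlib>
#include <string>
#include <vector>

struct GpoLink {
    std::string dn;   // DN of the linked groupPolicyContainer
    bool disabled;    // option bit 0x1: link is disabled
    bool enforced;    // option bit 0x2: link is enforced ("No Override")
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// gpLink holds back-to-back "[LDAP://<GPO DN>;<options>]" entries.
std::vector<GpoLink> parseGpLink(const std::string& value) {
    std::vector<GpoLink> links;
    std::size_t pos = 0;
    while ((pos = value.find('[', pos)) != std::string::npos) {
        std::size_t end = value.find(']', pos);
        if (end == std::string::npos) break;              // truncated entry: stop
        std::string entry = value.substr(pos + 1, end - pos - 1);
        pos = end + 1;
        std::size_t semi = entry.rfind(';');
        if (semi == std::string::npos) continue;          // no options field: skip
        std::string dn = entry.substr(0, semi);
        if (lower(dn).compare(0, 7, "ldap://") == 0) dn.erase(0, 7);
        unsigned long opt = std::strtoul(entry.c_str() + semi + 1, nullptr, 10);
        links.push_back({dn, (opt & 1) != 0, (opt & 2) != 0});
    }
    return links;
}

// True when the GPO with this GUID (braces included) is linked and the link is not disabled.
bool hasActiveLink(const std::string& gpLink, const std::string& guid) {
    const std::string needle = "cn=" + lower(guid) + ",";
    for (const GpoLink& l : parseGpLink(gpLink))
        if (!l.disabled && lower(l.dn).compare(0, needle.size(), needle) == 0)
            return true;
    return false;
}

// Constructed sample value, shaped like the gpLink attribute of an OU.
const char* kSampleGpLink =
    "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=example,DC=local;2]"
    "[LDAP://CN={AAAAAAAA-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=example,DC=local;1]";
```

Running `hasActiveLink` over the gpLink value of every OU and of the domain object gives the list of containers where a given GPO actually applies, with disabled links excluded.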
 
steven.rojas

Hi Florian, thanks for your response. What I need is get ALL
information for the GPOs in a Domain Controller.

By example, the GPO ID of "Default Domain Policy" is
{31B2F340-016D-11D2-945F-00C04FB984F9}, so giving the ID I want get
all the GPO information that we can see in GPMC console:

* Attributes: (display name, path, owner, user and computer version,
  etc.)
* Links: Where the GPO is linked (OUs and/or Domain)
* Security filtering and WMI filtering
* Delegation: Groups and Users that have specified permissions for the
  GPO. By example:
  * Domain Admins (permissions for Read and Edit)
  * SYSTEM (permission for Read and Delete)
* Settings: Get all the settings and their values that are set for the
  GPO (settings, path and value), by example:
  * Setting: "Maximum password age"
  * Path: "Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\"
  * Value: "42 days"

I'm using ADSI in C++ so any example even in Visual Basic Script or
LDAP queries are useful. Thanks

Steven
 
Florian Frommherz [MVP]

Steven,

> By example, the GPO ID of "Default Domain Policy" is
> {31B2F340-016D-11D2-945F-00C04FB984F9}, so giving the ID I want get
> all the GPO information that we can see in GPMC console:
>
> * Attributes: (display name, path, owner, user and computer version,
> etc.)
> * Links: Where the GPO is linked (OUs and/or Domain)
> * Security filtering and WMI filtering
> * Delegation: Groups and Users that have specified permissions for the
> [...]
> I'm using ADSI in C++ so any example even in Visual Basic Script or
> LDAP queries are useful. Thanks

I'm not sure how far you got by now, but having a look at the GPMC
scripts (they're in the "scripting"-folder, I think) might give you a
further insight.

Keep in mind that some of the information (like Group Policy links,
settings within administrative templates,...) may not be stored
directly with the policy in the directory store rather than the SYSVOL
or the OU they are linked to.

cheers,

Florian
 
steven.rojas

> Steven,
>
> > By example, the GPO ID of "Default Domain Policy" is
> > {31B2F340-016D-11D2-945F-00C04FB984F9}, so giving the ID I want get
> > all the GPO information that we can see in GPMC console:
> > * Attributes: (display name, path, owner, user and computer version,
> > etc.)
> > * Links: Where the GPO is linked (OUs and/or Domain)
> > * Security filtering and WMI filtering
> > * Delegation: Groups and Users that have specified permissions for the
> > [...]
> > I'm using ADSI in C++ so any example even in Visual Basic Script or
> > LDAP queries are useful. Thanks
>
> I'm not sure how far you got by now, but having a look at the GPMC
> scripts (they're in the "scripting"-folder, I think) might give you a
> further insight.
>
> Keep in mind that some of the information (like Group Policy links,
> settings within administrative templates,...) may not be stored
> directly with the policy in the directory store rather than the SYSVOL
> or the OU they are linked to.
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
> Use a newsreader! http://www.frickelsoft.net/news.html

Yes, it is possible to retrieve the information using GPMC SDK (using
scripting and C++) but I'm trying to avoid it. My goal is to get all the
information using LDAP and ADSI. I read somewhere that we can get all
AD information using LDAP.

I'm getting the GPO attributes right now and also the OU information,
so I'm able to get the GPO links by searching in the OUs list as you
suggested. The GPO list and OU list are retrieved using the
IDirectorySearch::ExecuteSearch() method with filters like
(&(objectClass=groupPolicyContainer)). Also I'm using the ADsGetObject()
API in order to get AD objects (like an OU) by executing LDAP queries like
"LDAP://OU=Production".

What I'm looking for is similar filters or LDAP queries that allow me
to get security filters, WMI filters, delegations and settings for a
specific GPO (using ADSI).

Regards,
Steven
 
