Active Directory – How to find what machine applied a GPO

Tags: active-directory, group-policy, password, users

I've got a GPO that is configured to change the local builtin Administrator's password on certain machines. I need to find what machines have applied this GPO to themselves. I've written a script that tries the password on several systems and some have that password and some don't. I've got a lot of machines to go through and attempting the password on all of them won't work for my boss.

Is there a way, given only access to the \DC1\SYSVOL\domain.com\Policies… files that I can determine:

  1. What exactly is the local username that the policy was applied to?
  2. What machine contains this local user?

If I can't determine that just with the SYSVOL share access, what level of access would I need to be able to get the required info?

My boss is breathing down my neck for this and I feel it's out of my league.

Thanks for any input or help you can provide-

Best Answer

You would have to comb the event logs of every machine to see if it has or has not applied the Group Policy. Clients don't notify domain controllers as to whether they have or have not applied a GPO.

In the Group Policy Operational event log on the client, there will be an event ID 5312 that contains a list of all applicable GPOs that are about to be applied to the computer at that time. Your special GPO should be on that list. That event shows up every time a Group Policy refresh happens.

If you want to find GPOs that have local account information in them, do a search for Groups.xml files in your policies. Like this:

$GroupsFiles = Get-ChildItem -Path "\\$Env:UserDNSDomain\SYSVOL" -Recurse -Include Groups.xml

Also, you should stop doing this. Storing local admin passwords in a GPO is EXTREMELY dangerous. They are stored with reversible encryption.
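The two steps the answer describes, parsing Groups.xml to see which local account each preference item targets and then reading event ID 5312 from the Group Policy Operational log on each client, as an added PowerShell example. This is not code from the question or the answer. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed on the admin workstation (for Get-GPO and Get-ADComputer), read access to SYSVOL, and local admin rights plus the "Remote Event Log Management" firewall exception on the target computers (Get-WinEvent -ComputerName needs both). The function names Get-GppLocalUserItem and Test-GpoAppliedOnComputer are hypothetical, and the Groups.xml content and GUID used for the offline check are constructed, not real data.

```powershell
# Added example, not part of the original post. Function names are hypothetical.
# Assumes: RSAT GroupPolicy + ActiveDirectory modules, read access to SYSVOL,
# admin rights and remote event log access on the clients.

# --- Step 1: which local user does a Groups.xml preference item target? ----------
function Get-GppLocalUserItem {
    param([Parameter(Mandatory)][string]$Path)   # full path to one Groups.xml
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    # The GPO's GUID is the folder directly under ...\Policies\ in the path
    $guid  = [regex]::Match($Path, '\{[0-9A-Fa-f-]{36}\}').Value
    $scope = if ($Path -match '\\Machine\\') { 'Computer' } else { 'User' }
    foreach ($u in $doc.Groups.User) {
        $p = $u.Properties
        [pscustomobject]@{
            GpoGuid     = $guid
            Scope       = $scope
            Action      = $p.action      # C=create, U=update, R=replace, D=delete
            UserName    = $p.userName    # local account the item is applied to
            NewName     = $p.newName     # non-empty when the account is also renamed
            HasPassword = -not [string]::IsNullOrEmpty($p.cpassword)  # password is set in this GPO
            Changed     = $u.changed
            File        = $Path
        }
    }
}

# --- Step 2: did a given client log the GPO in its "applicable GPOs" event? ------
function Test-GpoAppliedOnComputer {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$GpoDisplayName,  # event 5312 lists GPOs by display name
        [int]$MaxEvents = 20                            # newest refreshes only
    )
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 5312 }
    } catch {
        # Unreachable host, access denied, or no 5312 events left in the log
        return [pscustomobject]@{ ComputerName = $ComputerName; Applied = $null; LastRefresh = $null; Error = $_.Exception.Message }
    }
    $hit = $events | Where-Object { $_.Message -match [regex]::Escape($GpoDisplayName) } | Select-Object -First 1
    [pscustomobject]@{
        ComputerName = $ComputerName
        Applied      = [bool]$hit
        LastRefresh  = if ($hit) { $hit.TimeCreated } else { $null }
        Error        = $null
    }
}

# --- Offline check of Step 1 with a CONSTRUCTED Groups.xml (not real data) --------
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2" changed="2012-01-01 10:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description="" cpassword="REDACTED-BASE64" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator"/>
  </User>
</Groups>
'@
$sampleDir = Join-Path $env:TEMP '{11111111-2222-3333-4444-555555555555}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
Set-Content -LiteralPath (Join-Path $sampleDir 'Groups.xml') -Value $sampleXml
Get-GppLocalUserItem -Path (Join-Path $sampleDir 'Groups.xml') | Format-List

# --- Real run against the domain (uncomment when the assumptions above hold) ------
# $policies = "\\$Env:UserDNSDomain\SYSVOL\$Env:UserDNSDomain\Policies"
# $items = Get-ChildItem -Path $policies -Recurse -Filter Groups.xml |
#          ForEach-Object { Get-GppLocalUserItem -Path $_.FullName }
# $items | Where-Object HasPassword | Format-Table GpoGuid, Scope, UserName, NewName, Changed
# $gpo = Get-GPO -Guid ($items | Where-Object HasPassword | Select-Object -First 1).GpoGuid
# Get-ADComputer -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty Name |
#     ForEach-Object { Test-GpoAppliedOnComputer -ComputerName $_ -GpoDisplayName $gpo.DisplayName } |
#     Format-Table ComputerName, Applied, LastRefresh, Error
```

Two caveats when reading the results. Event 5312 is written for both computer and user policy processing, so a GPO linked only at the computer scope still has to be matched against the computer-side refresh; if the same display name could appear in a user refresh, correlate on the surrounding 4004/4005 events before trusting a hit. And a 5312 entry only proves the GPO was applicable at that refresh, not that the preference item ran: item-level targeting inside Groups.xml, or a log that has already rolled over, can still leave a machine with or without the password while the event evidence says otherwise.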
