# windows
h
I saw that this question was asked before but I did not see an answer so I apologize if this is repetitive. Is there any way to use osquery to get visibility into the Group Policy configurations deployed on a system?
s
Are they in the registry?
g
Most GPO settings are in the registry
Some are very easy to query for and obvious, others are a bit of a PITA because they aren't boolean or simple values but bitmasks
for example, the password policy if I remember correctly
that being said if you have some specific examples I can probably help you out
h
Thanks for the responses. I would be interested in the password information and also to ensure that screen locks after a specified time of inactivity are configured.
@Guillaume Any example of a GPO would be great!
g
OK sure, so since most GPO settings are in the registry, you can usually figure out what the keys and values are by opening ADM files
Then, osquery has a "registry" table that lets you select all of it, including wildcards
s
The Uptycs blog post had an example of this.
g
haha I was about to post it, I wrote it 🙂
s
I assumed 😛
g
The thing that makes it a bit of a pain sometimes is you have to be careful about 2 things - some policies are per computer, easy enough, and some are per user, a bit harder (use wildcards and map back to the users table). The second thing is, the simple examples are good for understanding how it works, but in reality you should also query for the existence of a key and fail on the lack of it.
ex: you are checking registry key X for value 1 by selecting it where "=1" - well, it could be set to 0, or it could also not exist