https://github.com/osquery/osquery logo
Powered by
#windows
Title
# windows
h

Harrison

10/23/2019, 3:56 PM
I saw that this question was asked before but I did not see an answer so I apologize if this is repetitive. Is there any way to use osquery to get visibility into the Group Policy configurations deployed on a system?
s

seph

10/23/2019, 6:40 PM
Are they in the registry?
g

Guillaume

10/23/2019, 7:02 PM
Most GPO settings are in the registry
Some are very easy to query for and obvious, others are a bit of a PITA because they aren't boolean or simple values but bitmasks
for example, the password policy if I remember correctly
that being said if you have some specific examples I can probably help you out
h

Harrison

10/23/2019, 7:05 PM
Thanks for the responses. I would be interested in the password information and also to ensure that screen locks after a specified time of inactivity are configured.
@Guillaume Any example of a GPO would be great!
g

Guillaume

10/24/2019, 1:39 PM
OK sure, so since most GPO settings are in the registry, you can usually figure out what the keys and values are by opening ADM files
Then, osquery has a "registry" table that lets you select all of it, including wildcards
s

seph

10/24/2019, 1:41 PM
The uptycs blog post had an example of this.
g

Guillaume

10/24/2019, 1:42 PM
haha I was about to post it, I wrote it 🙂
s

seph

10/24/2019, 1:42 PM
I assumed 😛
g

Guillaume

10/24/2019, 1:43 PM
The thing that makes it a bit of a pain sometimes is you have to be careful about 2 things - some policies are per computer, easy enough, and some are per user, a bit harder (use wildcards and map back to the users table). The second thing is, the simple examples are good for understanding how it works, but in reality you should also query for the existence of a key and fail on the lack of it.
ex: you are checking registry key X for value 1 by selecting it where "=1" - well, it could be set to 0, or it could also not exist
2 Views
Powered by