
04: How can I use Group Policy Compliance Reporter with multiple domains?

First – make sure you have GPCR implemented in the primary domain correctly.

Group Policy Compliance Reporter Implementation

  1. Make sure you have the latest Compliance Reporter download (you will if you recently downloaded the bits from the portal)
  2. Pick the server where you want to run Compliance Reporter
  3. Work through this video to install Compliance Reporter
    1. https://kb.policypak.com/kb/article/688-installing-compliance-reporter-server-and-client/
  4. Work through this video to set up Compliance Reporter and get machines reporting in (this is the Server version)
    1. https://kb.policypak.com/kb/article/690-setting-up-client-less-endpoint-auditing-push-mode-with-server/

From within the videos above, here is a summary of some important steps:

Preparatory Steps (before installing GPCR)

  1. Determine the AD computer security group to be used
    1. Used for two purposes
      1. for the server to accept RSOP uploads (only members may upload)
      2. for Item-Level Targeting (ILT) on the Scheduled Task GPO (optional)
  2. Confirm whether a shortname will work for the Auditor path; the FQDN is recommended
    1. I.e., are DNS suffix search lists in place in the primary domain and in the other domains so that a shortname resolves to the correct FQDN from every domain?
    2. In most cases it is safer to use the FQDN of the GPCR server
  3. Will we have access to create the GPO from the server, or do we need to export it?
    1. I.e., will the account the admin/engineer is logged in with while using GPCR have permission to create GPOs?
  4. Recommended: import the ADMX files (for troubleshooting, further configuration, logging, etc.)
    1. The PolicyPak ADMX templates include several settings specific to GPCR that enable additional logging and control when and how often RSOP check-ins occur
    2. Import them into the domain Central Store of every domain so they are available if needed
  5. Understand the pros and cons of targeting all computers versus a selection of computers from certain sites that are representative of the site and its population (and how the AD group fits into that)
    1. In domains with a few hundred to a low thousand computers that are all well connected in large locations, it is often fine to deploy the Scheduled Task GPO to all machines so that all check in
    2. For larger domains, and where remote sites are less well connected or have lower bandwidth, it is recommended to identify segments of computers as "representatives" of their population: choose some number of machines at each location to receive the GPO and stand in for what machines at that location are receiving.
      1. This cuts down on bandwidth used and load on the server
    3. The AD group created earlier supports this: add only the computers you want reporting as members.

Overall Server Setup Steps (detailed in videos links above)

  1. Install Server piece
    1. This is a Windows Service
  2. Install Server Console
    1. Often on same server as server service, but could be another server as well
  3. Configure Server settings via Console
    1. Will need the AD Group created for this step
    2. Will need the server name (shortname or FQDN) for this step
    3. Will need to be able to create a GPO or export and import later for this step

Enabling Other Domains to connect to GPCR

Now that you have the server up and running in the primary domain, the following steps are needed in each additional domain.

  1. Copy the GPO you created (in Server Setup step 3 above, configuring the server) from Domain 1 to Domain 2 and deploy it there
    1. Do a GPO backup in Domain 1
    2. Copy the backup folder to a server in Domain 2
    3. Import the backup as a GPO in Domain 2 (a GPO restore only works in the domain it came from; between domains you import)
    4. This article describes the general process of backing up and restoring GPOs, specifically in the "About Backup and Import (between domains)" section - https://www.policypak.com/pp-blog/backing-up-your-gpos-with-and-without-policypak-data-dont-get-burned
  2. Create an AD group in Domain 2 with the SAME NAME as the AD group in Domain 1
  3. Add the Domain 2 computers that should report in to the new Domain 2 AD group
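The steps above for each additional domain, carried out with the standard GroupPolicy and ActiveDirectory RSAT cmdlets, plus the FQDN-resolution check from the preparatory steps. This is an added example, not PolicyPak's own script; the domain names, server names, GPO name, group name, share path, OU and computer names are assumptions for illustration.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example, not PolicyPak code. All names below are assumed placeholders.
# Run as an account that can back up GPOs in the primary domain and create
# GPOs and groups in the additional domain.

$SourceDomain = 'corp.example.com'                 # primary domain where GPCR runs
$TargetDomain = 'emea.example.com'                 # additional domain being enabled
$GpoName      = 'PolicyPak GPCR Scheduled Task'    # GPO created by the GPCR console
$GroupName    = 'GPCR-Reporting-Computers'         # MUST be identical in every domain
$GpcrServer   = 'gpcr01.corp.example.com'          # FQDN, not shortname (preparatory step 2)
$BackupPath   = '\\fs01.emea.example.com\GPOBackups' # share reachable from both domains
$PilotOu      = 'OU=Pilot,DC=emea,DC=example,DC=com'
$TargetDc     = [string](Get-ADDomainController -DomainName $TargetDomain -Discover).HostName

# Preflight: the additional domain must resolve the GPCR server's FQDN.
# A shortname only works when the DNS suffix search list covers the primary domain.
if (-not (Resolve-DnsName -Name $GpcrServer -Type A -ErrorAction SilentlyContinue)) {
    throw "Cannot resolve $GpcrServer from this host; fix DNS before deploying the GPO."
}

# Step 1a: back up the GPO in the primary domain straight to the shared path,
# which replaces the manual "copy the backup folder" step.
$backup = Backup-GPO -Name $GpoName -Path $BackupPath -Domain $SourceDomain

# Step 1b/1c: import (not restore) into the additional domain. -CreateIfNeeded
# creates the target GPO when it does not exist yet.
Import-GPO -BackupId $backup.Id -Path $BackupPath -TargetName $GpoName `
    -Domain $TargetDomain -Server $TargetDc -CreateIfNeeded | Out-Null

# Step 2: same-named domain local security group in the additional domain.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $TargetDc)) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Server $TargetDc -Description 'Computers allowed to upload RSOP data to GPCR'
}

# Step 3: add representative computers (preparatory step 5) rather than every
# machine. The computer names are constructed for this example.
$Representatives = 'WS-EMEA-001$', 'WS-EMEA-002$', 'WS-EMEA-101$'
foreach ($sam in $Representatives) {
    $computer = Get-ADComputer -Filter "SamAccountName -eq '$sam'" -Server $TargetDc
    if ($computer) {
        Add-ADGroupMember -Identity $GroupName -Members $computer -Server $TargetDc
    } else {
        Write-Warning "$sam not found in $TargetDomain; skipping"
    }
}

# Link to a pilot OU first; widen the link once those machines appear in the console.
New-GPLink -Name $GpoName -Target $PilotOu -Domain $TargetDomain -Server $TargetDc -LinkEnabled Yes
```

Two checks after running it: confirm the imported GPO still points at the GPCR server by FQDN (the Auditor path is not rewritten by the import), and confirm the group membership took effect on the endpoints with `gpupdate /force` followed by a reboot, since computer group membership is only refreshed at logon/boot. If the imported settings embed a SID from Domain 1 rather than a name, pass `Import-GPO -MigrationTable` with a table mapping it to the Domain 2 principal.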

NOTE – Why a Group in each Domain is Required

  • Currently GPCR cannot enumerate members of a domain local group that are not in the same domain as the group, even with a two-way forest trust in place
  • Therefore the workaround, as noted above, is to create in each additional domain a domain local group with the same name as the one in the primary GPCR domain, and populate it with that domain's own computers

Article 864, 27-Mar-2020