7.5 Analyzing Multi-Domain GPOs against a Master GPO

Maintaining GPO consistency in your enterprise is key in keeping your business functioning effectively. The Enterprise Consistency Check report lets you compare GPOs from multiple domains against a master GPO. This report is useful in determining whether a GPO deployed throughout your Active Directory is still consistent with the original GPO. For example, you may be enforcing the same password policy throughout the enterprise with the deployment of a password policy GPO to every domain in your Active Directory. Over time, these copies of the original GPO may no longer match the original policy. The Enterprise Consistency Check report identifies any GPOs that are no longer consistent with the original GPO. For more information about generating the Enterprise Consistency Check report, see Section 7.5.1, Running the Enterprise Consistency Check Report with the Wizard.

Used in conjunction with GPO synchronization, the Enterprise Consistency Check report helps you maintain consistency with your GPOs in Active Directory. By comparing the master GPOs in Active Directory or the GP Repository with the controlled GPOs in the GP Repository, you can quickly identify any controlled GPOs that are no longer synchronized with their master GPOs. For more information about GPO synchronization, see Section 5.9, Synchronizing GPOs.

7.5.1 Running the Enterprise Consistency Check Report with the Wizard

You can run the Enterprise Consistency Check wizard to generate the Enterprise Consistency Check report if you have only a few GPOs to compare. If you have many GPOs to compare, consider running the report with the NqGpoCompare.exe command-line utility. For more information, see Section A.4.3, Generating the Enterprise Consistency Check Report Using Scripts.

In addition to generating the report, the Enterprise Consistency Check wizard creates or updates an .xml report configuration file that both the wizard and the NqGpoCompare.exe command-line utility require to create the Enterprise Consistency Check report.

To create the Enterprise Consistency Check report using the Enterprise Consistency Check wizard:

  1. Log on to a GPA Console computer with an account that has domain administrator permissions.

  2. Start the GPA Console in the Group Policy Administrator program group.

  3. In the left pane, click GP Analysis.

  4. In the right pane, click Run Enterprise Consistency Check.

    NOTE: The GPA console disables the Run Enterprise Consistency Check option for GPOs in untrusted domains in the GP Repository. However, you can generate these reports from a GPA console installed on a computer in the untrusted domain.

  5. Read the introduction text, and then click Next.

  6. Choose whether to compare GPOs from the GP Repository or Active Directory or load an existing configuration file. If this is the first time you are running the wizard, choose one of the first two options.

    NOTE: If you compare GPOs from your Active Directory, you can only select GPOs from trusted domains. If you compare GPOs from the GP Repository, you can select GPOs from both trusted and untrusted domains.

  7. Click Next.

  8. If you chose to compare GPOs in the GP Repository, specify the credentials to connect to the GP Repository, and then click OK.

  9. Click Browse to select a master domain in the Master Domain (DNS) field. The domain you select should contain the master GPOs you want to use as the basis for comparison.

  10. Click Add to select the domain or domains that contain the GPOs you want to compare to the master GPOs, and then click Next.

  11. Click Add to open the Repository GPO Browser window.

  12. Select the GPOs you want to use as master GPOs, and then click OK. By default, the wizard compares the master GPO to any GPOs with the same name as the master GPO in all comparison domains.

  13. If you want to compare a master GPO with only a subset of the comparison domains, perform the following steps:

    1. Select a master GPO, and then click Edit.

    2. Clear the check box next to any domains you want to exclude from the comparison, and then click OK.

  14. If you cannot compare a master GPO to another GPO using the GPO name, perform the following steps:

    1. Select a master GPO, and then click Edit.

    2. Select the domain containing the comparison GPO you cannot compare by name, and then click Edit.

    3. Expand GP Repository to the location of the GPO you want to compare to the master GPO.

    4. Click the comparison GPO, and then click OK. The configuration file now uses the GUID of the comparison GPO instead of the name.

  15. If you want to compare the GP Repository and Active Directory versions of each master GPO, select this option at the bottom of the window. This comparison helps to prevent errors when synchronizing any comparison GPOs to master GPOs.

  16. When you have added and mapped all the GPOs you want to compare, click Next.

  17. Specify or browse to the location and file name of the report configuration file you want to create or update. You need to specify the file extension as .xml.

  18. Select the Run a report at the completion of this wizard check box.

  19. Specify or browse to the location and file name of the report file you want to create. You must specify the file extension as .htm or .html.

  20. Click Next.

  21. Review the Summary window to ensure you have properly specified the master GPO and comparison GPOs, and then click Finish.

  22. If you want to display the Enterprise Consistency Check report, navigate to the folder where you stored the HTML file and open the file in a web browser.
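
The comparison that the wizard configures can be modeled in a few lines. The following Python is an added example, not GPA code and not the format of its .xml configuration file: it matches each comparison GPO to the master by name by default, skips excluded domains (step 13), and matches by GUID where a name match is not possible (step 14). The domain names, GUIDs, setting values, and function names are constructed for illustration.

```python
# Constructed sample data (not real exports): domain -> GPO GUID -> GPO.
GPOS = {
    "corp.example": {"{A0000000-0000-0000-0000-000000000001}": {
        "name": "Password Policy",
        "settings": {"MinimumPasswordLength": 14, "MaximumPasswordAge": 60,
                     "PasswordComplexity": True}}},
    "emea.example": {"{B0000000-0000-0000-0000-000000000002}": {
        "name": "Password Policy",        # same name, but the length drifted
        "settings": {"MinimumPasswordLength": 8, "MaximumPasswordAge": 60,
                     "PasswordComplexity": True}}},
    "apac.example": {"{C0000000-0000-0000-0000-000000000003}": {
        "name": "APAC Password Policy",   # renamed copy: needs a GUID mapping
        "settings": {"MinimumPasswordLength": 14, "MaximumPasswordAge": 60,
                     "PasswordComplexity": True}}},
    "lab.example": {},
}


def find_by_name(domain, name):
    """Return the first GPO in the domain with this display name, or None."""
    return next((g for g in GPOS[domain].values() if g["name"] == name), None)


def consistency_check(master_domain, master_name, domains,
                      excluded=(), guid_map=None):
    """Compare the master GPO with its copy in each comparison domain.

    Returns domain -> None (no copy found) or a dict of drifted settings,
    each mapped to (master_value, copy_value). An empty dict means consistent.
    """
    master = find_by_name(master_domain, master_name)
    if master is None:
        raise LookupError(f"master GPO {master_name!r} not in {master_domain}")
    guid_map = guid_map or {}
    report = {}
    for domain in domains:
        if domain in excluded:          # step 13: domain cleared for this GPO
            continue
        if domain in guid_map:          # step 14: match by GUID, not by name
            copy = GPOS[domain].get(guid_map[domain])
        else:                           # default: same name as the master
            copy = find_by_name(domain, master_name)
        if copy is None:
            report[domain] = None
            continue
        m, c = master["settings"], copy["settings"]
        report[domain] = {k: (m.get(k), c.get(k))
                          for k in sorted(m.keys() | c.keys())
                          if m.get(k) != c.get(k)}
    return report
```

Without the GUID mapping, the renamed copy in apac.example is reported as not found rather than as consistent, which is the case step 14 addresses.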