How to generate a custom LGPO based on FDCC

  • Article

One of my customers requires additional security settings beyond the OMB-mandated Federal Desktop Core Configuration (FDCC) and I need to apply the settings as local policy during the MDT build process so that disconnected systems still get a baseline of policy.  So here's the process I used to generate the policy objects and then apply them to the build.

  1. Obtain the current version of Set_FDCC_LGPO.exe from FDCC Team Blog.
  2. Install a generic build of Windows Vista on a test workstation, and logon as the local Administrator.
  3. Copy Set_FDCC_LGPO.exe to C:\Windows\security.
  4. Run the following command (mind the wrap):
    start /wait C:\Windows\security\Set_FDCC_LGPO.exe /sec /log C:\Windows\security\logs\Set_FDCC_LGPO.log /error C:\Windows\security\logs\Set_FDCC_LGPO-error.log /boot
    The system will automaticlaly restart when the process completes (it's quick).
  5. Logon as renamed_admin with the same password as before.
  6. Copy GPOAccelerator to C:\Windows\security\GPOAccelerator.
  7. Elevate a command prompt and run the following command (mind the wrap):
    cscript "C:\Windows\security\GPOAccelerator\Security Group Policy Objects\GPOAccelerator.wsf" /ConfigSCE
  8. Run gpedit.msc.  Manually verify all current FDCC settings and apply all custom settings.
  9. Right-click Computer Configuration\Windows Settings\Security Settings and select Export Policy.  Save as C:\Windows\security\templates\Local_Policy_20080228.inf.
  10. Run the following commands:
    mkdir C:\Windows\security\LGPO
    robocopy C:\Windows\System32\GroupPolicy C:\Windows\security\LGPO *.* /s /e
    attrib LGPO -h
  11. Copy CustomApplyLGPO-v3.cmd (see attached, rename) and CustomSetAuditPolicy-v2.cmd to \\mdtsrv\Distribution\Scripts.
  12. Copy LGPO and templates folders from C:\Windows\security to \\mdtsrv\Distribution\$OEM$\$$\security.
  13. Add the following to the appropriate task sequence:

Type: Run Command Line
Name: Custom Set Audit Policy
Command Line: cmd /c "%SCRIPTROOT%\CustomSetAuditPolicy-v2.cmd" > C:\Windows\security\logs\CustomSetAuditPolicy.log 2>&1

Type: Run Command Line
Name: Custom Apply LGPO
Command Line: cmd /c "%SCRIPTROOT%\CustomApplyLGPO-v3.cmd > C:\Windows\security\logs\CustomApplyLGPO.log 2>&1

 

If anyone can think of an easier/faster way to do any of the above, I welcome your comments.

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use .

CustomApplyLGPO-v3.txt