This post authored by Joel Yoker, a Principal Consultant with Microsoft Federal...
As the February deadline approaches for the implementation of FDCC settings approaches, management of the FDCC Group Policy Objects (GPOs) is a common question Federal IT professionals (IT Pros) have today. FDCC GPO management spans a few areas, including settings review, initial import and linking, and ongoing import and linking. NIST and OMB have taken a very simple, systematic approach by providing exported GPOs with all of the FDCC settings included in them. This removes the need for Federal organizations to go through the previously cumbersome process of reading several hundred pages of settings and definitions and attempting to craft their own GPOs to contain these settings. This significantly reduces the time to implement and human error often associated with implementing any standards in Group Policy. This leaves many IT Pros with the question – How do I get these backed up GPOs into my organization’s Active Directory environment? First, let’s look at what we have.
Currently, when you download the quarterly zip file containing the GPOs (found at http://fdcc.nist.gov/download_fdcc.html), you will notice that there are three categories of FDCC GPOs:
1. Vista GPOs (found in the “Vista” folder)
2. XP GPOs (found in the “XP” folder)
3. Common GPOs (found in the “Both” folder)
Note that in the future as new Windows platforms are released or are deprecated, the platform choices will likely change. The Vista and XP GPOs contain platform specific settings in the following GPOs:
· FDCC <Quarter> <Year> <Platform> Security Settings – Contains low level operating system security settings including User Rights Assignment, local audit policy, security options, services configuration and system ACLs
· FDCC <Quarter> <Year> <Platform>-Specific Additional Settings - Contains additional platform settings such as error reporting
· FDCC <Quarter> <Year> <Platform> Firewall Settings – Contains Domain and standard profile settings for the Windows Firewall
The “Common” GPOs contains settings which apply to either platform in the following GPOs:
· FDCC <Quarter> <Year> IE7 Settings – Contains Internet Explorer settings, including zone information, URL Action settings, etc
· FDCC <Quarter> <Year> Additional Settings - Contains behavioral settings for users and computers
· FDCC <Quarter> <Year> Account Policy – Contains settings such as Password policy, Kerberos policy, etc.
The key concept here is that if you are running one platform within your organization, such as Windows Vista, you would need to import six (6) GPOs in total – The platform specific GPOs and the Common GPOs. If you are running both platforms, you would import all nine (9) GPOs. If you only deploy the platform specific settings, you are only deploying half of the FDCC GPO solution, so take care to understand which GPOs contain which settings for your organization.
Now that we have an understanding of the GPOs included in the FDCC releases, how do we get them into our environment? First, you need to have the Group Policy Management Console (GPMC) running. For Windows Server 2003, the SP1 version of GPMC can be found here: http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en. For Windows Vista RTM and Windows Server 2008, this toolset is included in the platform. Once GPMC is installed, the following simple steps must be followed to import the settings in your environment:
Step 1: Create a new empty GPO
Step 2: Run the GPMC “Import Settings Wizard” by right-clicking the new GPO and selecting “Import Settings…” from the context menu
Step 3: Import the FDCC GPO settings into your new empty GPO
Step 4: Review the imported settings and link the new FDCC GPO accordingly
Note to manage and review the Vista FDDC GPOs in your Windows Server 2003 environment, you will need to establish the ADMX central store in your forest. Steps to do this are outlined here: http://technet2.microsoft.com/WindowsVista/en/library/02633470-396c-4e34-971a-0c5b090dc4fd1033.mspx?mfr=true.
While this procedure is all well and good, it can still be a bit cumbersome to create new GPOs and walk through the wizard over and over again. After all, we have to do this every quarter and depending on how many domains and forests you might have, this can be a daunting task. To help with that, I have written a little script to make it easy to import the FDCC GPOs based on the GPMC scripting examples provided with the GPMC download. It uses the object model from GPMC, so you will still need to ensure that GPMC is installed and working on your platform. The script is pretty simple and requires a single argument – the folder path where you unzipped the FDCC GPOs (specified in the PATH argument).
cscript Import_FDCC_GPO_v1.1.vbs /PATH:”C:FDCCFDCC-Q3-2007-Final-GPO-20070730FDCC Q3 2007 Final GPOs”
The script takes a bit of the guesswork out of importing the FDCC GPOs. First, it enumerates the GPO folders in the FDCC download and allows you to choose which GPO you wish to import. Next, it enumerates the GPOs in the FDCC export and allows you to choose which GPO you wish to import. Once these choices are made, it creates a new empty GPO with a new GUID and the exact name of the FDCC GPO in your environment. After final confirmation, it then imports the settings found in the downloaded FDCC GPOs. An example of the script execution is provided below:
$cscript Import_FDCC_GPO_v1.1.vbs /PATH:"C:FDCCFDCC-Q3-2007-Final-GPO-20070730FDCC Q3 2007 Final GPOs"
The following FDCC GPO Folders are available:
Enter the number of the FDCC GPO Folder you wish to import: 2
1) FDCC Q3 2007 Vista-Specific Additional Settings
2) FDCC Q3 2007 Vista Security Settings
3) FDCC Q3 2007 Vista Firewall Settings
Enter the number of the FDCC GPO you want to import: 2
STEP 1: Starting GPO Import for FDCC Q3 2007 Vista Security Settings...
New GPO created
STEP 2: Align new GPO to FDCC GPO for import ...
Found GPO "FDCC Q3 2007 Vista Security Settings" for importing
STEP 3: Import FDCC GPO? (y or n) y
Importing "FDCC Q3 2007 Vista Security Settings"...
"FDCC Q3 2007 Vista Security Settings" successfully imported.
Would you like to import another FDCC GPO from this path? (y or n)
Based on user input, the script will loop through all of the FDCC GPOs and import them individually. GPOs are not linked since each organization will first need to carefully review the imported settings and each Active Directory environment is obviously different. The script also takes two optional arguments: /? – to display the script help information and /v – to display verbose debugging information while the script executes.
Just as the NIST and OMB exported FDCC GPOs attempt to make implementation and standardization of the settings easier, this script should take some of the bite and guesswork out of importing these GPOs into your organization’s Active Directory environment. I have included the source for the script below. Enjoy and hopefully this helps get your organization headed in the right direction with respect to FDCC!