[2009-04-15: Attachment removed. Bookmark this page for the latest versions of these utilities.]
As promised in our webcast last week, we are publishing a utility that applies NIST’s current set of GPOs to the Local Group Policy of the computer on which you run it. It — and the accompanying ReadMe.htm — are included as an attachment to this post.
As a bonus, we are also publishing the source code (separate post).
Set_FDCC_LGPO is provided “AS-IS” without warranty, and is not officially supported by Microsoft customer support.
Set_FDCC_LGPO is a non-interactive tool that applies the Q3 2007 FDCC desktop policy settings from NIST to local group policy and optionally to the security settings of the computer as well.
The utility requires administrative rights, and runs only on Windows XP Service Pack 2 or higher, or Windows Vista (RTM or higher). If the utility is run without admin rights or on an unsupported platform, an error message is displayed in a message box dialog.
Command line syntax:
Set_FDCC_LGPO.exe [/Sec] [/log LogFile] [/error ErrorLogFile] [/boot]
/Sec Sets security policy settings in addition to registry-based (registry.pol) settings.
/log LogFile Writes detailed results to a log file. If this option is not specified, output is not logged nor displayed.
/error ErrorLogFile Writes error information to a log file. If this option is not specified, error information is displayed in a message box dialog.
/boot Reboots the computer when done.
Note that all the parameters are optional. If run without parameters, it applies the registry.pol settings but not the security policy settings (which can override domain policy settings), does not write a log file, and displays a message box only if an error occurs.
This utility is not a console app, so no console window appears; if you start it from a CMD prompt it runs in the background and CMD returns immediately rather than waiting for it to complete. You can watch for it in Task Manager to see when it finishes. If you want CMD (or a batch script) to wait for Set_FDCC_LGPO to complete, launch it as “start /wait Set_FDCC_LGPO.exe” followed by whatever parameters you want.
The various registry.pol and gpttmpl.inf files from the expanded FDCC GPO folders are embedded in the executable, and the appropriate set is selected based on whether it is running on XP or Vista. For the registry.pol files, the utility parses each file and uses the Group Policy APIs to apply its settings to local policy. If you specify /Sec to apply the gpttmpl.inf security templates, it runs secedit.exe once for each of the appropriate settings files; you may see secedit.exe in the process list, but it has no visible window.
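The registry.pol parsing step described above can be checked independently of the tool. The following Python script is an added example, not part of Set_FDCC_LGPO or its published source: it writes a small constructed registry.pol using the same layout Group Policy uses (ASCII “PReg” signature, version 1, then `[key;value;type;size;data]` records with UTF-16LE strings and separators), parses it back, and reports what each record would set or delete, which is a useful audit before applying any registry.pol to a machine. The key and value names in the sample are made up for the example and are not FDCC settings.

```python
import struct

# Registry value types as they appear in registry.pol records
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7
TYPE_NAMES = {REG_SZ: "REG_SZ", REG_EXPAND_SZ: "REG_EXPAND_SZ", REG_BINARY: "REG_BINARY",
              REG_DWORD: "REG_DWORD", REG_MULTI_SZ: "REG_MULTI_SZ"}


def _wsz(s):
    """Null-terminated UTF-16LE string, as stored in registry.pol."""
    return s.encode("utf-16-le") + b"\x00\x00"


def _wch(ch):
    """A single UTF-16LE character (the '[', ';' and ']' record separators)."""
    return ch.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialize (key, value_name, type, raw_data) tuples into registry.pol bytes.
    Header is the ASCII signature 'PReg' followed by version 1 (little-endian DWORD)."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, value, rtype, data in entries:
        out += _wch("[") + _wsz(key) + _wch(";") + _wsz(value) + _wch(";")
        out += struct.pack("<I", rtype) + _wch(";") + struct.pack("<I", len(data)) + _wch(";")
        out += data + _wch("]")
    return bytes(out)


def parse_registry_pol(blob):
    """Parse registry.pol bytes into a list of dicts, one per record."""
    if blob[:4] != b"PReg":
        raise ValueError("missing PReg signature; not a registry.pol file")
    (version,) = struct.unpack_from("<I", blob, 4)
    if version != 1:
        raise ValueError("unsupported registry.pol version %d" % version)

    def read_wsz(pos):
        end = pos
        while blob[end:end + 2] != b"\x00\x00":
            end += 2
            if end >= len(blob):
                raise ValueError("unterminated string at offset %d" % pos)
        return blob[pos:end].decode("utf-16-le"), end + 2

    def expect(pos, ch):
        if blob[pos:pos + 2] != _wch(ch):
            raise ValueError("expected %r at offset %d" % (ch, pos))
        return pos + 2

    records, pos = [], 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_wsz(pos)
        pos = expect(pos, ";")
        value, pos = read_wsz(pos)
        pos = expect(pos, ";")
        (rtype,) = struct.unpack_from("<I", blob, pos)
        pos = expect(pos + 4, ";")
        (size,) = struct.unpack_from("<I", blob, pos)
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = expect(pos + size, "]")
        # Decode the payload for the common types; anything else stays raw bytes.
        if rtype == REG_DWORD and size == 4:
            decoded = struct.unpack("<I", data)[0]
        elif rtype in (REG_SZ, REG_EXPAND_SZ):
            decoded = data.decode("utf-16-le").rstrip("\x00")
        elif rtype == REG_MULTI_SZ:
            decoded = [s for s in data.decode("utf-16-le").split("\x00") if s]
        else:
            decoded = data
        # "**Del.<name>" is the Group Policy convention for deleting a value; other
        # "**" names (e.g. **DeleteValues, **DelVals.) are key-level directives.
        if value.lower().startswith("**del."):
            action, target = "delete", value[6:]
        elif value.startswith("**"):
            action, target = "directive", value
        else:
            action, target = "set", value
        records.append({"key": key, "action": action, "value": target,
                        "type": TYPE_NAMES.get(rtype, str(rtype)), "data": decoded})
    return records


# Constructed sample: key and value names are invented for this example, not FDCC settings.
SAMPLE = build_registry_pol([
    (r"Software\Policies\Contoso\Widget", "Enabled", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Contoso\Widget", "Server", REG_SZ, _wsz("srv.example.test")),
    (r"Software\Policies\Contoso\Widget", "**Del.LegacyValue", REG_SZ, _wsz("")),
])


def sample_records():
    return parse_registry_pol(SAMPLE)


if __name__ == "__main__":
    for r in sample_records():
        print("%-9s %s\\%s (%s) = %r" % (r["action"], r["key"], r["value"], r["type"], r["data"]))
```

Pointing `parse_registry_pol` at the bytes of a real registry.pol (e.g. one from an expanded FDCC GPO folder’s Machine or User subdirectory) lists every value the policy would write or remove; the parser rejects files with a bad signature, an unexpected version, or truncated records rather than silently skipping them.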
The main scenarios where you’d want to use the /Sec parameter are when the computer is not subject to domain policies – e.g., during image build, or for standalone/workgroup systems.