Set_FDCC_LGPO: Utility to apply FDCC settings to local group policy

[2009-04-15:  Attachment removed.  Bookmark this page for the latest versions of these utilities.] 

As promised in our webcast last week, we are publishing a utility that applies NIST’s current set of GPOs to the Local Group Policy of the computer on which you run it.  The utility and the accompanying ReadMe.htm are included as an attachment to this post.

As a bonus, we are also publishing the source code (separate post).

Set_FDCC_LGPO is provided “AS-IS” without warranty, and is not officially supported by Microsoft customer support.

Set_FDCC_LGPO is a non-interactive tool that applies the Q3 2007 FDCC desktop policy settings from NIST to local group policy and optionally to the security settings of the computer as well.


The utility requires administrative rights, and runs only on Windows XP Service Pack 2 or higher, or Windows Vista (RTM or higher).  If the utility is run without admin rights or on an unsupported platform, an error message is displayed in a message box dialog.


Command line syntax:


Set_FDCC_LGPO.exe [/Sec] [/log LogFile] [/error ErrorLogFile] [/boot]


/Sec                  Sets security policy settings in addition to registry-based (registry.pol) settings.
/log LogFile          Writes detailed results to a log file.  If this option is not specified, output is neither logged nor displayed.
/error ErrorLogFile   Writes error information to a log file.  If this option is not specified, error information is displayed in a message box dialog.
/boot                 Reboots the computer when done.


Note that all the parameters are optional.  If run without parameters, the utility applies the registry.pol settings but not the security policy settings (which can override domain policy settings), does not write a log file, and displays an error message in a message box dialog if an error occurs.


This utility is not a console app, so you won’t see a console window appear, and if you start it from a CMD prompt, it will run in the background – CMD won’t wait for it to complete.  You can check in TaskMgr to see when it completes.  If you want CMD to wait for Set_FDCC_LGPO to complete, run the utility with “start /wait”.


The various registry.pol and gpttmpl.inf files from the expanded FDCC GPO folders are embedded in the executable.  The appropriate policies are applied based on whether the utility is running on XP or Vista.  The registry.pol files are parsed and Group Policy APIs are used to apply them to local policy.  If you specify /Sec to apply the gpttmpl.inf security templates, the utility runs secedit.exe for each of the appropriate settings files.  You may see secedit.exe in the process list, but no visible window for it.
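
The registry.pol parsing step described above can be reproduced to audit what a policy file would set before it is applied.  This is an added example, not the Set_FDCC_LGPO source: it reads the documented PReg layout (a "PReg" signature, version 1, then [key;value;type;size;data] entries in UTF-16LE), and the key and value names in the sample are constructed placeholders.

```python
import struct

REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4  # value types from winnt.h

def _w(text):
    return text.encode("utf-16-le")

def _wstr(buf, pos):  # NUL-terminated UTF-16LE string -> (text, offset past the NUL)
    for end in range(pos, len(buf) - 1, 2):
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
    raise ValueError("unterminated string")

def _expect(buf, pos, ch):  # require delimiter ch at pos; return the offset past it
    if buf[pos:pos + 2] != _w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _decode(reg_type, raw):
    if reg_type == REG_DWORD and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    return raw.decode("utf-16-le").rstrip("\0") if reg_type in (REG_SZ, REG_EXPAND_SZ) else raw

def parse_registry_pol(buf):  # -> [(key, value_name, reg_type, data), ...]
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version 1 PReg file")
    pos, out = 8, []
    while pos < len(buf):
        key, pos = _wstr(buf, _expect(buf, pos, "["))
        name, pos = _wstr(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        reg_type, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        size, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        raw = buf[pos:pos + size]
        if len(raw) != size:
            raise ValueError("data runs past end of file")
        pos = _expect(buf, pos + size, "]")
        out.append((key, name, reg_type, _decode(reg_type, raw)))
    return out

def _entry(key, name, reg_type, raw):  # builds one entry of the constructed sample
    return (_w(f"[{key}\0;{name}\0;") + struct.pack("<I", reg_type) + _w(";")
            + struct.pack("<I", len(raw)) + _w(";") + raw + _w("]"))

SAMPLE = (b"PReg" + struct.pack("<I", 1)  # constructed sample; names are placeholders
          + _entry(r"Software\Policies\Example", "ExampleDword", REG_DWORD, struct.pack("<I", 1))
          + _entry(r"Software\Policies\Example", "ExampleText", REG_SZ, _w("on\0")))
```

Pass the bytes of a real registry.pol file to parse_registry_pol to list every key, value name, type and data item it contains; malformed or truncated input raises ValueError rather than returning a partial list.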


The main scenarios where you’d want to use the /Sec parameter are when the computer is not subject to domain policies – e.g., during image build, or for standalone/workgroup systems.


Comments (10)

  1. Anonymous says:


    I do not have AV on the system.  I’ll have to double check about the status of Windows Firewall though.

    I did have an interesting workaround.  Running Set_FDCC_LGPO records error 0x80070020 into my log as previously stated.  If I run the utility a second time it seems to take and my error log is then clean.

  2. Anonymous says:

    I am running the utility on a clean installation of XP Pro SP2 as an administrator and it completes without error.  Yet when I check my error log file I see the following:  User policy save failed; error code 0x80070020.

    Any thoughts or suggestions?  Thank you.

    [Aaron Margosis]  That error code appears to be associated with the text, "The process cannot access the file because it is being used by another process." 
    KB 883825 suggests that it may be due to anti-virus performing real-time scanning.  Do you have AV running on your system?

  3. Anonymous says:

    The utility for applying FDCC configuration settings en masse to a computer has been updated: The 0x80070020

  4. Anonymous says:

    Also, these two service settings are in the tool but not defined by FDCC: aspnet_state and Dnscache

    [Aaron Margosis]  Whatever is in the tool comes from the NIST GPO downloads.

  5. Anonymous says:

    Set_FDCC_LGPO utility updated to conform to NIST’s 2008 Q3 update (FDCC Major Version 1.0). Set_FDCC_LGPO is a utility to apply FDCC settings to Local Group Policy.

  6. Anonymous says:

    Set_FDCC_LGPO – source code and Visual Studio project files.

  7. Anonymous says:

    Set_FDCC_LGPO utility updated to conform to NIST’s 2008 Q1 update. Set_FDCC_LGPO is a utility to apply FDCC settings to Local Group Policy.

  8. Anonymous says:

    These three service settings are missing from the tool: W3SVC, Fax, and MSFtpsvc

  9. Bhavin Bhatt says:

    Where to download the actual file?

    I tried to go to :…/
    and got a HTTP-404 error

    [Aaron Margosis]  Which actual file?  The GPOs?  This is the content page:

    Scroll down to find the links to the downloads.