Apply_LGPO_Delta 1.0: utility to apply custom changes to Local Policy


[2009-04-15:  Attachment removed.  Bookmark this page for the latest versions of these utilities.] 

Apply_LGPO_Delta v1.0 is a non-interactive tool that is designed to help make automated changes to Local Group Policy.  It can make changes to registry-based policy as well as apply security templates.  The primary intended scenario is to apply custom changes to FDCC policies after having applied those policies to Local Group Policy using a tool such as Set_FDCC_LGPO.

The utility requires administrative rights, and runs only on Windows XP Service Pack 2 or higher, or Windows Vista (RTM or higher).  If the utility is run without admin rights or on an unsupported platform, an error message is displayed in a message box dialog.

More information is available in the documentation (Apply_LGPO_Delta.htm) included in the zip file attached to this blog post.  The zip file also includes the utility, a set of starter input files representing common requested changes, and a batch file demonstrating command line syntax and conditional execution following Set_FDCC_LGPO.

Source code in the form of a Visual Studio 2005 VC++ project is available here.

 

Comments (14)

  1. Anonymous says:

    [Aaron Margosis] My apologies for delayed response.  At this point we haven’t opted to post anything that claims to revert FDCC settings to defaults, because it is difficult to assure that you are getting 100% reversion to pre-application state.  This is especially true with the file ACL edits that FDCC applies on XP systems, as well as with security options.

    The way I personally prefer to work for all my development and testing purposes is to use virtual machine technology (such as Virtual PC, Virtual Server, or Hyper-V) with "undo disks".  This gives me guaranteed 100% reversion with no side effects from previous testing.  On physical (non-virtual) systems, I prefer just wiping/loading from a well-defined repeatable deployment image.

    For production systems, I don’t understand why you would ever want to completely revert to defaults after applying FDCC settings.

  2. Anonymous says:

    Apply_LGPO_Delta, a utility for automating the management of local group policy, is updated with a minor fix to prevent sharing-violation errors. The set of "starter" files is also updated.

  3. Anonymous says:

    You could post it on another URL and then post the link here. I would be very interested in taking a look at and testing the files a little myself.

  4. Anonymous says:

    TO: rliepins,

    Would it be possible to see what your template and registry based files look like?  We are also working to customize the latest released Q3 version of FDCC and rollback some of the settings using the LGPO_Delta utility.

    Thanks,

    Singood

  5. Anonymous says:

    If you would like, rliepins, attach the documents and send them to my public profile email, and I can upload them to some web space for you and post a link. Just be sure you give me permission to distribute them in the email, and I will post the link here.

  6. Anonymous says:

    I have been working on a set of template files to back out of all FDCC settings, mainly to see if it could be done, but also to provide for those instances where a computer needs to be ‘reset to defaults’ to make sure it isn’t FDCC causing an issue.

    Anyway, for Windows XP, I needed to create both security templates and registry-based policy files.  The result is a pretty close cleansing of the settings, but there have been a few settings that I could not back out of, no matter if I used the registry based policy files to delete the registry entry (thus, supposedly making the control "not configured") or a security template to null the entry.  So far, no luck for this list of 6, which are part of the MSS added entries.

    If I could get more information on how to remove the registry entries, I would be most appreciative.

  7. Anonymous says:

    Another option to this is that the command scripts we created also included a command line ntbackup line to back up the system state.  This could also be used to revert a system back to pre FDCC settings.

    [Aaron Margosis]  So…  for Set_FDCC_LGPO there are two setting types that are applied: 

    • security settings:  these can be edited using secpol.msc and are applied to the system by Set_FDCC_LGPO using secedit.exe; and
    • true policy settings:  these can be edited using gpedit.msc, and are applied to the system by Set_FDCC_LGPO using policy APIs.

    To revert the security settings, which generally don’t have a "not configured" that you can roll back to, the best approximation to a rollback is to run secedit.exe before applying FDCC settings to get a snapshot of the current system; then use that later to restore settings.

    To revert the policy settings, simply set all the applied settings back to "not configured".  One way to do that is to run Set_FDCC_LGPO with the /log option, then take the /log output and change it into an input file for Apply_LGPO_Delta, where all the settings that are applied get deleted.

    Note that this will only be an approximation of a rollback, not a 100% rollback, and that it doesn’t touch file ACL or service configuration settings.
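
The secedit snapshot-and-restore approach described in the reply above, as an added example that is not part of the original post or of the FDCC utilities. The folder `C:\FDCC_Rollback` and the file names in it are placeholders; run the script from an administrative prompt with `snapshot` before applying FDCC settings and with `restore` later.

```batch
@echo off
rem Added example: snapshot security settings with secedit before applying
rem FDCC, and re-apply that snapshot later as an approximate rollback.
rem Usage:  secsnap.cmd snapshot ^| restore
rem Placeholder names (assumptions): C:\FDCC_Rollback, pre_fdcc.inf, restore.sdb
setlocal
set "DIR=C:\FDCC_Rollback"
set "CFG=%DIR%\pre_fdcc.inf"
set "SDB=%DIR%\restore.sdb"

if /i "%~1"=="snapshot" goto snapshot
if /i "%~1"=="restore" goto restore
echo Usage: %~nx0 snapshot ^| restore
exit /b 2

:snapshot
if not exist "%DIR%" mkdir "%DIR%"
rem Refuse to overwrite an existing snapshot: one taken after FDCC was
rem applied would capture the FDCC values, not the pre-application state.
if exist "%CFG%" (
    echo Snapshot already exists: %CFG%
    exit /b 1
)
secedit /export /cfg "%CFG%" /log "%DIR%\export.log"
if errorlevel 1 (
    echo secedit export returned a nonzero exit code; review %DIR%\export.log
    exit /b 1
)
echo Saved current security settings to %CFG%
exit /b 0

:restore
if not exist "%CFG%" (
    echo No snapshot found at %CFG%
    exit /b 1
)
rem /overwrite empties the working database before importing the template;
rem /quiet suppresses the confirmation prompt so the script stays non-interactive.
secedit /configure /db "%SDB%" /cfg "%CFG%" /overwrite /quiet /log "%DIR%\restore.log"
if errorlevel 1 (
    echo secedit configure returned a nonzero exit code; review %DIR%\restore.log
    exit /b 1
)
echo Security settings re-applied from %CFG%
exit /b 0
```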

  8. Anonymous says:

    Attachments might be an option – although I don’t readily see how to do so…maybe A. Margosis might chime in and assist with providing all of us the ability to check out the rollback templates that rliepins developed?

  9. Anonymous says:

    That is not the purpose, nor target market of the document proposed. It is simply for testing purposes. Also, no two applications are exactly the same. Looking at work someone else has done can help if a problem arises in the future with the FDCC (as many have already), and allow a quicker solution than having to wipe a system and re-image.

    While most tools on this website are offered on the "AS-IS" basis, it had become my impression the objective of the forum was to offer better "understanding" through a variety of ways. Applying a different INF file and comparing would certainly help me as well as at least one other (Singood).

    [Aaron Margosis]  As I understood it, the request was for help composing scripts/templates to "undo" application of FDCC settings.  In my work I strive for results that are accurate and complete, and in this case that is difficult to achieve at best.  As I mentioned, IMHO there are better options.  Using virtual machines with "undo disks" is actually faster than running "undo" scripts and gives you much cleaner results.

  10. Anonymous says:

    I tried contacting him regarding attaching the templates, but have heard no response back.

  11. Anonymous says:

    I have been working extensively in the virtual environment for testing.  It has been the best thing for this.

    As for what has been created, the scripts I created were to automate the implementation of FDCC with our line office "exceptions" which are temporary at best, anyway.  The scripts to remove all the settings were worked on for those field systems that don’t have any local IT support and give the end user a troubleshooting technique to revert their system back to default settings.

    As I don’t have enough expertise to take a snapshot of all settings, put them in a template file and revert to those settings, I did the research necessary to try to revert to as close as possible to XP default settings.  It was a long process.

    But these may be of use to people – to get a good understanding of what is happening under the hood.  I’d still be willing to let everyone see what I set up.  Plus it would help to get feedback.  I just can’t do it on a personal blog.  I am sure there are some sort of federal ethics rules I would be bending.

    How about setting up new blog entries to go over specific settings for the registry based template files and security templates.  We could discuss various aspects of what settings could be reverted to, etc.

  12. Anonymous says:

    Our Apply_LGPO_Delta application repeatedly produces the following error in the error log file:

      Policy save failed; error code 0x80070020

    The log file itself ends with the following:

     —-Un-initialize configuration engine…

     SECEDIT.EXE exited with exit code 3

    Any clues?  It sounds similar to the errors the old version of Set_FDCC_LGPO was receiving.

    Any help would be most appreciated.

    [Aaron Margosis]  Apologies for the delay.  Apply_LGPO_Delta has now been updated with the same fix: 
    http://blogs.technet.com/fdcc/pages/LGPO-Utilities.aspx

  13. Anonymous says:

    I would, but I am not sure if posting them here is the best place for this.

    Is the admin willing to allow for us to upload template files?