Apply_LGPO_Delta 1.0: utility to apply custom changes to Local Policy

[2009-04-15:  Attachment removed.  Bookmark this page for the latest versions of these utilities.]  Apply_LGPO_Delta v1.0 is a non-interactive tool that is designed to help make automated changes to Local Group Policy.  It can make changes to registry-based policy as well as apply security templates.  The primary intended scenario is to apply custom changes to FDCC policies after having…

Utilities for automating Local Group Policy management

Update, 21 January 2016: LGPO.exe is a new command-line utility to automate the management of local group policy. It replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM), and the Apply_LGPO_Delta and ImportRegPol tools. Features: Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol),…

Webcast for upcoming Local GPO tool

Updated, 28 April 2008: We’re preparing a new utility for public release and will be demonstrating it in a webcast on Thursday, May 8, 2008 Tuesday, April 29, 2008, 2:30pm Eastern time. The utility is called Apply_LGPO_Delta, and makes it possible to automate custom changes to local group policy. It is intended to be used in…


Set_FDCC_LGPO: Updated for 2008 Q1

[2009-04-15:  Attachment removed.  Bookmark this page for the latest versions of these utilities.]  Set_FDCC_LGPO is a utility that we released in December that applies the Group Policy Objects provided by NIST on their web site to the Local Group Policy on the Windows XP or Windows Vista computer you run the tool on. As NIST has recently updated…


Internet Explorer security setting, "Java Permissions: Disable Java"

[Authors:  Aaron Margosis and Shelly Bird] We recently noted in testing some problems with the Disable Java setting.  We had stated in a recent FDCC LiveMeeting that the “Java Permissions/Disable Java” IE security zone settings only apply to the Microsoft Java Virtual Machine (MSJVM).  Our testing at larger enterprises did seem to confirm this:  numerous…


Update: Importing FDCC Group Policy Objects Script Error Resolved

Author:  Joel Yoker, Principal Consultant   A reader recently sent in a question about the GPO Import script and a syntax error they received at line 356.  We were able to reproduce the error and it appears to be a “cut and paste” error between the blog post and Notepad.  It appears that that carriage…


Script a Custom Power Management Policy

Author: Paul Fox, Senior Consultant Scenario: A customer wants a custom power plan for their laptop images. This is a frequent request to meet new Green initiatives in Federal and State governments. Here are the steps to incorporate a scripted power configuration. The resulting install.cmd can be embedded into a task sequence of Microsoft Deployment Toolkit….


Why don’t all of the FDCC settings appear in the Group Policy Editor?

Author: Mandy Tidwell, Senior Consultant. As many of you may have noticed, the FDCC Group Policy settings spreadsheet and FDCC Group Policy Objects (GPOs) downloaded from NIST contain settings that are not exposed by default in the Group Policy Editor interface. These settings are easily identified in that they all begin with MSS….


FDCC Webcast: FIPS Challenges – Q & A

Author: Paul Fox, Senior Consultant. Question: Is it possible to save more than 1 Set of Recovery Keys to a single USB drive? Answer: Yes, you can save multiple BitLocker recovery keys to a single USB drive. The size of a key is 124 bytes. More information can be found at Question: Is the…