SCM v2 Beta: LocalGPO Rocks!

This is a guest blog post by Alan Burchill, who has been an IT Consultant for over 10 years and is a Group Policy MVP. He is also the author of the Group Policy Center web site, and you can follow him on Twitter at @alanburchill.

Along with the recent release of the Security Compliance Manager v2 Beta, Microsoft also released an update to the LocalGPO tool. This tool allows you to do a whole bunch of cool stuff to manage the local Group Policy settings on a computer. This is very handy if you need to apply security settings to non-domain joined computers in your organization (e.g. DMZ Servers).

This tool has always allowed you to take a backup of a domain-based Group Policy Object and apply it to non-domain joined computers (very handy). But the new version of this tool has now been updated to make it even easier to automate the process of applying these security settings.

If you have not come across this fantastic tool before, I will first go through some of the basics to get you started.

How to Install LocalGPO

The installation files for LocalGPO are actually copied to your computer when you install the Security Compliance Manager v2 Beta. Once installed you can then find the install files at “C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO”.

Simply install the “LocalGPO.msi” by clicking Next>Next>Finish (or something like that) and you are ready to use the tool.

You can verify that the tool is installed by making sure there is a program group called “LocalGPO” in your Start menu.

TIP: When you run the “LocalGPO Command-line” tool, always make sure you right-click on it and select “Run As Administrator”.

Now that you have the LocalGPO tool installed on your computer, I will cover how you can use the tool to export and import settings for your computer.

How to export local Group Policy Settings using LocalGPO

Typically you would only want to export the settings on your “gold” or “master” image computer. Just remember that whatever security settings you have applied to this computer will be exported using the LocalGPO tool.

TIP: You can of course review the settings you have exported if you import them into SCM v2 using the new Import GPO feature.

The command to export the local settings is:

cscript LocalGPO.wsf /Path:c:\GPOBackups /Export

Note: The path you are exporting the settings to must exist, otherwise the command will fail.

If you are familiar with what a GPO backup looks like, you will notice it saves the files in a similar format (well, that’s mainly because it is the same). You can now import this GPO backup to another computer using the LocalGPO tool or import it into a domain-based GPO using GPMC.

How to make a GPOPack using LocalGPO

One of the new features of the LocalGPO tool is the ability to export the local Group Policy settings as a GPOPack. A GPOPack allows you to apply the same settings to any computer without having to install LocalGPO first.

The command to make a GPOPack is very similar:

cscript LocalGPO.wsf /Path:c:\GPOBackups /Export /GPOPack

Note: If you use the /GPOPack switch with a name (e.g. /GPOPack:GPOBackupName) then you will NOT be able to import this into GPMC. But specifying a name does make it easier to type via a command line, as you don’t need to remember and type the GUID in the path.

If you take a look at the GPOPack files you will notice it has created three extra files. These files enable you to apply this pack to any other computer without having to install the LocalGPO tool.

How to apply local group policy settings using LocalGPO

Now that you have exported the local Group Policy as a GPO Backup and a GPOPack, I will show how you can apply these settings to another computer.

If you have the LocalGPO tool installed you can use the tool to import/apply any valid GPO Backup, such as:

  • Backup of a GPO from GPMC
  • Export of Baseline from the Security Compliance Manager
  • Export of a local policy setting using the LocalGPO tool

The command to import the GPO Backup we exported above is:

C:\Program Files (x86)\LocalGPO>cscript LocalGPO.wsf /path:C:\GPOBackups\{865A8CE1-9AFE-4F04-B9D4-A47A75337F50}

The output of the command above can be seen below.

While it’s great that this import process works with any type of GPO Backup, the obvious hassle is that you need to have the LocalGPO tool installed. This is where the new GPOPack feature of the LocalGPO command can come in handy.

How to import/apply a GPOPack generated via LocalGPO

As mentioned before, a GPOPack is nothing more than a regular GPO Backup that has three extra files. You can thus use these GPOPacks to apply the security settings to any computer without the need to install the LocalGPO tool. Put simply, it is a standalone method of applying security settings to your computers.

Below is the command line to apply the GPOPack that we created in the above example:

cscript c:\GPOBackups\{FB8F8D45-7146-4DD9-9F99-A495E871D0BF}\GPOPack.wsf /Path:C:\GPOBackups\{FB8F8D45-7146-4DD9-9F99-A495E871D0BF}

Note: GPOPack.wsf is one of the files included in the GPOPack that is created, and it is the command you need to run to install the pack on any computer.

You may notice that you get a pop-up message when you run this command. This can be suppressed by adding the “/silent” switch (see image below).

So now that you have played with LocalGPO, you can start adding a GPOPack to your computer build process for your non-domain joined computers. Just remember that the command to apply a GPOPack needs to run from the local hard drive due to the security restrictions of the secedit.exe command, so you will need to wrap it in a script that copies the files locally before running the command.
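The wrapper this paragraph calls for, as an added example (not code from the original post or from the LocalGPO tool): it stages a GPOPack on a local fixed disk and then runs GPOPack.wsf with the /Path and /silent switches shown above. The parameter names, the share path in the comment and the treatment of a non-zero cscript exit code as failure are assumptions.

```powershell
# Added example, not part of LocalGPO. Paths and parameter names are hypothetical.
param(
    [Parameter(Mandatory)] [string] $SourcePack,   # e.g. \\buildserver\packs\{GUID}
    [string] $LocalRoot = 'C:\GPOBackups'          # staging folder on a local disk
)
$ErrorActionPreference = 'Stop'

# Applying local policy needs an elevated session.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run As Administrator) prompt.'
}

# Refuse to stage the pack anywhere but a fixed local disk.
$drive = New-Object System.IO.DriveInfo ([IO.Path]::GetPathRoot($LocalRoot))
if ($drive.DriveType -ne [IO.DriveType]::Fixed) {
    throw "$LocalRoot is not on a local fixed disk."
}

# A GPOPack carries its own GPOPack.wsf; a plain GPO Backup does not.
if (-not (Test-Path -LiteralPath (Join-Path $SourcePack 'GPOPack.wsf') -PathType Leaf)) {
    throw "No GPOPack.wsf in $SourcePack; this does not look like a GPOPack."
}

# Copy the whole pack, replacing any stale copy from an earlier run.
$localPack = Join-Path $LocalRoot (Split-Path -Leaf $SourcePack)
if (Test-Path -LiteralPath $localPack) {
    Remove-Item -LiteralPath $localPack -Recurse -Force
}
New-Item -ItemType Directory -Path $LocalRoot -Force | Out-Null
Copy-Item -LiteralPath $SourcePack -Destination $localPack -Recurse

# Apply the pack from the local copy, without the pop-up message.
& cscript.exe //NoLogo (Join-Path $localPack 'GPOPack.wsf') "/Path:$localPack" /silent

# Assumption: a non-zero exit code from cscript means the pack was not applied.
if ($LASTEXITCODE -ne 0) {
    throw "GPOPack.wsf exited with code $LASTEXITCODE."
}
"Applied GPOPack from $localPack"
```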

But wait there is more…

If all this wasn’t enough, you can also use LocalGPO to help audit the security settings of your non-domain joined computers. To do this, export the Local GPO settings from a computer and then import them into SCM v2 using the “Import GPO” option. You can then run this process at regular intervals and compare the results with previous baselines to make sure your server configuration has not recently changed.
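A lightweight complement to the SCM comparison described above, as an added example (not part of LocalGPO or SCM): it compares the security template settings of two exports taken at different times and lists what changed. It assumes each export contains a GptTmpl.inf file, as a GPMC backup does; the parameter names are hypothetical, and settings stored outside the security template are not covered.

```powershell
# Added example. Assumes each export folder contains a GptTmpl.inf security template.
param(
    [Parameter(Mandatory)] [string] $BaselineExport,   # earlier export folder (hypothetical)
    [Parameter(Mandatory)] [string] $CurrentExport     # latest export folder (hypothetical)
)
$ErrorActionPreference = 'Stop'

function Read-SecurityTemplate([string] $ExportFolder) {
    $inf = Get-ChildItem -LiteralPath $ExportFolder -Recurse -Filter 'GptTmpl.inf' |
           Select-Object -First 1
    if (-not $inf) { throw "No GptTmpl.inf found under $ExportFolder" }

    # Flatten the INI file into "[Section] Name" -> value pairs.
    $settings = @{}
    $section  = ''
    foreach ($line in Get-Content -LiteralPath $inf.FullName) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        $name, $value = $line -split '=', 2
        $settings["[$section] $($name.Trim())"] = "$value".Trim()
    }
    return $settings
}

$old = Read-SecurityTemplate $BaselineExport
$new = Read-SecurityTemplate $CurrentExport

# Report every setting that was added, removed or changed since the baseline.
$drift = foreach ($key in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
    if ($old[$key] -ne $new[$key]) {
        [pscustomobject]@{
            Setting  = $key
            Baseline = if ($old.ContainsKey($key)) { $old[$key] } else { '<not present>' }
            Current  = if ($new.ContainsKey($key)) { $new[$key] } else { '<not present>' }
        }
    }
}

if ($drift) { $drift | Format-Table -AutoSize -Wrap }
else        { 'No security template differences between the two exports.' }
```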

While it might not be as easy as applying domain-based GPOs, the LocalGPO tool will save you a heap of time generating and applying security settings to the non-domain joined computers in your environment. If you are an IT Security Auditor or just an IT Pro wanting to make your environment more secure, then this is a must-have tool.

And best of all… it’s FREE!

You can get your hands on the LocalGPO tool right now as part of the Security Compliance Manager v2 Beta.


Comments (9)

  1. Anonymous says:

    Thanks Jason. I will tell Alan you loved his post. Hey, how come I don't get this kind of love on my posts?!?! 🙂

    I agree with you Jason, awesome feature request. That's how we take LocalGPO to the next level. I'll share this feedback with the team and we'll consider for the next version!


  2. Anonymous says:

    Is there a way to go from backed-up Domain GPO to GPOPack?  I'd essentially like to just be able to take my Domain GPO backups, and apply them to my non-domain computers.

  3. jpswade says:

    The images are missing.

  4. Anonymous says:

    Great feedback Ken – you're right on. We need to do this in the UI too – I agree…. -jeff

  5. Anonymous says:

    I am having an issue with localGPO export. At some point when changing local policy some of my user rights assignments stopped getting exported. Does anyone know why this is the case?

  6. Jason Ferguson says:

    Firstly this is a brilliant tool and an excellent post. This is mostly a wish / request but it would be great if you could export the effective policy from a PC with this tool (i.e. result of RSOP) to a GPO backup.

  7. Ken Wachter says:

    Assuming I understand all the information given here, this is good progress on this tool as many of us must configure non-domain or standalone systems.  The ideal next feature I'd like to see is the ability to create a GPOPack from within SCM.  That way I could do all the administrative work from within SCM, create the GPOPack using SCM, and then apply the GPOPack to the standalone target systems without installing the LocalGPO tool.


  8. rick fell / chevron says:

    Where does this leave the MMC snap-in for Security Configuration and Analysis? Will there be import .inf's security templates that support SCAP files? Looking for a 'free' tool that's already on the OS, that I can run audit compares of a system's config against a baseline and report out.

  9. Jim says:

    Why wasn't this done in powershell instead of vbscript?  Will there be a version done in powershell?