LocalGPO not applying all GPOs exported from SCM GPO Backup
Hi,
I'm trying to set a security baseline using SCM and the LocalGPO command line tool.
Basically, I've installed SCM, and saved a backup of the baseline, and then run the cmd line tool.
I get the following output.
C:\Program Files (x86)\LocalGPO>LocalGPO.wsf /Path:C:\LocalGPO\{037d9a35-bf17-4c80-b746-28935b301e61}
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Modifying Local Policy... this process can take a few moments.
Applied valid INF from C:\LocalGPO\{037d9a35-bf17-4c80-b746-28935b301e61}
Applied valid Machine POL from C:\LocalGPO\{037d9a35-bf17-4c80-b746-28935b301e61}
No valid User POL to apply in C:\LocalGPO\{037d9a35-bf17-4c80-b746-28935b301e61}
Applied valid Audit Policy CSV from C:\LocalGPO\{037d9a35-bf17-4c80-b746-28935b301e61}
Local Policy Modified!
Please restart the computer to refresh the Local Policy
The machine is a domain member already, is this where I'm going wrong?
I figured you could apply local GPOs to servers as long as the Domain GPO didn't override, which is our case.
Anyway, when I reboot the machine, some changes are applied, and some aren't.
Can anyone help?
Thanks
May 26th, 2010 4:01pm
Hi,
Did you find the answer to this by any chance?
Applied valid INF from C:\LocalGPO\{037d9a35-bf17-4c80-b746-28935b301e61}
Applied valid Machine POL from C:\LocalGPO\{037d9a35-bf17-4c80-b746-28935b301e61}
No valid User POL to apply in C:\LocalGPO\{037d9a35-bf17-4c80-b746-28935b301e61}
Applied valid Audit Policy CSV from C:\LocalGPO\{037d9a35-bf17-4c80-b746-28935b301e61}
Local Policy Modified!
March 17th, 2011 4:27pm
Figured out the answer. The LocalGPO.wsf script that comes with SCM has an issue with spaces in the names of folders, and is not finding the Audit.csv file, nor the Security file. There is no user pol that gets created for some of the GPOs that get created by SCM, so you will not get that policy pushed.
If you examine the folder structure of the GPO backup, you'll notice that there are folders that represent the different parts that are getting affected by the Policy. You'll see two folders, "Machine" and "User", if there are both Machine policies and user policies that are being affected by the changes you've made within SCM.
You'll also notice a folder underneath the Machine folder called microsoft, and within that a folder "windows nt". This folder is where the audit and Security database files live, under "Audit\audit.csv" and "SecEdit\GptTmpl.inf". This would be all fine and good and will work like a charm if you make one change to the LocalGPO.wsf script as well as a change to the folder structure. You have to take the space out of that folder "windows nt", and change the references to it in the LocalGPO.wsf script accordingly.
Line 554
strInfPath = strBackupGPOPath & "\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"
And line 557
strCsvPath = strBackupGPOPath & "\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\Audit.csv"
Should be changed to
strInfPath = strBackupGPOPath & "\DomainSysvol\GPO\Machine\microsoft\windowsnt\SecEdit\GptTmpl.inf"
strCsvPath = strBackupGPOPath & "\DomainSysvol\GPO\Machine\microsoft\windowsnt\Audit\Audit.csv"
Save the script, or do a save as to another name. Run the new name with the same variable /Path:Full path to GPO backup folder
And you should see Audit and Security run successfully and all of your wildest security dreams of pushing all of that out with a script come true.
SMR
March 21st, 2011 11:49am
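
To see which audit settings from the backup actually took effect after the reboot, the Audit.csv in the backup can be compared with what auditpol reports. This is an added example, not part of the thread or of LocalGPO; the script and its parameter name are illustrative, and it assumes an elevated prompt, English-language auditpol output, and the "Subcategory GUID" and "Inclusion Setting" column names in both CSVs.

```powershell
# Added example (not from the thread): list audit subcategories whose effective
# setting differs from the Audit.csv in a GPO backup. Run elevated.
param(
    [Parameter(Mandatory = $true)]
    [string]$BackupPath   # full path to the GPO backup folder, as passed to /Path:
)

# Both locations named in the thread: the original folder and the renamed one.
$candidates = @(
    'DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\Audit.csv',
    'DomainSysvol\GPO\Machine\microsoft\windowsnt\Audit\Audit.csv'
) | ForEach-Object { Join-Path $BackupPath $_ }

$csvPath = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $csvPath) { throw "No Audit.csv found under $BackupPath" }

# Effective policy, keyed by subcategory GUID. PowerShell hashtable keys are
# case-insensitive, so GUID casing differences between the two sources do not matter.
# Assumption: auditpol /r emits CSV with the column names used below.
$effective = @{}
auditpol.exe /get /category:* /r |
    Where-Object { $_.Trim() } |          # drop blank lines in the output
    ConvertFrom-Csv |
    ForEach-Object { $effective[$_.'Subcategory GUID'] = $_.'Inclusion Setting' }

# Walk the baseline and keep only rows where expected and actual disagree.
$mismatches = Get-Content -LiteralPath $csvPath |
    ConvertFrom-Csv |
    Where-Object { $_.'Subcategory GUID' } |   # skip rows that are not subcategories
    ForEach-Object {
        $actual = $effective[$_.'Subcategory GUID']
        if ($actual -ne $_.'Inclusion Setting') {
            New-Object PSObject -Property @{
                Subcategory = $_.Subcategory
                Expected    = $_.'Inclusion Setting'
                Actual      = $actual
            }
        }
    }

if ($mismatches) {
    $mismatches | Format-Table Subcategory, Expected, Actual -AutoSize
} else {
    "All audit subcategories in $csvPath match the effective policy."
}
```

An empty Actual column means auditpol did not report that subcategory GUID at all. A mismatch only shows that the effective value differs from the baseline; it does not say whether the file was skipped or the setting was overridden afterwards.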