Some of you may have seen a Twitter post I did a while back letting folks know about the Security Compliance Manager, which is a tool from Microsoft that lets you manage, edit, report, search and export security templates and baselines. This tool is pretty cool, but it also has a hidden gem in it. When you install the SCM, you will notice a folder within its program group called “LocalGPO”, which contains a package called localgpo.msi. When you run that MSI, it installs some files within a folder on your hard drive, and one of those files is a script called localgpo.wsf. What this script can do is pretty cool. It can do 3 things against your local GPO that I really like:
- It can back up your local GPO to a GPMC-formatted backup, which means you could back up a local GPO and then use GPMC to import it into a domain-based GPO.
- It can take a GPMC backup of GP settings and import them into a local GPO on a machine.
- It can restore a local GPO to its default state.
These are three great features for managing the local GPO. Let’s take a look at how to use each. For backing up the local GPO, the syntax is simple:
From a command shell, I simply type:
cscript LocalGPO.wsf /path:c:\gpbackups /export
Where c:\gpbackups is a path to where I want to store my backup and /export tells the script to export my local GPO settings.
Now if I want to import a GPMC backup into my local GPO, the syntax is even easier. I simply provide the path to the GUID-Named folder that GPMC creates under the backup directory when you back up a GPO, like this:
cscript LocalGPO.wsf /path:C:\gpbackups\{42ADD8FE-EDF6-479B-92C6-557343D8D091}
And, to restore a local GPO to its default config:
cscript LocalGPO.wsf /restore
Pretty easy to use, and this script seems to support every OS from XP to Win7. A couple of caveats, however. In looking at the script, Microsoft is only supporting Administrative Templates and Security Policy within these backup and restore operations (understandable given the ship vehicle for this thing). So if you have other policies like Scripts or IE Maintenance within your local GPO, they won’t be captured. Also, the script does not appear to deal with the multiple local GPOs feature supported in Win Vista and above. So if you have per-user local GPOs, they are not captured; only the default local GPO is.
That being said, the script does provide some good basic functionality as well as a good instructional document on how to capture and reset security settings from the local GPO (which are essentially stored in the local SAM rather than on the file system as in domain-based GPOs).
Hope this proves useful to you!
Darren
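A pre-import check for the folder passed to /path:, as an added example that is not part of the original post or of Microsoft's script: it rejects a path that does not end in a GUID-named backup folder and lists which policy areas in the backup fall outside what the post says LocalGPO.wsf handles. The file layout inside the backup and the names check_backup and make_sample are assumptions.

```python
import re
import tempfile
from pathlib import Path

# GPMC names each backup folder with a brace-wrapped GUID.
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Assumed GPMC backup layout (not taken from the post).
GPO = Path("DomainSysvol") / "GPO"
HANDLED = {  # areas the post says LocalGPO.wsf supports
    "Administrative Templates (machine)": GPO / "Machine" / "registry.pol",
    "Administrative Templates (user)": GPO / "User" / "registry.pol",
    "Security Policy": GPO / "Machine" / "microsoft" / "windows nt" / "SecEdit" / "GptTmpl.inf",
}
IGNORED = {  # areas the post says are not captured
    "Scripts (machine)": GPO / "Machine" / "Scripts" / "scripts.ini",
    "Scripts (user)": GPO / "User" / "Scripts" / "scripts.ini",
    "IE Maintenance": GPO / "User" / "MICROSOFT" / "IEAK" / "install.ins",
}


def check_backup(path):
    """Return (handled, ignored) policy areas found in a GPMC backup folder."""
    folder = Path(path)
    if not GUID_DIR.match(folder.name):
        raise ValueError(f"{folder.name!r} is not a GUID-named GPMC backup folder")
    if not (folder / "Backup.xml").is_file():
        raise ValueError(f"no Backup.xml in {folder}")
    handled = [name for name, rel in HANDLED.items() if (folder / rel).is_file()]
    ignored = [name for name, rel in IGNORED.items() if (folder / rel).is_file()]
    return handled, ignored


def make_sample(root):
    """Build a constructed backup tree (empty placeholder files) for the demo."""
    folder = Path(root) / "{42ADD8FE-EDF6-479B-92C6-557343D8D091}"
    files = [Path("Backup.xml"), HANDLED["Administrative Templates (machine)"],
             HANDLED["Security Policy"], IGNORED["Scripts (machine)"]]
    for rel in files:
        (folder / rel).parent.mkdir(parents=True, exist_ok=True)
        (folder / rel).touch()
    return folder


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        handled, ignored = check_backup(make_sample(tmp))
        print("will be imported:", handled)
        print("present but not imported:", ignored)
```

Anything reported in the second list has to be carried over to the target machine by other means, since the import will not apply it.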
Darren – This post is So Timely … I just found this tool earlier this month. I am working on incorporating this into my Desktop Build with MDT. Slick. I configure One machine with my required settings. I use the tool to backup those settings. Then I copy the required files and folders over and will use MDT to configure them into my image. I’ve been on to Microsoft for years about providing a utility to do this and they’ve finally produced something that seems pretty reliable. I’ve been using SECEDIT to import the Security Policy but now that you mention you think it’s supported, I’ll try it without and see if it supports those. The one issue I’ve run into is you have to ensure all the required files and folders that are required for the LocalGPO.wsf script are available on both ends. (In MDT that means in the Scripts (%SCRIPTROOT%) directory.) Thanks for confirming that what I think is a good thing really is 🙂
Thanks Darren!
I’m looking to do the same thing Callie is. Your instructions combined with Microsoft’s script will prove to be a big help.
The instructions are wrong. You forgot the backslashes.
It would actually be cscript LocalGPO.wsf /path:C:\gpbackups\{42ADD8FE-EDF6-479B-92C6-557343D8D091}
and
cscript LocalGPO.wsf /path:c:\gpbackups /export
Thanks Justin. You’re right. Syntax corrected!