Tuesday, July 31, 2012 10:04 PM
My ultimate goal is to have the MSS settings be present in gpedit (or equivalent) so I can configure them and have the settings deployed to a bunch of systems. (We have the infrastructure in place to do this already via GPOs—the trouble is the MSS settings.) A hackish way to do it is at http://www.cupfighter.net/index.php/2010/11/missing-mss-setting-windows-2008/, but I'd like to try to do it the right way.
The right way to do this, apparently, is to install the Security Compliance Manager. All I need is the LocalGPO.msi, which is supposed to give me a LocalGPO.wsf that I can use to get the MSS settings to appear in gpedit. (Ref. http://social.technet.microsoft.com/Forums/sk/winserverGP/thread/6fadb463-1f26-4594-b01e-eea8bf82e9cb, for instance.)
I am having great difficulty installing SCM 2.5 and have decided to give up. I have a W2K3 domain controller that we build GPOs in and export from (using GPMC). Evidently this type of environment isn't well-supported by SCM because SQL Server Express doesn't install nicely. I don't really feel like deploying a full SQL install since this seems like a ridiculous amount of overhead for me to get a single script.
So, here's my question: is there a way to rip apart the Security_Compliance_Manager_Setup.exe file to pull out the parts I need to get MSS settings? Or should I just hand-craft an administrative template to get the right settings? My other option would be to deploy registry settings, but on the off-chance they'll be overwritten by GPOs, this is really a last resort. Or, am I going about this completely wrong and there's some much easier way to get the MSS settings to show in gpedit?
Tuesday, August 07, 2012 7:25 PM
I don't believe installing SCM (and the associated SQL install) is supported on a domain controller. Give it a try on a member server or a client and then grab the LocalGPO.msi.
- Marked As Answer by spakov Tuesday, August 07, 2012 11:36 PM
Tuesday, August 07, 2012 11:37 PM
Yep, that's the way to go, I guess. Thanks.
Friday, August 10, 2012 8:06 PM Owner
Jim is correct, that's the best way for most folks. You can manually update the GPO tools, as described in this other recent thread: http://social.technet.microsoft.com/Forums/en-US/compliancemanagement/thread/dd66dd86-0c08-4f19-8000-b2bb75e37b4f, but copying the installer for LocalGPO to the other systems is less complex.
Kurt Dillard http://www.kurtdillard.com
- Marked As Answer by Kurt Dillard (Moderator) Friday, August 10, 2012 8:36 PM