Using LocalGPO.wsf for standalone PCs
-
Tuesday, November 15, 2011 8:53 PM
I am new to SCM and have read nice things about the new LGPO tool. I have edited a local user policy on a kiosk machine and want to export it and put it on other kiosk PCs. I need some direction on exactly how I need to do that. When I do the standard localgpo.wsf syntax options, does it take "all" policies from the machine or just the base administrative and user policies?
All Replies
-
Wednesday, November 16, 2011 4:03 PM Owner
The Local Policy Tool retrieves everything that's stored in the local GPO, so it won't include system services configuration, file system permissions, registry permissions, or administrative template settings delivered via domain-based group policy. Be sure to read the section called "Introducing the Local Policy Tool" in the Windows Server 2008 R2 SP1 Security Guide. I think you should spend some time experimenting with it. Another approach would be to configure the baseline exactly how you want it in SCM, and then apply it to the kiosk PCs using LocalGPO.
Kurt Dillard http://www.kurtdillard.com
-
Wednesday, November 16, 2011 4:27 PM
Let's say I created a local user named kiosk1 and set some restrictions in the MLGPO just for that user name so only the kiosk1 user has limited access to the machine. So you're saying those changes will come over as well when I do the export?
-
Wednesday, November 16, 2011 7:49 PM
No... the exported GPO Backup will only include what is configured in the Local Policy. MLGPO and Local Policy are separate.
However, you can use LocalGPO to configure MLGPO... it can apply a GPO backup to MLGPO.
Here is the approach I would follow:
- Configure the restrictions directly in Local Policy or in a GPO.
- Create a GPO Backup using "LocalGPO /Path:<path to folder> /Export" or GPMC.
- Apply the GPO Backup using "LocalGPO /Path:<path to GPO Backup root folder> /MLGPO:Kiosk1"
A variation of this approach that might prove helpful is to create a GPOPack in #2. The GPOPack is more portable... search for GPOPack in SCM Help.
-
Wednesday, November 16, 2011 8:14 PM
So what you are telling me is I wasted my time editing policy settings/restrictions for that local user only since I can only APPLY backups or packs to an individual account...LOL :) not the other way around? I see the point, I am just frustrated I got the local user just the way we need it, and now have to go over all of those GPO settings and recreate it again on a different machine before I can export it and start using GPOPacks to apply to the other 20-30 kiosks..lol
-
Wednesday, November 16, 2011 9:31 PM
I wouldn't say you wasted your time... there is no better way to "test" the restrictions you are putting in place than by doing what you have done.
While you could follow the approach you outline above, and reconfigure *all* settings on another computer, there are many other options... here is one approach:
- Configure a single User setting in the Local Policy of the Kiosk computer
- Use LocalGPO to export a GPO Backup or GPOPack
- Copy the "registry.pol" file from "c:\Windows\System32\GroupPolicyUsers\<SID>\User" (you should only see one if Kiosk1 is the only local user with an MLGPO)
- Paste the "registry.pol" file over the ..\User\registry.pol inside the GPO Backup or GPOPack created in Step #2
You will then have a GPO Backup or GPOPack with *all* the settings originally configured for Kiosk1 in MLGPO. You can then apply this GPO Backup or GPOPack using the MLGPO option to configure other users the same as Kiosk1.
Now you can really LOL from all the time you've just saved! ;-)
- Marked As Answer by dshonwood Wednesday, November 16, 2011 9:47 PM
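Steps 3 and 4 of the approach in the answer above, scripted in PowerShell as an added example (not part of the original reply and not part of LocalGPO or SCM). It assumes an elevated session, PowerShell 4.0 or later for `Get-FileHash`, and that `$BackupRoot` points at the GPO Backup or GPOPack folder exported in step 2; both parameter defaults are placeholders.

```powershell
# Added example: copy a user's MLGPO registry.pol into an exported GPO Backup/GPOPack.
param(
    [string]$UserName   = 'Kiosk1',               # local account that has the MLGPO
    [string]$BackupRoot = 'C:\gpopack\GPOPack1'   # assumed export folder from step 2
)

$ErrorActionPreference = 'Stop'

# The MLGPO folder is named after the account's SID, so resolve the name first.
$account = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$UserName")
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$source = Join-Path $env:SystemRoot "System32\GroupPolicyUsers\$sid\User\registry.pol"
if (-not (Test-Path -LiteralPath $source)) {
    throw "No MLGPO registry.pol found for $UserName ($sid) at $source"
}

# A registry policy file begins with the 4-byte signature 'PReg'; refuse anything else.
$head = [System.IO.File]::ReadAllBytes($source)[0..3]
if ([System.Text.Encoding]::ASCII.GetString($head) -ne 'PReg') {
    throw "$source does not look like a registry.pol file"
}

# Locate the User\registry.pol that the export produced from the single user setting.
$targets = @(Get-ChildItem -LiteralPath $BackupRoot -Recurse -Force -Filter 'registry.pol' |
    Where-Object { $_.Directory.Name -eq 'User' })
if ($targets.Count -ne 1) {
    throw "Expected exactly one User\registry.pol under $BackupRoot, found $($targets.Count)"
}
$target = $targets[0].FullName

# Keep the exported file so the change can be reverted, then overwrite it.
Copy-Item -LiteralPath $target -Destination "$target.orig" -Force
Copy-Item -LiteralPath $source -Destination $target -Force

# Confirm the copy is byte-identical before the pack is distributed to other kiosks.
$srcHash = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) { throw 'Hash mismatch after copy' }
"Replaced $target with the MLGPO settings of $UserName (SHA256 $dstHash)"
```

Recording the printed SHA256 alongside the pack gives a simple way to check later that the registry.pol being pushed to the kiosks is still the one that was tested.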
-
Wednesday, November 16, 2011 9:49 PM
Thank both of you for your replies. I am slowly but surely getting my feet wet with SCM and the wonderful GPO tool. I still have a lot of reading and experimenting to go. You both put me in the right direction.
Thanks again.
-
Wednesday, April 25, 2012 2:47 PM
Can this also be used with a MLGPO created with mmc.exe that is for non-administrator accounts only on a machine? I also have a group of stand-alone PCs for our libraries. I am making a kiosk type setting that I need to deploy to all the machines using scripts pushed down from a server (no manual setups). The mmc creates a .msc file with the policies. How can that be incorporated with the LocalGPO tool?
Thanks!
Sara
-
Wednesday, April 25, 2012 5:59 PM Owner
Sara,
I'm not sure that I follow what you are saying. A .msc file has nothing to do with local GPOs or MLGPOs, it's the format used for MMC snap-ins. The MMC-based tool for editing the local GPO is gpedit.msc, but that file doesn't actually contain the local GPO.
I believe that you can use the LocalGPO tool to apply the user settings to the kiosk user account with the MLGPO switch that Jose describes in his posts in this thread, e.g. /MLGPO:KioskUser. Have you tried that?
Kurt
Kurt Dillard http://www.kurtdillard.com
- Edited by Kurt Dillard (Moderator) Wednesday, April 25, 2012 8:14 PM
-
Wednesday, April 25, 2012 8:15 PM Owner
Sara,
Here's some more information from Jose, Jofer is his username in the TechNet Forums...
The steps for what the user wants to do require creating a GPO backup with all the right\desired\required user settings, and using LocalGPO to apply them to all the other computers through scripts. This is much easier done with GPOPacks as it eliminates having to install LocalGPO.
In other words, a GPOPack with all the right user settings can be applied to the MLGPO using the following command line:
In this example, settings would affect all local admins:
Cscript GPOPack.wsf /MLGPO:Administrators /silent
Cscript c:\gpopack\GPOPack1\GPOPack.wsf c:\gpopack\GPOPack1 /MLGPO:Users /silent
That command line affects all local users on the computer.
In this example, a "specific" local user would get the settings:
Cscript GPOPack.wsf /MLGPO:SpecificLocalUser1 /silent
If running the GPOPack.wsf file from outside the GPOPack's root folder… the command-line needs to reference the path to GPOPack.wsf:
Kurt Dillard http://www.kurtdillard.com
-
Wednesday, May 09, 2012 11:39 AM
Hi,
I used my gpedit.msc to create my PLGPOs, Local Computer Policy and Non Administrator Policy. Then I used GPOPack to export the settings and I ran the secedit command on the second PC (without installing GPOPack since it's not necessary).
The result was that the Local Computer Policy applied to the second PC but not the Non-Administrators Policy.
Any idea why?
Reading this post it sounds like I should be able to replicate/copy both GPOs using GPOPack.
Regards,
Anne
http://mpsbroadband.com
-
Wednesday, May 09, 2012 2:55 PMOwner
Anne;
I apologize but I can't follow your procedures. What do you mean by PLGPO? Did you use the /mlgpo switch when exporting the local GPO? Why are you using secedit? Just use localgpo to export the gpopack, then run gpopack.wsf on the target machine. If you provide the exact commands that you are entering on both the source and target machine we might be able to help you more effectively.
Kurt
Kurt Dillard http://www.kurtdillard.com

