LocalGPO does not import all settings within the .pol file

    Question

  • This is a follow-up to a post I made to a different stream, in order to provide clarification.

    We are creating custom baselines for standalone systems (Windows 7 in this case). These systems are not a part of an Active Directory infrastructure. Because SCM does not include all of the possible settings, we created custom registry.pol files that do include those settings. What we have found is that LocalGPO does not import those settings. It only appears cognizant of those settings that can be configured via the SCM. Any customized settings, such as remove "My Documents" from the desktop, prevent users from sharing files within their profile, Turn off Help Experience Improvement Program, etc., are lost when the import is performed. LocalGPO does not report an error when the import is executed.

    Friday, April 27, 2012 4:14 PM

All replies

  • Penguin,

    Thanks for reposting to this new thread.

    LocalGPO only interacts with settings stored in the local group policy object (LGPO). I don't know what your custom .pol files include or how you are applying them to the computer, but if they are not applied to the LGPO then our tool will not be aware of them. In other words, if you're using .pol files to poke registry values in various locations, LocalGPO won't pick up those changes because it only manipulates what's configured via LGPO. LocalGPO doesn't copy the entire computer registry hive or the entire current user registry hive; it only manipulates the LGPO. Does that make sense?

    Regards,

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    Monday, April 30, 2012 3:24 PM
  • I understand what you've said but the .pol file we are using was created using the native Group Policy Editor in Windows 7. Shouldn't LocalGPO be able to configure those same settings?

    Monday, April 30, 2012 4:33 PM
  • Yes, LocalGPO should export settings configured with gpedit.msc. What settings are you configuring that are being omitted? 

    Kurt Dillard http://www.kurtdillard.com

    Monday, April 30, 2012 4:54 PM
  • As noted in the original post, some of the settings we are using include:

    remove "My Documents" from the desktop

    prevent users from sharing files within their profile

    Turn off Help Experience Improvement Program

    Turn off Help Ratings

    Tuesday, May 01, 2012 11:14 AM
  • Penguin;

    When you want to discuss specific settings it's really helpful if you include the entire path, not just the setting name. It took me a while to track down the locations of those 4 settings. I configured them in the local GPO of a Windows 7 computer using gpedit.msc, then exported the LGPO using the LocalGPO tool. I opened the registry.POL file in the user folder of the GPO backup created by LocalGPO and saw the following 4 entries, which correspond to those 4 settings:

    [Software\Microsoft\Windows\CurrentVersion\Policies\Explorer;NoInplaceSharing;;;]
    [Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum;**del.{450D8FBA-AD25-11D0-98A8-0800361B1103};;;]
    [Software\Policies\Microsoft\Assistance\Client\1.0;NoExplicitFeedback;;;]
    [Software\Policies\Microsoft\Assistance\Client\1.0;NoImplicitFeedback;;;]

    I then imported the GPO backup into a blank GPO on a domain controller running Windows Server 2008 R2 and see all 4 of those user settings configured. In other words, I cannot see the problem with LocalGPO that you describe.


    Kurt Dillard http://www.kurtdillard.com

    Tuesday, May 01, 2012 5:07 PM
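
The check described above (opening registry.pol and confirming that the expected entries are present) can be scripted by parsing the file directly and comparing the .pol you intended to deploy with one exported after the import. This is an added example, not code from the thread or from LocalGPO; it assumes the PReg layout (`PReg` signature, version 1, UTF-16LE `[key;value;type;size;data]` records), and the sample bytes, including their types and data, are constructed.

```python
import struct

HEADER = b"PReg" + struct.pack("<I", 1)  # file signature + format version 1
REG_SZ, REG_DWORD, SEMI = 1, 4, ord(";")
u16 = lambda text: text.encode("utf-16-le")

def build_entry(key, value, reg_type, data):  # serialize one record (samples only)
    return (u16(f"[{key}\0;{value}\0;")
            + struct.pack("<IHIH", reg_type, SEMI, len(data), SEMI) + data + u16("]"))

def skip(blob, pos, char):  # require a UTF-16LE delimiter at pos, return offset after it
    if blob[pos:pos + 2] != u16(char):
        raise ValueError(f"expected {char!r} at offset {pos}")
    return pos + 2

def read_string(blob, pos):  # NUL-terminated UTF-16LE string -> (text, next offset)
    end = pos
    while blob[end:end + 2] not in (b"\0\0", b""):  # b"" means the data ran out
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def parse_pol(blob):
    """Parse registry.pol bytes into (key, value, type, data) tuples."""
    if blob[:8] != HEADER:
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []
    while pos < len(blob):
        key, pos = read_string(blob, skip(blob, pos, "["))
        value, pos = read_string(blob, skip(blob, pos, ";"))
        reg_type, s1, size, s2 = struct.unpack_from("<IHIH", blob, skip(blob, pos, ";"))
        if (s1, s2) != (SEMI, SEMI):
            raise ValueError(f"malformed type/size fields after offset {pos}")
        start = pos + 14  # the ';' after the value name, then 12 bytes of type;size;
        entries.append((key, value, reg_type, blob[start:start + size]))
        pos = skip(blob, start + size, "]")
    return entries

def missing_settings(expected, actual):  # (key, value) names in expected but not in actual
    names = lambda blob: {(k.lower(), v.lower()) for k, v, *_ in parse_pol(blob)}
    return sorted(names(expected) - names(actual))

# Constructed samples: the four entries quoted in the thread; types and data are assumed.
POLICIES, ONE = r"Software\Microsoft\Windows\CurrentVersion\Policies", struct.pack("<I", 1)
ASSIST = r"Software\Policies\Microsoft\Assistance\Client\1.0"
ENTRIES = [build_entry(POLICIES + r"\Explorer", "NoInplaceSharing", REG_DWORD, ONE),
           build_entry(POLICIES + r"\NonEnum", "**del.{450D8FBA-AD25-11D0-98A8-0800361B1103}", REG_SZ, u16(" \0")),
           build_entry(ASSIST, "NoExplicitFeedback", REG_DWORD, ONE),
           build_entry(ASSIST, "NoImplicitFeedback", REG_DWORD, ONE)]
CUSTOM_POL = HEADER + b"".join(ENTRIES)            # the .pol you meant to deploy
AFTER_IMPORT_POL = HEADER + b"".join(ENTRIES[:2])  # constructed: last two settings lost
```

With real files, read both registry.pol files in binary mode and pass their contents to `missing_settings`; an empty list means every named setting survived the import.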
  • Our steps are as follows:

    Create a custom registry.pol file containing the desired user configuration. We did this via gpedit on the Windows 7 machine.

    Create a GPOPack with the desired machine level settings. This is facilitated by a custom secregvl.inf that is imported into the machine using the Security Configuration and Analysis tool.

    After creating the GPOPack, replace the User .pol file with the custom .pol file.

    Attempt to import this GPOPack into a "clean" Windows 7 machine. The subject user controls are missing.

    Wednesday, May 02, 2012 11:34 AM
  • One other note on this, similar to your results with the Windows 2008 Server above, if one sets the configuration settings using gpedit, then uses LocalGPO to create the GPOPack with the custom settings, it works fine....

    Wednesday, May 02, 2012 1:11 PM
  • Glad you have things working now.

    Kurt Dillard http://www.kurtdillard.com

    Wednesday, May 02, 2012 3:28 PM
  • I am having a similar issue with LocalGPO, specifically with the user Local Policies -> User Rights Assignment -> Log on as a service and "Log on as a batch job" as an example. I use gpedit.msc to edit the policy and LocalGPO to export. The export step is missing the "Log on as a batch job" and therefore the import does not show the change. Do you know why the export is not picking up the change? When I look back at other exports I have done last month using the same LocalGPO tool, I see that the export used to get the proper policy. Please help?
    Friday, May 17, 2013 1:19 PM