How to use Security Compliance Manager GPOs

  • Question

  • First off I'll state that the only thing I need SCM for is because I'm trying to meet some auditing compliance rules that used to be available with the GPO accelerator which isn't available any longer. Specifically all the MSS: () rules under:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

    I have SCM installed on my workstation, downloaded all the baselines and have tried both the cab file export and the GPO backup. My goal, or let's say requirement, is that I can import the GP object into my GPOs already in existence. I've gone through this application for a couple of days now trying various things including reading the help (not helpful).

    Can someone explain the whole process to me to accomplish getting GPOs into my domain group policy? Specifically the MSS () rules if possible.

    Tuesday, September 13, 2011 9:34 PM

All replies

  • The GPOAccelerator was replaced last year by the Local Policy Tool (LPT); you can use LPT to update the user interface for the GPO management tools so that the MSS settings are visible. The installer for LPT is bundled with SCM. After installing SCM you should see it in your Start menu under "Microsoft Security Compliance Manager\LocalGPO," or you should be able to find it in Windows Explorer at "C:\Program Files\Microsoft Security Compliance Manager\LGPO." That part of LPT is almost identical to what was in the GPOAccelerator; you can find instructions for installing and using LPT in the SCM help content.
    Kurt Dillard http://www.kurtdillard.com
    • Proposed as answer by Kurt Dillard Thursday, September 15, 2011 4:38 PM
    Thursday, September 15, 2011 4:38 PM
  • Ok, I see, so do I simply copy the LocalGPO.msi file to the Domain Controllers where I'm controlling Group Policy and install it? Or do I have to push this MSI out to all workstations?
    Thursday, September 15, 2011 4:47 PM
  • That's a separate question; I overlooked it in my first reply. Use LocalGPO to update the user interface, but for deploying the GPOs I think you should use Active Directory-based group policy. You can use the Group Policy Management Console on the DC to import GPO backups from SCM into AD. I recommend that you create new, empty GPOs in AD and import the GPO backups into those, rather than overwriting your existing GPOs. Why? Because you won't be able to undo changes to the existing GPOs if you import into them.

    Another important point: you need to carefully test changes introduced by settings from our baselines before pushing the GPOs into production. Some of the settings in our GPOs may cause problems with some of your business applications, so it's critical that you test and, if necessary, adjust values for troublesome settings.

    Kurt Dillard http://www.kurtdillard.com
    Thursday, September 15, 2011 5:04 PM
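As an added example (not code from the thread or from SCM), this is the "new empty GPO, then import the backup" procedure Kurt describes, done with the GroupPolicy module cmdlets (New-GPO, Import-GPO, Get-GPOReport) instead of the GPMC wizard. The backup folder path, the backed-up GPO's display name and the target GPO name are assumptions; the new GPO is deliberately left unlinked so it can be tested before it reaches production.

```powershell
# Import an SCM GPO backup into a fresh, unlinked GPO (added example; names/paths are assumed).
Import-Module GroupPolicy

$BackupPath = 'C:\SCM\GPOBackups\WS2008R2-Member-Server'          # folder created by SCM's GPO backup export (assumed)
$BackupName = 'WS2008R2 Member Server Security Compliance 1.0'    # display name of the GPO inside that backup (assumed)
$TargetName = 'TEST - SCM WS2008R2 Member Server'                 # new, empty GPO to import into (assumed)

if (-not (Test-Path -Path $BackupPath)) {
    throw "Backup folder not found: $BackupPath"
}

# Importing over a live GPO cannot be undone, so refuse to reuse an existing name.
$existing = $null
try { $existing = Get-GPO -Name $TargetName -ErrorAction Stop } catch { }
if ($existing) {
    throw "GPO '$TargetName' already exists; choose a fresh name instead of overwriting it."
}

# Create the empty GPO and pull the baseline settings into it. No New-GPLink here on purpose:
# the GPO stays unlinked until the settings have been reviewed and tested against your applications.
$gpo = New-GPO -Name $TargetName -Comment "Imported from SCM backup '$BackupName' on $(Get-Date -Format s)"
Import-GPO -BackupGpoName $BackupName -Path $BackupPath -TargetName $TargetName | Out-Null

# Produce an HTML settings report for review before anything is linked.
$Report = Join-Path -Path $env:TEMP -ChildPath ("{0}.html" -f $gpo.DisplayName)
Get-GPOReport -Name $TargetName -ReportType Html -Path $Report

Write-Host "Imported '$BackupName' into unlinked GPO '$TargetName'."
Write-Host "Review $Report, test the GPO in a lab OU, then link it with New-GPLink."
```

Run this on a management host where RSAT's GroupPolicy module and the LocalGPO UI update are installed; the MSS values are imported either way, but without LocalGPO the editor on that host will not display them.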
  • Ok, that is what I thought. I have been attempting to do that (import GPOs from SCM into new GPOs in AD). The MSS rules still don't show up in the imported GPOs and I don't understand why. I can see them in SCM when I export.
    Thursday, September 15, 2011 5:18 PM
  • That's because you haven't updated the GP tools user interface with LocalGPO (aka LPT), as I described in my first reply. I strongly encourage you to review the SCM help content. It's also important that you read the security guide attached to the baselines in SCM; for example, the Windows Server 2008 R2 guide includes a section entitled "Introducing the Local Policy Tool" that explains what it does and how to use it in detail.
    Kurt Dillard http://www.kurtdillard.com
    • Proposed as answer by Kurt Dillard Thursday, September 15, 2011 5:43 PM
    Thursday, September 15, 2011 5:34 PM
  • Oh, another important thing which you may not know yet: we're posting a new version of SCM today. SCM 2.0 should be available for download sometime today, within 24 hours at the latest. It also includes an updated version of the LocalGPO tool. I think you'll like SCM 2.0; it has a lot of major improvements and new features.
    Kurt Dillard http://www.kurtdillard.com
    Thursday, September 15, 2011 5:36 PM
  • Ok, I think I understand, so I do need to install LocalGPO on the system managing the GPOs. Thanks for your help.
    Thursday, September 15, 2011 5:38 PM
  • Yes, that's right. Let me know if you have more questions about SCM and the baselines.

    Kurt Dillard http://www.kurtdillard.com
    Thursday, September 15, 2011 5:43 PM
  • Good to know about the new version. I just wanted to write to confirm that installing the LocalGPO command line and then running the /ConfigSCE switch made the MSS settings appear in Group Policy. One more question: do I need to deploy LocalGPO to each domain controller, or if I did it on the FSMO master would that be sufficient for all of them?
    Thursday, September 15, 2011 8:26 PM
  • You'll need to install and run it on every machine where you want to be able to manage the MSS settings. That's because of the way the settings are stored: they use the older security template technology rather than the newer and more flexible administrative templates technology. The UI data is actually stored in the system registry, not in the GPO, ADM, or ADMX files.
    Kurt Dillard http://www.kurtdillard.com
    Thursday, September 15, 2011 10:45 PM
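As an added example (not from the thread or from the LocalGPO tool), this script checks whether the MSS entries are registered in the Security Configuration Editor UI on the local management host, which is the per-machine registry state Kurt refers to. It reads the SeCEdit\Reg Values key where the Security Options UI picks up registry-based settings; the assumption is that LocalGPO /ConfigSCE registers the MSS entries there with a DisplayName starting with "MSS:".

```powershell
# Verify the MSS: UI entries are registered on this host (added example; "MSS:" DisplayName prefix is assumed).
$SceKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values'

function Get-MssUiEntry {
    # Each subkey names a target registry value with '/' as the path separator and carries
    # the DisplayName/ValueType the Security Options editor shows for it.
    Get-ChildItem -Path $SceKey -ErrorAction Stop | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.DisplayName -like 'MSS:*') {
            [pscustomobject]@{
                DisplayName  = $props.DisplayName
                RegistryPath = ($_.PSChildName -replace '/', '\')
                ValueType    = $props.ValueType
            }
        }
    }
}

$entries = @(Get-MssUiEntry)
if ($entries.Count -eq 0) {
    # The GPO may already contain the values; only this host's editor UI is missing them.
    Write-Warning ("No MSS: settings registered on {0}. Run 'LocalGPO.wsf /ConfigSCE' here (elevated) " +
                   "and reopen the Group Policy editor.") -f $env:COMPUTERNAME
} else {
    "{0} MSS: settings are registered on {1}:" -f $entries.Count, $env:COMPUTERNAME
    $entries | Sort-Object DisplayName | Format-Table DisplayName, RegistryPath -AutoSize
}
```

Because this state lives in each host's registry rather than in the GPO, run the check on every DC or workstation you intend to edit the MSS settings from, not just the FSMO role holder.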
  • Hi Kurt,

    I also have a similar requirement to enable MSS settings in the Domain Controller Group Policy settings. My question is: if I want to configure this from a DC, do I need to install SCM and SQL Server 2008 Express? I found that it is not recommended to install SQL on a DC; also, my DC is already hardened enough that I am unable to install SQL.

    Hence, in this case, is there any alternate way to install only the LPT without the SCM and SQL installation? Please advise.

    Wednesday, September 21, 2011 5:41 AM
  • Biju, you don't install SCM on the DC; install it on your workstation. If you are wanting to put the MSS rules on a DC then the only thing you need to install on the DC is LocalGPO.
    Wednesday, September 21, 2011 2:18 PM
  • Nigel is correct. After installing SCM, open the Start menu, click All Programs, click Microsoft Security Compliance Manager, then click LocalGPO. A new Explorer window will open; copy LocalGPO.msi to the other computers in order to install the Local Group Policy Tool without having to install SCM.
    Kurt Dillard http://www.kurtdillard.com
    • Proposed as answer by Kurt Dillard Wednesday, September 21, 2011 2:37 PM
    Wednesday, September 21, 2011 2:37 PM
  • Any idea when this new version will be available for download? I thought September 15 but I haven't found the new version anywhere for the moment.
    Friday, September 23, 2011 9:00 AM
  • Ernie, it's available now: http://www.microsoft.com/download/en/details.aspx?id=16776
    Kurt Dillard http://www.kurtdillard.com
    • Proposed as answer by Kurt Dillard Friday, September 23, 2011 3:36 PM
    Friday, September 23, 2011 3:35 PM