LGPO.exe - Local Policies only apply when performing gpupdate /force

    Question

  • Hi,

    We have a couple of workgroup servers, where we also want to have some of our domain GPOs applied.
    I came across the tool LGPO.exe, which replaces the obsolete localgpo.swf which comes with Microsoft Security Compliance Manager (SCM). This tool is used to manage the local policies on the system.

    I exported our policies from our domain and I am successfully importing the settings on the workgroup server, via LGPO.exe.

    However, I do have 1 doubt, as the LGPO only imports policies and does not do anything with preferences. We have some settings that we add in the "system-wide User Configuration" via registry commands and the option /t.
    This adapts some registry entries regarding some color schemes for the user. These colors are applied correctly & immediately for the user that executes the command (in this case I executed it with local administrator).

    Because it is added in the "system-wide User Configuration" it also should apply for new users that log on to the server. But while testing this, the settings are not applied for that user, also not when performing gpupdate and also not after a reboot of the system.
    If we perform a gpupdate /force with the newly created user, the correct settings are applied immediately. This means the settings are also correctly applied in the "system-wide User Configuration".

    My question now is, why is it necessary that we need to run gpupdate /force and that it is not applied automatically on the new user?

    Can someone explain the process about (local) policies for local users on workgroup servers?

    Thx!
    Robby

    Wednesday, November 30, 2016 10:56 AM

All replies

  • Hi,
     
    On 30.11.2016 at 11:56, Ss0oNnNnYy wrote:
    > However, I do have 1 doubt, as the LGPO only imports policies and do
    > not do anything with preferences.
     
    LGP can only handle AdmTemplates (registry.pol content), Security
    (gpttmpl.inf content) and Advanced Audit (audit.csv)
     
    > My question now is, why is it necessary that we need to run *gpupdate
    > /force* and that it is not applied automatically on the new user?
     
    LGPO does not raise the counter of the existing LGPO. By default, the GP
    needs only to be re-applied, if changed.
     
    gpupdate /force ignores the version of the GPO and applies it again,
    even if it is already there.
     
    If you only replace file content, without raising the Version of the GPO,
    the GPProcess does not know that it is changed. It checks the version,
    not the file dates.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    • Marked as answer by Ss0oNnNnYy Thursday, December 1, 2016 8:56 AM
    Wednesday, November 30, 2016 11:30 AM
  • Mark,

    Thx for the reply. I also already was looking in the direction of the version.

    I tested it by removing the Group Policy - history - 0 key in HKLM\SOFTWARE\Microsoft\CurrentVersion\Group Policy\History\ but that did not help.

    Can you tell me how to increase the version number?

    In my gpt.ini file, I see only a version at the gPCMachineExtensionNames but not on the gPCUserExtensionNames, is this normal?

    Thx!
    Robby

    Wednesday, November 30, 2016 12:09 PM
  • Hi,
     
    On 30.11.2016 at 13:09, Ss0oNnNnYy wrote:
    > In my gpt.ini file, I see only a version at the
    > gPCMachineExtensionNames but no on the gPCUserExtensionNames, is this
    > normal?
     
    Yes. The GPO has only one version attribute. It has 8 digits, the first
    4 count the user version, the last the computer.
     
    00020004 = User Version 2, Computer Version 4
    - decimal = 131076
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Wednesday, November 30, 2016 12:16 PM
  • Mark,

    This is the content of our gpt.ini for that server:
    [General]
    gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{DF3DC19F-F72C-4030-940E-4C2A65A6B612}]
    Version=917518
    gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{DF3DC19F-F72C-4030-940E-4C2A65A6B612}]

    Can you explain in details?

    And can you please provide a procedure how to update the version number?

    Robby

    Wednesday, November 30, 2016 12:36 PM
  • > /Version=917518/
     
    Subtract 65536 - it is a bitmask, low 16 bits computer version, high 16
    bits user version.
     
    Wednesday, November 30, 2016 12:39 PM
  • Thx!

    And what about the increase of the version number? How can I do that manually?

    Robby

    Wednesday, November 30, 2016 12:44 PM
    > And what about the increase of the version number? How can I do that manually?
     
    User version +1 -> Add 65536
    Then rewrite gpt.ini...
     
    • Marked as answer by Ss0oNnNnYy Thursday, December 1, 2016 8:56 AM
    Wednesday, November 30, 2016 1:10 PM
  • Thx both for the replies.

    I succeeded to increase the version number and indeed it works for existing local users. Now it applies when the user logs in.

    I now have one more issue: if I create a new local user I have the same issue and the colors are not applied.
    Because for him it never has increased. If I increase it again manually, again correct settings are applied.

    I can create a logon event to increase the version number every time a user logs in but that is not a clean solution.

    Please advise what to do with new users..

    Thx!
    Robby

    Wednesday, November 30, 2016 1:35 PM
  • > Please advise what to do with new users..
     
    For new users it should apply regardless of version numbers... After initial logon with a new user, run "gpresult /h report.html" and check if "Local Policy" is applied or not, and what the reason is if not.
     
    Wednesday, November 30, 2016 1:43 PM
  • In the gpresult report, I could see that the settings are applied for the new user

    But even then, I need to perform the gpupdate /force. Otherwise it will not change the colors / Apply it in the registry of the current (new) user.

    Any thoughts?

    Thursday, December 1, 2016 8:56 AM
  • > Otherwise it will not change the colors / Apply it in the registry of the current (new) user..
     
    Maybe effective on second logon?
     
    Thursday, December 1, 2016 9:16 AM
  • > Otherwise it will not change the colors / Apply it in the registry of the current (new) user..
     
    Maybe effective on second logon?
     

    nope :(
    Thursday, December 1, 2016 9:24 AM
  • > nope :(
     
    Then my forum support is out of thoughts :()
     
    Thursday, December 1, 2016 12:24 PM
  • On 01.12.2016 at 10:24, Ss0oNnNnYy wrote:
    > nope :(
     
    How did you raise the Version? Can you show a sample?
     
    Version=917518 (decimal) -> HEX = 000E000E
    which means user version = 14 (dec, hex = E) and computer version = 14
     
    To raise it to 15: Userpart "E" + 1 = F (HEX) = 000F000E
    = Version=983054
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Thursday, December 1, 2016 1:11 PM
  • Hi Mark,

    This is what I have put in my script:

    # Update the gpt.ini file
    $gptContents = Get-Content $env:systemroot\system32\GroupPolicy\gpt.ini
    $gptContents |
    ForEach-Object {
        [regex]::Replace($_, '(?<=Version\s*=\s*)\d+', { [int]$args[0].Value + 65536 }) # [int]$args[0].Value + 65536 will increase the LGPO user version by 1 (hex)
    } |
    Set-Content $env:systemroot\system32\GroupPolicy\gpt.ini

    Monday, December 5, 2016 10:52 AM
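
The Version encoding discussed in this thread (high 16 bits user version, low 16 bits computer version), as an added example that is not part of any post above: it decodes the value, raises only the user half, and refuses to overflow the 16-bit field. The function names are hypothetical; the sample content is the gpt.ini quoted in the thread.

```powershell
# Added example: decode and bump the Version value of a local GPO gpt.ini.
# Function names are hypothetical; the sample is the gpt.ini posted in the thread.

function ConvertFrom-GpoVersion {
    param([Parameter(Mandatory)][long]$Version)
    if ($Version -lt 0 -or $Version -gt 4294967295) { throw 'Version must fit in 32 bits' }
    [pscustomobject]@{
        User     = [int](($Version -shr 16) -band 0xFFFF)  # high 16 bits
        Computer = [int]($Version -band 0xFFFF)            # low 16 bits
    }
}

function ConvertTo-GpoVersion {
    param([ValidateRange(0, 65535)][int]$User,
          [ValidateRange(0, 65535)][int]$Computer)
    ([long]$User -shl 16) -bor $Computer
}

function Step-GpoUserVersion {
    # Returns the gpt.ini lines with the user half of Version raised by one.
    param([Parameter(Mandatory)][string[]]$GptLines)
    $pattern = '^(\s*Version\s*=\s*)(\d+)\s*$'
    if (-not ($GptLines -match $pattern)) { throw 'No Version= line found' }
    foreach ($line in $GptLines) {
        if ($line -match $pattern) {
            $prefix = $Matches[1]
            $old = ConvertFrom-GpoVersion -Version ([long]$Matches[2])
            # Adding 65536 at user version 65535 would overflow the 32-bit value.
            if ($old.User -ge 65535) { throw 'User version is at its 16-bit maximum' }
            $prefix + (ConvertTo-GpoVersion -User ($old.User + 1) -Computer $old.Computer)
        } else { $line }
    }
}

$sample = @(
    '[General]'
    'gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{DF3DC19F-F72C-4030-940E-4C2A65A6B612}]'
    'Version=917518'
    'gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{DF3DC19F-F72C-4030-940E-4C2A65A6B612}]'
)

$updated  = Step-GpoUserVersion -GptLines $sample
$newLine  = @($updated -match '^Version=')[0]
$newValue = [long]($newLine -replace '\D')
foreach ($n in 917518, $newValue) {
    $v = ConvertFrom-GpoVersion -Version $n
    '{0} = 0x{0:X8}: user version {1}, computer version {2}' -f $n, $v.User, $v.Computer
}
```

To use it on the live file, pass the output of `Get-Content $env:systemroot\system32\GroupPolicy\gpt.ini` as `-GptLines` and write the result back with `Set-Content`, as in the script posted above.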