Changing Local GPO via Group Policy / Local Users on Domain Computers

    Question

  • Hey there,

    I've been trying to solve this problem for a couple days now, but I'm so desperate now, that I'm going to ask you guys for help.

    This is my setting:

    We have a domain with about 1000 computers in it. All computers are members of the domain, but the users are using local accounts on every computer to sign in.

    My task:

    Sounds simple: Lock the desktop of every computer after 15min of inactivity.

    I've successfully achieved that by changing the local GPO at User Configuration --> Administrative Templates --> Control Panel --> Personalization

    Force Specific Screen Saver = "rundll32 user32.dll,LockWorkStation"
    Screen Saver Timeout = "900"
    Enable Screen Saver = "1"
    Password Protect The Screen Saver = "1"

    My problem

    I need to deploy these settings to all computers, but the settings are not being applied, because it's a User Policy. I also tried to log the registry changes and created a startup script, which adds the 4 registry changes when the user logs on. But that didn't work either.

    Do you have any idea how to solve this?

    Thank you very much in advance!


    • Edited by Li Oswald Friday, May 13, 2016 11:58 AM typo
    Friday, May 13, 2016 11:56 AM

Answers

  • I browsed the web for a solution and only found solutions for cases in which you know the exact computer- and username. In my case I don't know them while deploying the GPO.

    But I managed to get a solution for my problem. I'm going to try to explain my steps, maybe some other day people will encounter the same issues.

    ------------------
    Issue
    Deploy the setting "Lock the workstation after 15min of idling" via GPO to domain-computers that use non-domain-user-logon.

    But this workaround should work for every change & deployment of the local group policy. You will need a tool to execute a program as an administrator without providing credentials. That is important, because you have to import the LocalGPO Package in the local user's context (which mostly has no administrative rights). I used "runasspc" because it stores your administrator password in a crypt file. But there are plenty of other programs that will do the trick.

    ------------------
    Solution
    1.) Download and start the setup of Security Compliance Manager. While setup is running, browse to C:\08c8c4c3d7d0326942 (or something like that) and open data.cab with WinRAR or similar. Extract the file "GPOMSI" to a place on your computer and rename it to LocalGPO.msi

    2.) Install LocalGPO.msi on a client.

    3.) On that client run gpedit.msc as an administrator and do your settings you want to deploy later. In my case it was

    User Configuration --> Administrative Templates --> Control Panel --> Personalization

    Force Specific Screen Saver = "rundll32 user32.dll,LockWorkStation"
    Screen Saver Timeout = "900"
    Enable Screen Saver = "1"
    Password Protect The Screen Saver = "1"

    Close the gpedit window.

    4.) Open LocalGPO shortcut via start menu with administrative rights. Or open a CMD as an administrator and browse to C:\Program Files (x86)\LocalGPO

    5.) Run the following command to export your changed local policy to a portable package

    cscript LocalGPO.wsf /Path:C:\GPObackup /Export /GPOPack

    Note: The folder c:\GPObackup has to be created in advance.

    You can now close the LocalGPO CMD.

    6.) Browse to c:\GPObackup and you will find a folder with the policy ID. In my case it was called "{47EAEB22-50B0-46EC-98C0-5D47752D8483}". You need to place this folder somewhere everybody can access it (to deploy it via GPO). In my case I didn't have any fileserver or something like that, so I put it in the domain's SYSVOL.

    7.) Create a cmd file "GPOPack.cmd" with the following content

    GPOPack.wsf /silent
    That's necessary, because you can't provide a .wsf file directly in the scheduled task in step 9.

    8.) I used "RunAsSpc" to create a runasspc.exe and a cryptfile "crypt.spc" which runs the "GPOPack.cmd" with administrative rights without using the UAC. Of course you can use other tools that run programs as an administrator.

    9.) Then I created a GPO that applies to "Everyone" and has the following two settings:

    Computer Configuration --> Policies --> Windows Settings --> Scripts --> Startup

    I made a tiny script that copies the exported local GPO folder to the clients.

    md "C:\temp\GPO\{47EAEB22-50B0-46EC-98C0-5D47752D8483}"
    xcopy "\\domain.name\sysvol\LocalGPO\{47EAEB22-50B0-46EC-98C0-5D47752D8483}" "C:\temp\GPO\{47EAEB22-50B0-46EC-98C0-5D47752D8483}" /Y /E /I
    and

    Computer Configuration --> Preferences --> Control Panel Settings --> Scheduled Tasks --> New scheduled task (at least Windows 7)

    General
    Action: Update
    Name: Import LocalGPO Pack
    When running this task, use the following user account: Users
    Run with highest privileges
    Configure for: Windows 7
    
    
    Triggers
    Daily at 12:00 o'clock
    Repeat every day
    
    
    Actions
    Start a program: C:\temp\GPO\{47EAEB22-50B0-46EC-98C0-5D47752D8483}\runasspc.exe
    
    Add arguments: /cryptfile:"C:\temp\GPO\{47EAEB22-50B0-46EC-98C0-5D47752D8483}\crypt.spc" /quiet
    
    Settings
    Run task as soon as possible after a scheduled task is missed

    Notes: If you use another tool than RunAsSpc you may have different arguments and program names here. The scheduled task will run daily at 12 o'clock. You should choose a time when every client should be turned on and a user is logged in. If necessary you could make the task run every hour to make sure you will reach all clients. You need to choose the group "Users" to run the task, because every local user should be a member of this group, so the task will be executed for all local non-domain users.

    10.) Make sure you copied the files "runasspc.exe" "crypt.spc" and "GPOPack.cmd" to

    \\domain.name\sysvol\LocalGPO\{47EAEB22-50B0-46EC-98C0-5D47752D8483}

    as well.

    That's it. I know it's very complex and a lot of steps and workarounds have been done, but this was the only solution I could find out after a long time of research and endless frustrating tries.

    So the GPO should be deployed to all clients on the next reboot at the latest. Then it will copy the files to the local machine and create the task. Maybe another reboot is necessary. But then the task will run at the estimated time and import the exported LocalGPO silently. You can check this by using gpedit.msc on a different client.

    I hope this helps somebody.
    Best regards,

    Li

    • Marked as answer by Li Oswald Thursday, May 19, 2016 11:01 AM
    Thursday, May 19, 2016 11:00 AM
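The question's own first attempt (a startup script that writes the four registry values) fails because a Computer Configuration startup script runs as SYSTEM, so "HKCU" is SYSTEM's hive, not the local user's. The following script is an added example, not code from the thread or from Microsoft's LocalGPO tool: run as a computer startup script, it writes the same four policy values directly into every local user profile's hive (loading NTUSER.DAT for users who are not logged on, and seeding the Default profile for accounts created later), then reports per-profile compliance. It assumes SYSTEM context, and it uses the registry values that the four "Control Panel > Personalization" user policies set under Software\Policies\Microsoft\Windows\Control Panel\Desktop; the function names and the hypothetical TempHive_ mount name are mine. Because it runs as SYSTEM, no administrator credential has to be stored on the client.

```powershell
# Added example (not from the thread): apply the screen-saver lock policy
# to every local user profile from a computer startup script (SYSTEM context),
# then verify. Value names/data mirror the four user policies in the thread.

$PolicySubKey = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$Desired = [ordered]@{
    'SCRNSAVE.EXE'        = 'rundll32 user32.dll,LockWorkStation'  # Force specific screen saver
    'ScreenSaveTimeOut'   = '900'                                   # Screen saver timeout (seconds)
    'ScreenSaveActive'    = '1'                                     # Enable screen saver
    'ScreenSaverIsSecure' = '1'                                     # Password protect the screen saver
}
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-LocalProfileHives {
    # One object per user profile on this machine, taken from ProfileList
    # (not from folder names). Loaded = hive already mounted under HKEY_USERS.
    Get-ChildItem $ProfileList | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
        if ($sid -like 'S-1-5-21-*' -and $path) {
            [pscustomobject]@{
                Sid        = $sid
                NtUserPath = Join-Path ([Environment]::ExpandEnvironmentVariables($path)) 'NTUSER.DAT'
                Loaded     = Test-Path "Registry::HKEY_USERS\$sid"
            }
        }
    }
}

function Invoke-InUserHive {
    # Runs $Action with the registry root of the profile's hive; mounts and
    # unmounts NTUSER.DAT when the user is not logged on. TempHive_ is a
    # hypothetical mount name chosen for this example.
    param([Parameter(Mandatory)]$Profile, [Parameter(Mandatory)][scriptblock]$Action)
    if ($Profile.Loaded) { return (& $Action "Registry::HKEY_USERS\$($Profile.Sid)") }
    $mount = "TempHive_$($Profile.Sid)"
    $null = & reg.exe load "HKU\$mount" $Profile.NtUserPath 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $($Profile.Sid)"; return $false }
    try { & $Action "Registry::HKEY_USERS\$mount" }
    finally {
        # Release provider handles before unloading, otherwise reg unload fails.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        $null = & reg.exe unload "HKU\$mount" 2>&1
    }
}

function Set-LockPolicy {
    param([string]$HiveRoot)
    $key = Join-Path $HiveRoot $PolicySubKey
    if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }
    foreach ($name in $Desired.Keys) {
        $null = New-ItemProperty -Path $key -Name $name -Value $Desired[$name] -PropertyType String -Force
    }
}

function Test-LockPolicy {
    # $true only when all four values exist with exactly the desired data.
    param([string]$HiveRoot)
    $key = Join-Path $HiveRoot $PolicySubKey
    if (-not (Test-Path $key)) { return $false }
    $current = Get-ItemProperty -Path $key
    foreach ($name in $Desired.Keys) {
        $prop = $current.PSObject.Properties[$name]
        if (-not $prop -or $prop.Value -ne $Desired[$name]) { return $false }
    }
    return $true
}

# Existing profiles plus the Default profile (template for new local accounts).
$profiles = @(Get-LocalProfileHives)
$defaultNtUser = Join-Path (Get-ItemProperty $ProfileList).Default 'NTUSER.DAT'
$profiles += [pscustomobject]@{ Sid = 'Default'; NtUserPath = $defaultNtUser; Loaded = $false }

$report = foreach ($p in $profiles) {
    $ok = Invoke-InUserHive -Profile $p -Action {
        param($root)
        if (-not (Test-LockPolicy $root)) { Set-LockPolicy $root }
        Test-LockPolicy $root
    }
    [pscustomobject]@{ Profile = $p.Sid; Compliant = [bool]$ok }
}
$report | Format-Table -AutoSize
```

Deploy it under Computer Configuration > Policies > Windows Settings > Scripts > Startup, the same path the answer uses for its copy script. The compliance table is also the check to run on a client instead of opening gpedit.msc: a profile reported non-compliant after the script has run usually means its NTUSER.DAT could not be loaded (the warning names the SID).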

All replies

  • > Do you have any idea, how to solve this?
     
    Security Compliance Manager localGPO
     
    Friday, May 13, 2016 12:29 PM
  • Hi,
    I agree with Martin that you could give SCM a try.
    “SCM enables organizations to centrally plan, view, update, and export thousands of Group Policy settings for Microsoft client and server operating systems and applications. It makes it easier for organizations to plan, implement, and monitor security compliance baselines in their Active Directory infrastructure. With SCM, IT Professionals can obtain baseline policies based on security best practices, customize them to the particular needs of their organization and export them to a number of formats for use in different scenarios.”
    You could get more details about SCM from:
    Microsoft’s Free Security Tools – Microsoft Security Compliance Manager Tool (SCM)
    https://blogs.microsoft.com/cybertrust/2013/01/15/microsofts-free-security-tools-microsoft-security-compliance-manager-tool-scm/
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 16, 2016 5:43 AM
    Moderator
  • Hey there,

    thank you for your tips. I did some more research and found these two sites, which helped me further:

    http://woshub.com/backupimport-local-group-policy-settings/

    http://bscexp.blogspot.de/2012/09/backup-and-restore-local-gpo.html

    So I installed LocalGPO.msi, did my settings and exported the Local GPO to a GPOPack.wsf.

    When I copy the entire folder to another computer and run "GPOPack.wsf" as an administrator it successfully imports the settings.

    The last problem left is now to deploy this LocalGPO via GPO to every computer and execute the GPOPack.wsf. I put the policy onto a network share and created a startup script which runs the GPOPack.wsf silently.

    \\networkshare\LocalGPO\{47EAEB22-50B0-46EC-98C0-5D47752D8483}\GPOPack.wsf /silent
    >"C:\LocalGPO.txt" echo LockDesktop

    The second line is just to make sure the script was executed.

    Problem:

    The startup script (Computer Configuration --> Policies --> Windows Settings --> Startup) is being executed, but apparently no settings are made, so I assume the import of the .wsf file has an error.

    As a logon script (User Configuration --> Policies --> Windows Settings --> Logon) the script is not even executed (because no domain user is logging on to the computer).

    How can I get that deployment done?

    Thank you very much!

    Tuesday, May 17, 2016 1:13 PM