Security Compliance Manager and Local GPO Tool not exporting all settings

  • Question

  • I'm trying to get my first baseline configured for several non-networked Windows 7 machines.  Everything worked well regarding the export and import, until I went to double-check all the settings.  Three settings never make their way to the new computers:

    Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow Logon through Remote Desktop Services (requires no entries, but either never gets set or the setting gets overwritten by default values). [This one finally changed when creating a new baseline, but the other two are still stuck with the original values.  I still haven't done anything different.]

    Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Bypass traverse checking (keeps default settings or is overwritten by default settings)

    Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Impersonate a client after authentication (keeps default settings or is overwritten by default settings)

    Is anyone else having the same problem?  I've tried to export the settings both through SCM and the LocalGPO command line.  Thinking it must be something I've done, I've also created multiple baselines (deleting the broken ones) and run into the same issue.

    UPDATE: Just deleted the stuck settings, added them back in and then changed the customized settings.  Still didn't work.

    Any suggestions?

    SCM Version 3.0.060.0

    Setting Library Version 2.0.82001

    Settings being installed on Windows 7 Enterprise SP1



    • Edited by jaypd2 Friday, March 7, 2014 8:18 PM Update
    Monday, February 24, 2014 6:18 PM
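
A way to check on each target machine whether the three user rights from the question took effect after an import (an added example, not part of the original post): it parses the `[Privilege Rights]` section of a `secedit` export and compares it with the intended values. The expected SIDs for the last two rights and the sample export are constructed for illustration.

```powershell
# Added example. Expected SIDs for the last two rights are constructed; use your baseline's.
$Expected = @{
    SeRemoteInteractiveLogonRight = @()   # Allow log on through Remote Desktop Services: no entries
    SeChangeNotifyPrivilege       = @('*S-1-5-19', '*S-1-5-20', '*S-1-5-32-544')             # Bypass traverse checking
    SeImpersonatePrivilege        = @('*S-1-5-19', '*S-1-5-20', '*S-1-5-32-544', '*S-1-5-6') # Impersonate a client after authentication
}

# Constructed sample of a secedit export, so the script also runs offline.
$Sample = @'
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
'@

function Get-PrivilegeRights([string[]]$InfLines) {
    $rights = @{}; $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-UserRights([hashtable]$Actual, [hashtable]$Expected) {
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        # A right that is absent from the export is treated as having no entries.
        $have = @(); if ($Actual.ContainsKey($name)) { $have = @($Actual[$name]) }
        $want = @($Expected[$name])
        $missing = @($want | Where-Object { $have -notcontains $_ })
        $extra   = @($have | Where-Object { $want -notcontains $_ })
        New-Object PSObject -Property @{
            Right = $name; Match = ($missing.Count + $extra.Count -eq 0)
            Missing = ($missing -join ','); Extra = ($extra -join ',')
        } | Select-Object Right, Match, Missing, Extra
    }
}

# Live check, from an elevated prompt on the target machine:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $lines = Get-Content "$env:TEMP\rights.inf"
$lines = $Sample -split "`r?`n"
Test-UserRights (Get-PrivilegeRights $lines) $Expected | Format-Table -AutoSize
```

Any row with `Match` set to `False` is a right that still has to be corrected by hand; `Extra` lists accounts that hold the right but are not in the baseline.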

Answers

  • Since it looks like this thread has recent activity and I am starting to examine SCM 3.0 for viability as a solution for some non-domain-joined devices I figured I would share this thread I found elsewhere that has some good details about the discrepancies in the comparisons. Looks like it is partially an issue of the backups being efficient (not backing up undefined/unconfigured settings) and partially a bug in the code:

    http://social.technet.microsoft.com/Forums/en-US/720f6515-47fc-4805-8ccb-dc144cb72078/gpo-backups-import-merge-export-problems?forum=compliancemanagement

    Hope that helps to clarify a bit, but sadly, it doesn't look like we have a fix on the horizon any time soon.

    • Marked as answer by jaypd2 Monday, October 13, 2014 4:21 PM
    Thursday, September 11, 2014 3:12 PM

All replies

  • Hi there,

    I'm having the exact same problem.  Even exporting one of the baseline policies and re-importing it again (without any LOCALGPO bits yet) and it strips the settings from 238 down to 178!!!

    Did you ever get this sorted?  I had this working on another server but had to install on a separate one and these issues are happening.

    Regards,

    Martin

    Wednesday, July 16, 2014 4:17 PM
  • No, I wrote down the three settings that never changed and I manipulate them manually.  Don't think that is really a solution in your case (60 manual changes defeats the purpose of the tool doing the work for you).

    On the lighter side, misery loves company. Anyone else experiencing this?

    Friday, September 5, 2014 4:39 PM
  • Thanks for the link Dave.  It explains why we are seeing it.  Unfortunately, I was hoping for better news since the issue is going on two years old (since Microsoft was aware of it).  Guess I'll keep holding my breath.
    Monday, October 13, 2014 4:20 PM
  • Using SCM 4.0 and the LGPO tool only to find out how useless these tools are for the same reasons described earlier. I exported a local GP from Windows 10 (1607) using LGPO.exe and imported the backup into SCM 4.0. Several issues found:

    In gpedit.msc I edited the local GP:

    Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties > Domain Profile > Firewall State : OFF

    This setting was nowhere to be found when I did a /parse command with LGPO and so it did not show up after the import to SCM.

    The most serious offender was a contradicting setting I found. I had

    Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Allow users to connect remotely using Remote Desktop Services: Enabled

    The LGPO /parse command showed the registry output to be: Software\Policies\Microsoft\Windows NT\Terminal Services: fDenyTSConnections DWORD:0 (meaning the LGPO /parse of the backup agrees with what I set in gpedit.msc).

    However, in SCM, after the import, the same setting Allow users to connect remotely using Remote Desktop Services was showing "Disabled" in direct contradiction to what I had set in gpedit.msc.

    There were several other examples of discrepancies where settings were in the backup (as verified by the /parse command) but when examining the import in SCM, they did not exist. Many other settings imported correctly in SCM, but with such inconsistencies it is hard to trust these tools for anything. I would rather do everything manually.

    I honestly spent a lot of time learning how to use LGPO and SCM only to find they are useless.



    Thursday, March 16, 2017 5:40 PM