Asked by:
Can't Export GPO using LocalGPO

Question
-
I am attempting to set a security baseline for a Windows 7 machine operating in a workgroup. We are DOD so are required to utilize the DISA STIGs in order to obtain certification of the systems. We installed Win7 SP1 and then went through all of the required settings in the local GPOs as listed by the STIG. However, we are now unable to capture the configuration of the machine. Using LocalGPO, we execute "localgpo.wsf /gpopack:c:\gpobackup\testgpo" but nothing happens. Are we missing something here?Thursday, August 4, 2011 4:18 PM
All replies
-
Your command line has a few errors. You need to specify what action to take and what path to use, so your command should look like this:
"cscript localgpo.wsf /Path:c:\gpobackup\testgpo /Export /GPOPack"
Take a look at Jeff's blog entry for more details on using the local GPO tool: http://blogs.technet.com/b/secguide/archive/2011/07/05/scm-v2-beta-localgpo-rocks.aspx
Kurt Dillard http://www.kurtdillard.comThursday, August 4, 2011 6:27 PM -
That works much better - thanks. We need to be careful with statements such as "The command-line parameters are pretty self-explanatory..." as contained here http://blogs.technet.com/b/secguide/archive/2011/06/27/scm-v2-beta-new-baselines-available-to-download.aspx
We ran into another issue where the import of the GPOPack returned:
"Import GPO had with the following errors. This can result from improper manual modification of GPO backup files. Always make changes to GPOs using GPMC, and regenerate the GPO backup if necessary.
The following are incorrect CSV Settings
Setting Name is ,,Option:CrashOnAuditFail,,Disabled,,0Setting Name is ,,Option:FullPrivilegeAuditing,,Disabled,,0
Setting Name is ,,Option:AuditBaseObjects,,Disabled,,0
Setting Name is ,,Option:AuditBaseDirectories,,Disabled,,0
Setting Name is ,,FileGlobalSacl,,,,
Setting Name is ,,RegistryGlobalSacl,,,,"
Suggestions?
Monday, August 8, 2011 6:08 PM -
I'm not sure what's going on, those are not CSV settings, those are registry settings stored in the GPO's INF file. Can you email the GPOpack to us at the secwish at microsoft dot com address?
Kurt Dillard http://www.kurtdillard.comMonday, August 8, 2011 6:32 PM -
Nevermind, I forgot that there are a handful of settings related to auditing get written to both the CSV file and the INF file. There's a bug in SCM, it should not report an error message when it encounters those settings in the CSV file. The bug doesn't actually impact the import of the GPO into SCM, but it is confusing, I believe its already been fixed in our internal builds but you won't see the fix until we publish the final version of SCM 2.0.
Kurt Dillard http://www.kurtdillard.com- Proposed as answer by Kurt Dillard Tuesday, August 16, 2011 4:37 PM
Tuesday, August 16, 2011 4:37 PM