Can't Export GPO using LocalGPO RRS feed

  • Question

  • I am attempting to set a security baseline for a Windows 7 machine operating in a workgroup. We are DOD so are required to utilize the DISA STIGs in order to obtain certification of the systems. We installed Win7 SP1 and then went through all of the required settings in the local GPOs as listed by the STIG. However, we are now unable to capture the configuration of the machine. Using LocalGPO, we execute "localgpo.wsf /gpopack:c:\gpobackup\testgpo" but nothing happens. Are we missing something here?
    Thursday, August 4, 2011 4:18 PM

All replies

  • Your command line has a few errors. You need to specify what action to take and what path to use, so your command should look like this:

    "cscript localgpo.wsf /Path:c:\gpobackup\testgpo /Export /GPOPack"


    Take a look at Jeff's blog entry for more details on using the local GPO tool: http://blogs.technet.com/b/secguide/archive/2011/07/05/scm-v2-beta-localgpo-rocks.aspx

    Kurt Dillard http://www.kurtdillard.com
    Thursday, August 4, 2011 6:27 PM
  • That works much better - thanks. We need to be careful with statements such as "The command-line parameters are pretty self-explanatory..." as contained here http://blogs.technet.com/b/secguide/archive/2011/06/27/scm-v2-beta-new-baselines-available-to-download.aspx

    We ran into another issue where the import of the GPOPack returned:

    "Import GPO had with the following errors. This can result from improper manual modification of GPO backup files. Always make changes to GPOs using GPMC, and regenerate the GPO backup if necessary.
    The following are incorrect CSV Settings
    Setting Name is ,,Option:CrashOnAuditFail,,Disabled,,0

    Setting Name is ,,Option:FullPrivilegeAuditing,,Disabled,,0

    Setting Name is ,,Option:AuditBaseObjects,,Disabled,,0

    Setting Name is ,,Option:AuditBaseDirectories,,Disabled,,0

    Setting Name is ,,FileGlobalSacl,,,,

    Setting Name is ,,RegistryGlobalSacl,,,,"


    Monday, August 8, 2011 6:08 PM
  • I'm not sure what's going on, those are not CSV settings, those are registry settings stored in the GPO's INF file. Can you email the GPOpack to us at the secwish at microsoft dot com address?
    Kurt Dillard http://www.kurtdillard.com
    Monday, August 8, 2011 6:32 PM
  • Nevermind, I forgot that there are a handful of settings related to auditing get written to both the CSV file and the INF file. There's a bug in SCM, it should not report an error message when it encounters those settings in the CSV file. The bug doesn't actually impact the import of the GPO into SCM, but it is confusing, I believe its already been fixed in our internal builds but you won't see the fix until we publish the final version of SCM 2.0.
    Kurt Dillard http://www.kurtdillard.com
    • Proposed as answer by Kurt Dillard Tuesday, August 16, 2011 4:37 PM
    Tuesday, August 16, 2011 4:37 PM