> I think I've found a way to manage (M)(L)GPO with WPKG, without AD (of
> course).
> Simply, MS have released a tool that can export LGPO and then you can
> import back.
> I'm still working on the recipe, but you can look at:
>   http://www.grouppolicy.biz/tag/export/
>   http://bscexp.blogspot.it/2012/09/backup-and-restore-local-gpo.html
> the rest is a matter of some scripting.

OK, test done; it still seems there's some work to do, but at least it
starts to work.

Before starting: LocalGPO works, but using it to manage the local GPO
does not, simply because much software now uses the LGPO 'Computer'
policy to set some system aspects, and if you restore an LGPO, you erase
them.
OK, via a WPKG script it could be feasible to save the local policy of
every computer and, eventually, restore it, but this is a bit overkill,
especially considering the fact that you can set policy via registry
keys.

Googling around you can find some registry patches, but I really missed
a ''reference''. Finally I've found it at:

  http://www.microsoft.com/en-us/download/details.aspx?id=25250

In these Excel sheets you can find, for every policy option, the
relevant registry keys. Cool.

OK, but how to set up ''user'' policy? You cannot do it via registry
keys (they are in the user hive, but not user writeable), so a netlogon
script does not apply.
You can set the LGPO, but the settings will apply to all users
(Administrators too), and because LocalGPO cannot selectively restore
computer/user settings, you are back to the previous trouble.

But from Vista, there's also the MLGPO (Multiple LGPO,
http://technet.microsoft.com/en-us/library/cc766291%28v=ws.10%29.aspx ),
so you can simply set the user LGPO on a test machine, export it with
LocalGPO, and import it back as MLGPO for 'Non Administrators'.
Considering that with LocalGPO you can create a ''self-executing''
script, the final recipe looks like:

  <package id="7tweaks-lgpo" name="Seven Registry tweaks: Manage Local Group Policy Object" revision="20130118:1" reboot="false" priority="5">
    <!-- installed = sentinel exists AND gpt.ini is older than the sentinel -->
    <check type="logical" condition="and" >
      <check type="file" condition="exists" path="%WinDir%\system32\GroupPolicyUsers\S-1-5-32-545\localgpo.sem" />
      <check type="file" condition="datemodifyolderthan" path="%WinDir%\system32\GroupPolicyUsers\S-1-5-32-545\gpt.ini" value="@%WinDir%\system32\GroupPolicyUsers\S-1-5-32-545\localgpo.sem" />
    </check>

    <!-- unpack the LocalGPO export and import it as MLGPO for Users -->
    <install cmd='%WPKGROOT%\tools\unzip -oqq "%WPKGROOT%\packages\lgpo-%LOCALNET%.zip" -d "%TEMP%"' />
    <install cmd='%COMSPEC% /c start "" /d"%TEMP%\LGPO" /wait cscript "%TEMP%\LGPO\GPOPack.wsf" /MLGPO:Users /Silent' />
    <!-- with /force it takes loooooongeeeer... -->
    <install cmd='gpupdate' />
    <!-- write the sentinel last, so it is newer than gpt.ini -->
    <install cmd='%COMSPEC% /c echo . > "%WinDir%\system32\GroupPolicyUsers\S-1-5-32-545\localgpo.sem"' />

    <upgrade include='install' />
    <downgrade include='upgrade' />

    <!-- reset to default -->
    <remove cmd='%COMSPEC% /c del /q /s /f "%WinDir%\System32\GroupPolicyUsers\S-1-5-32-545"' />
    <remove cmd='gpupdate' />
  </package>

So, finally:

1) It is not so safe to import the 'Computer' LGPO, but you can set up
   machine policy via registry patch, very handy in WPKG.

2) It is not so smart to import the 'User' LGPO, because it applies to
   all users and it is not manageable without the 'Computer' one; but
   you can export it and reimport it as MLGPO for 'non administrators'.

Hope it helps. And, of course, give me some feedback!

-- 
dott. Marco Gaiarin                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.sv.lnf.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
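
A read-only audit that mirrors the package's two file checks, as an added example that is not part of the original post: it reports whether the 'Users' MLGPO folder still matches the localgpo.sem sentinel, and which files were written after it. The function name Get-MlgpoState and its state names are hypothetical.

```powershell
param(
    # Folder the package manages: MLGPO for S-1-5-32-545.
    [string]$Root = "$env:WinDir\System32\GroupPolicyUsers\S-1-5-32-545"
)

function Get-MlgpoState {
    param([string]$Root)

    $sem = Join-Path $Root 'localgpo.sem'
    $gpt = Join-Path $Root 'gpt.ini'
    $state = 'InSync'
    $changed = @()

    if (-not (Test-Path -LiteralPath $sem)) {
        # No sentinel: the package never completed on this machine.
        $state = 'NotApplied'
    } elseif (-not (Test-Path -LiteralPath $gpt)) {
        # Sentinel without gpt.ini: the policy was removed after the import.
        $state = 'PolicyMissing'
    } else {
        # -Force so hidden and system items are included.
        $semTime = (Get-Item -LiteralPath $sem -Force).LastWriteTimeUtc
        $gptTime = (Get-Item -LiteralPath $gpt -Force).LastWriteTimeUtc

        # Files written at or after the sentinel were not put there by the
        # package run, which writes the sentinel as its last step.
        $changed = @(Get-ChildItem -LiteralPath $Root -Recurse -Force |
            Where-Object { -not $_.PSIsContainer -and
                           $_.Name -ne 'localgpo.sem' -and
                           $_.LastWriteTimeUtc -ge $semTime } |
            Select-Object -ExpandProperty FullName)

        # Same condition as the datemodifyolderthan check: gpt.ini must be
        # strictly older than the sentinel, otherwise WPKG reinstalls.
        if ($gptTime -ge $semTime) { $state = 'Drifted' }
        elseif ($changed.Count -gt 0) { $state = 'FilesChanged' }
    }

    New-Object PSObject -Property @{ Root = $Root; State = $state; ChangedFiles = $changed }
}

$result = Get-MlgpoState -Root $Root
$result | Format-List State, Root, ChangedFiles
# A non-zero exit code lets a scheduler or monitoring agent flag the machine.
if ($result.State -ne 'InSync') { exit 1 }
```

On 64-bit Windows, run it from a 64-bit PowerShell, since a 32-bit process sees System32 redirected to SysWOW64.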