[wpkg-users] Dealing with (L)GPO...

Marco Gaiarin gaio at sv.lnf.it
Thu Jan 24 17:33:49 CET 2013


> I think i've found a way to manage (M)(L)GPO with WPKG, without AD (of
> course).
> Simply, MS have releasead a tool that can export LGPO and then you can
> import back.
> I'm still working on the recipe, but you can look at:
> 	http://www.grouppolicy.biz/tag/export/
> 	http://bscexp.blogspot.it/2012/09/backup-and-restore-local-gpo.html
> the rest is a matter of some scripting.

Ok, test done; still seems there's some work to done, but at least
start to work.


Before to start: LocalGPO works, but using to manage the LocalGPO not,
simply because many software now use the LGPO 'Computer' policy to set
some system aspect, and if you restore a LGPO, you erase them.
Ok, via a WPKG script coud be feasable to save the local policy of
every computer and, eventually, restore them, but this a bit overkill.


Expecially considering the fact that you can set policy via registry
keys.
Googling around you can find some registry patches, but really i missed
a ''reference''. Finally i've found on:

	http://www.microsoft.com/en-us/download/details.aspx?id=25250

in these excel sheets you can find, for every policy options, the
relevand registry keys. Cool.


Ok, but how setup ''user'' policy? You cannot do it via registry keys
(they are in the user hive, but not user writeable), so netlogon script
does not apply.
You can set LGPO, but the settings will apply to all users
(Administrators too), and because LocalGPO cannot restore selectively
computer/user settings, you belong to the previous trouble.

But from Vista, there's also the MLGPO (Multiple LGPO,
http://technet.microsoft.com/en-us/library/cc766291%28v=ws.10%29.aspx
), so you can simply set the user LGPO in a test machine, export them
with LocalGPO, and import back as MLGPO for 'Non Administrators'.

Considering that with LocalGPO you can create a ''self-executing''
scpript, the final recipe look like:

 <package
        id="7tweaks-lgpo"
        name="Seven Registry tweaks: Manage Local Group Policy Object"
        revision="20130118:1"
        reboot="false"
        priority="5">

        <check type="logical" condition="and" >
                <check type="file" condition="exists" path="%WinDir%\system32\GroupPolicyUsers\S-1-5-32-545\localgpo.sem" />
                <check type="file" condition="datemodifyolderthan" path="%WinDir%\system32\GroupPolicyUsers\S-1-5-32-545\gpt.ini" value="@%WinDir%\system32\GroupPolicyUsers\S-1-5-32-545\localgpo.sem" />
        </check>

        <install cmd='%WPKGROOT%\tools\unzip -oqq "%WPKGROOT%\packages\lgpo-%LOCALNET%.zip" -d %TEMP%' />
        <install cmd='%COMSPEC% /c start "" /d"%TEMP%\LGPO" /wait cscript "%TEMP%\LGPO\GPOPack.wsf" /MLGPO:Users /Silent' />
        <!-- with /force take loooooongeeeer... -->
        <install cmd='gpupdate' />
        <install cmd='%COMSPEC% /c echo . > %WinDir%\system32\GroupPolicyUsers\S-1-5-32-545\localgpo.sem' />

        <upgrade include='install' />
        <downgrade include='upgrade' />

        <!-- reset to default -->
        <remove cmd='%COMSPEC% /c del /q /s /f "%WinDir%\System32\GroupPolicyUsers\S-1-5-32-545"' />
        <remove cmd='gpupdate' />
 </package>


So, finally:

1) It is not so safe to import the 'Computer' LGPO, but you can setup
 machine policy via registry patch, very handy in WPKG.

2) It is not so smart to import the 'User' LGPO, because apply to all
 users and it is not manageable without the 'Computer' one; but you can
export it and reimport as MLGPO for 'non administrators'.


Hope it help. And, of course, give me some feedback!

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                    http://www.sv.lnf.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
	   http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)



More information about the wpkg-users mailing list