Secure Standalone Windows Servers Using Security Compliance Manager


In today’s Ask the Admin, I’ll show you how to use the localGPO command line tool in Security Compliance Manager (SCM) to apply security templates to computers that are not part of an Active Directory domain.

Security Compliance Manager comes with a command line tool for applying template settings to Local Group Policy Objects, i.e. for use on devices that are not joined to an Active Directory domain. For more information on SCM, see Using the Microsoft Security Compliance Manager Tool on the Petri IT Knowledgebase.

The installer for the LocalGPO tool, LocalGPO.msi, is located in the C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO directory on the computer where SCM is installed. Copy the .msi to each standalone computer where you want to use the tool and run it there; SCM itself does not need to be installed on the target. Note that at the time of writing, LocalGPO is not supported on Windows Server 2012 R2.

  • Double click LocalGPO.msi.
  • Click Next on the welcome screen.
  • On the End-User License Agreement screen, check I accept the terms in the License Agreement and click Next.
  • On the Features to install screen, click Next.
  • The tool will now install. Click Finish to close the installer window.

The tool is installed in the “C:\Program Files (x86)\LocalGPO” directory. To work with it, run the “Command-line Here” batch file in that directory. This opens a command prompt window in the right directory and lists the available switches, along with some useful examples. Because LocalGPO rewrites the local policy store, the command prompt must be elevated (run it as administrator); otherwise the export may succeed while an import silently fails to take effect.

To export the current local policy settings as a GPO backup, run the following command:

cscript localgpo.wsf /path:c:\gpobackups /export

Export local policy settings as a GPO backup (Image Credit: Russell Smith)

The folder specified in the /path switch must exist. Once the command has completed, the name of the folder containing the backup will be displayed in the command prompt window. You can add the /GPOPack switch to the above command to generate a script that can be run on servers independently of the localgpo tool. Just copy the resulting folder to the desired server and run the gpopack.wsf script.

cscript localgpo.wsf /path:c:\gpobackups /export /gpopack
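The manual step above, copy the GPOPack folder to a server and run gpopack.wsf there, becomes tedious across a fleet of workgroup servers. The following PowerShell script is an added example and not code from the article or from the LocalGPO tool: it pushes the folder written by /export /gpopack to a list of servers over PowerShell remoting and runs gpopack.wsf on each. It assumes things the article does not state: remoting is enabled on each target and this host lists them in WSMan:\localhost\Client\TrustedHosts (workgroup machines cannot use Kerberos), a single local administrator credential works on all of them, and gpopack.wsf returns a non-zero exit code on failure. The server names and the remote directory are constructed for the example.

```powershell
# Added example, not code from the article or from the LocalGPO tool. It pushes the
# folder written by "/export /gpopack" to several workgroup servers and runs
# gpopack.wsf on each, which is the manual copy-and-run step done in a loop.
# Assumptions not on the page: PowerShell remoting is enabled on each target and
# this host lists them in WSMan:\localhost\Client\TrustedHosts (workgroup machines
# have no Kerberos), one local administrator credential works on all of them, and
# gpopack.wsf exits non-zero on failure. The server names are constructed samples.
#Requires -Version 5.0

$PackSource = 'C:\GPOBackups\{36034CB9-E459-4652-8720-DE7F3AD51044}'  # folder from /export /gpopack
$Servers    = @('srv-web01', 'srv-web02')                              # constructed sample list
$RemoteDir  = 'C:\GPOPack'
$Cred       = Get-Credential -Message 'Local administrator on the target servers'

$results = foreach ($server in $Servers) {
    $session = $null
    try {
        $session = New-PSSession -ComputerName $server -Credential $Cred -ErrorAction Stop
        Invoke-Command -Session $session -ArgumentList $RemoteDir -ScriptBlock {
            param($dir)
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
        }
        # Copy-Item -ToSession needs PowerShell 5.0 on this host.
        Copy-Item -Path (Join-Path $PackSource '*') -Destination $RemoteDir -ToSession $session -Recurse -Force
        $run = Invoke-Command -Session $session -ArgumentList $RemoteDir -ScriptBlock {
            param($dir)
            Set-Location $dir          # run from inside the copied folder, as the article does
            $out = & cscript.exe //NoLogo (Join-Path $dir 'gpopack.wsf') 2>&1
            [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($out -join "`n") }
        }
        [pscustomobject]@{
            Server = $server
            Status = $(if ($run.ExitCode -eq 0) { 'Applied' } else { "Failed (exit $($run.ExitCode))" })
            Detail = $run.Output
        }
    } catch {
        [pscustomobject]@{ Server = $server; Status = 'Error'; Detail = $_.Exception.Message }
    } finally {
        if ($session) { Remove-PSSession -Session $session }
    }
}

$results | Format-Table Server, Status -AutoSize
$results | Where-Object Status -ne 'Applied' | ForEach-Object { "$($_.Server): $($_.Detail)" }
```

Each server ends up in exactly one of three states (Applied, Failed with the exit code, or Error with the remoting exception), so a partially applied baseline is visible at a glance rather than discovered later. Keep the GPOPack folder on a share that only administrators can write to: whatever is in it becomes the local policy of every server it is run on.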

To apply a GPO backup to the local computer run the command below, replacing c:\gpobackups\{36034CB9-E459-4652-8720-DE7F3AD51044} with the path of the GPO backup you want to apply.

cscript localgpo.wsf /path:c:\gpobackups\{36034CB9-E459-4652-8720-DE7F3AD51044}

You can compare the current local policy with a GPO backup using the /compare switch:

cscript localgpo.wsf /path:c:\gpobackups\{36034cb9-e459-4652-8720-de7f3ad51044} /compare

Compare local policy with a GPO backup (Image Credit: Russell Smith)

To reset the local computer policy to its default settings, run the command below. This returns the policy to its out-of-the-box state, not to what it was before your last import, so if you need a roll-back point take an /export before applying a template:

cscript localgpo.wsf /restore
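The export, apply and compare commands above are the pieces of one workflow: take a baseline you can roll back to, apply the hardened template, confirm the result matches the template, and keep a record of what changed. The PowerShell script below is an added example and not code from the article or from the LocalGPO tool; it wraps the switches shown above (/path with /export, /compare, and a bare /path to apply) into that workflow. It assumes, which the article does not state, that LocalGPO.wsf is in its default install directory, that a non-zero cscript exit code means the script failed, and that the /export output includes the new {GUID} folder name (with a fallback that looks for the new folder on disk). The backup folder name is the one used in the article's own examples.

```powershell
# Added example, not code from the article or from the LocalGPO tool itself.
# It wraps the LocalGPO.wsf switches used in the article (/path, /export, /compare
# and a bare /path to apply) so that a hardened template is applied with a
# roll-back point and a change record. Assumptions not stated on the page:
# LocalGPO.wsf sits in its default install directory, a non-zero cscript exit
# code means the script failed, and the /export output contains the new {GUID}
# folder name.
#Requires -Version 3.0

$LocalGpo    = Join-Path ${env:ProgramFiles(x86)} 'LocalGPO\LocalGPO.wsf'
$BackupRoot  = 'C:\GPOBackups'
$ReportDir   = 'C:\GPOBackups\Reports'
# The backup folder name below is the one used in the article's examples.
$HardenedGpo = 'C:\GPOBackups\{36034CB9-E459-4652-8720-DE7F3AD51044}'

function Assert-Elevated {
    # LocalGPO rewrites the machine's local policy store, so it must run elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated PowerShell session.'
    }
}

function Invoke-LocalGpo {
    # Runs cscript LocalGPO.wsf with the given switches and returns its output lines.
    param([Parameter(Mandatory = $true)][string[]]$Arguments)
    if (-not (Test-Path -LiteralPath $LocalGpo)) { throw "LocalGPO.wsf not found at $LocalGpo" }
    $output = & cscript.exe //NoLogo $LocalGpo @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {   # assumption: the script signals failure via its exit code
        throw "LocalGPO failed (exit $LASTEXITCODE):`n$($output -join "`n")"
    }
    return $output
}

function Export-LocalGpoBackup {
    # /path must already exist, so create it first; returns the new {GUID} backup folder.
    param([string]$Path = $BackupRoot)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $before = @(Get-ChildItem -LiteralPath $Path -Directory | ForEach-Object Name)
    $output = Invoke-LocalGpo -Arguments @("/path:$Path", '/export')
    # Prefer the folder name the tool prints; fall back to whichever {GUID} folder is new.
    $match = $output |
        Select-String -Pattern '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}' |
        Select-Object -First 1
    $name = if ($match) { $match.Matches[0].Value } else {
        Get-ChildItem -LiteralPath $Path -Directory |
            Where-Object { $_.Name -match '^\{.+\}$' -and $before -notcontains $_.Name } |
            Select-Object -First 1 -ExpandProperty Name
    }
    if (-not $name) { throw 'Export completed but no new backup folder was found.' }
    return Join-Path $Path $name
}

function Compare-LocalGpo {
    # Runs /compare against a backup and keeps the tool's report under $ReportDir.
    param([Parameter(Mandatory = $true)][string]$BackupPath, [string]$Label = 'compare')
    New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
    $output = Invoke-LocalGpo -Arguments @("/path:$BackupPath", '/compare')
    $report = Join-Path $ReportDir ('{0}-{1:yyyyMMdd-HHmmss}.txt' -f $Label, (Get-Date))
    $output | Out-String | Set-Content -LiteralPath $report
    return $report
}

function Import-LocalGpoBackup {
    # A bare /path applies the backup. This overwrites the current local policy, and
    # /restore only resets to defaults, so the caller takes a baseline export first.
    param([Parameter(Mandatory = $true)][string]$BackupPath)
    if (-not (Test-Path -LiteralPath $BackupPath -PathType Container)) {
        throw "GPO backup folder not found: $BackupPath"
    }
    Invoke-LocalGpo -Arguments @("/path:$BackupPath") | Out-Null
}

Assert-Elevated
$baseline = Export-LocalGpoBackup                       # roll-back point for the current policy
Import-LocalGpoBackup -BackupPath $HardenedGpo
$verify   = Compare-LocalGpo -BackupPath $HardenedGpo -Label 'post-apply'   # expect no differences
$changes  = Compare-LocalGpo -BackupPath $baseline    -Label 'vs-baseline'  # what the template changed
"Baseline backup:             $baseline"
"Template vs. applied policy: $verify"
"Applied policy vs. baseline: $changes"
```

The post-apply comparison is the check worth keeping: if the template and the live policy still differ after the import, either the import failed part-way or something else (a startup script, a configuration management agent) is rewriting local policy, and the report names the settings involved. To roll back, apply $baseline with a bare /path rather than running /restore.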

Additional switches

LocalGPO has a few additional switches that you might find useful. The /ConfigSCE switch extends the Security Configuration Editor so that the registry-based settings developed by Microsoft Solutions for Security (MSS), which are not exposed by default, appear under Security Options in local computer policy, where they can be viewed and edited. Conversely, the /ResetSCE switch removes the MSS settings from the editor again.

Hidden Microsoft Solutions for Security (MSS) settings (Image Credit: Russell Smith)

The /MLGPO switch applies the User Configuration section of a GPO backup to a Multiple Local Group Policy Object for a specific local user, rather than to every user of the computer. This switch can also be used with gpopack.wsf scripts generated using the /GPOPack switch. For instance, the following command would apply the user section of the specified GPO backup to the local user DavidSmith.

cscript localgpo.wsf /path:c:\gpobackups\{36034CB9-E459-4652-8720-DE7F3AD51044} /MLGPO:DavidSmith

Administrators and Non-Administrators are also valid values for the /MLGPO switch, applying the user section of the specified GPO backup to all local administrators or to all local users who are not administrators, respectively.