Playing with Local Group Policy Objects

I’ve been working on locking down a Windows 7 Embedded thin client lately and need to restrict some Internet Explorer settings. I have to do this on a handful of thin clients.
The first thing I do is create a Local Group Policy for NON ADMINISTRATORS.
This is important because I do not want my administrator account to be all screwed up and locked down when I need to connect for administrative work.
I also export the settings so that I can apply them to other computers as needed.  Initially, I will be imaging the units so they’ll all get the same policy, but management in the future will simply be by applying the Local GPOs instead of wasting time deploying a new image.

Create Local Group Policy – Non Administrators

  1. Start > mmc.exe
  2. File > Add/Remove Snap-in
  3. Choose Group Policy Object Editor, click Add >
  4. Click Browse > Users tab
  5. Select Non-Administrators (or a specific user you plan to only apply a GPO to)
  6. Click OK > Finish > OK
  7. File > Save As… > Local GPO – Non Admin.msc (or whatever you like)

Configure Policies

In the left pane, I drill through Local Computer\Non-Administrators > User Configuration > Administrative Templates > Windows Components > Internet Explorer
I configured a lot of the Internet Explorer policies for this Group Policy.
After I’m done I want to save these changes for reference in the future.  To do this I use gpresult to produce an HTML report.

Save Group Policy Settings Report

From a command line, I run the following command.  Note that I use User as my user since that is the only non-administrator account on this system.  You will need to substitute with your own criteria.

gpresult /USER User /h grouppolicysettings.html

Now I have an excellent report with detailed information about which policies are applied to the User account, including descriptions of the policies.

Tip – Convert Group Policy Result Report to Excel Spreadsheet
If you export the report to XML using /x filename.xml, you can use a nice VBScript to convert the XML to an Excel Spreadsheet as well.  Get the VBScript if you’re interested. Script is from this MS TechNet Article.

Exporting and Importing Local Group Policies

So there are a few tools out there that can export and import Group Policies.  Windows doesn’t do this natively, but there is a Solution Accelerator available called Microsoft Security Compliance Manager (SCM) that has the LocalGPO application in it.  The LocalGPO tool allows you to back up and restore Local Group Policy Objects.  Cool, eh?
Get Microsoft Security Compliance Manager, which includes LocalGPO, from:  http://technet.microsoft.com/en-us/library/cc677002.aspx
 

Export Local GPO for User

  1. Configure a single User setting in the Local Policy of the computer
  2. Use LocalGPO to export a GPO Backup or GPOPack
    1. LocalGPO /Path:"C:\GPO backups" /Export
  3. Copy the registry.pol file from C:\Windows\System32\GroupPolicyUsers\<SID>\User (you should only see one if User is the only local user with an MLGPO)
  4. Paste the registry.pol file over the ..\User\registry.pol inside the GPO Backup or GPOPack created in Step #2

You will then have a GPO Backup or GPOPack with *all* the settings originally configured for User in MLGPO.

Restore Local GPO

You can then apply this GPO Backup or GPOPack using the MLGPO option to configure other users the same as User.

LocalGPO /MLGPO:User /Path:"C:\GPO Backups"
