With the LGPO.msi utility from SCM (Microsoft Security Compliance Manager), it is very simple to capture and deploy policies created for the machine, the Administrators group, and the Non-Administrators group. However, no utility or automated method exists for deploying an LGPO profile assigned to a single user. A simple PowerShell script solves this; see the following tutorial.
1. In a VM (Virtual Machine), create the user and assign the desired LGPO settings with the gpedit.msc MMC.
2. Copy the content from the appropriate folder within the “C:\Windows\System32\GroupPolicyUsers\” directory. The folder is named after the SID of the user.
3. Place the files in the “GP” folder within the following package and call a PowerShell script to create the SID folder name and copy the custom profile.
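# Run from an elevated PowerShell session, e.g.: Start-Process powershell -Verb RunAs
# Resolve the account name to its SID; the per-user LGPO folder is named after it
$objUser = New-Object System.Security.Principal.NTAccount("USERNAME")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
# Copy the captured policy files from .\GP into the SID-named folder
Copy-Item -Path .\GP -Destination C:\Windows\System32\GroupPolicyUsers\$strSID -Recurse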
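
A more defensive version of the script above, as an added example that is not part of the original tutorial: it checks for elevation, resolves the SID on the target machine, and copies the contents of GP into the SID folder so that a re-run does not nest a second GP folder. The parameter names `$UserName` and `$SourceDir` are assumptions.

```powershell
# Added example. $UserName and $SourceDir are assumed parameter names,
# not part of the original script.
param(
    [Parameter(Mandatory)] [string] $UserName,
    [string] $SourceDir = (Join-Path $PSScriptRoot 'GP')
)
$ErrorActionPreference = 'Stop'

# Writing under System32 requires an elevated session.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this script from an elevated PowerShell session.'
}

if (-not (Test-Path -LiteralPath $SourceDir -PathType Container)) {
    throw "Captured policy folder not found: $SourceDir"
}

# A local account's SID differs from machine to machine, so resolve it here
# instead of reusing the folder name captured in the VM.
try {
    $account = New-Object System.Security.Principal.NTAccount($UserName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    throw "Could not resolve '$UserName' to a SID: $($_.Exception.Message)"
}

$target = Join-Path $env:SystemRoot "System32\GroupPolicyUsers\$sid"

# Create the SID folder first, then copy the contents of GP into it.
# Copying the GP folder itself onto an existing destination would place
# it at <SID>\GP instead of filling <SID>.
New-Item -ItemType Directory -Path $target -Force | Out-Null
Copy-Item -Path (Join-Path $SourceDir '*') -Destination $target -Recurse -Force

# List what was deployed so the result can be checked against the VM capture.
Get-ChildItem -LiteralPath $target -Recurse -Force |
    Select-Object -ExpandProperty FullName
```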