In many Organizations, the AD support team is separated from the team in charge of Imaging. The AD team naturally is protective with their setup and fight any GPO setting that would result in more responsibility to their staff. So that leaves us in some occasions having to turn to Local Group Policy to apply the settings we want. I’ve recently come across some great tools provided by Microsoft (very quietly) for Government usage. These tools allow you to basically back up your LGPO settings to a txt file and apply them on demand with a script silently.
MS link: http://blogs.technet.com/cfs-file.ashx/__key/communityserver-components-postattachments/00-03-05-16-48/LGPO_2D00_Utilities.zip
BackUp link: https://panaconsulting.egnyte.com/h-s/20120118/077e07ba18c74413
How to use:
- Apply desired settings on a Windows 7 test machine, using the gpedit.msc MMC snap-in.
- Run the “ImportRegPol.exe” with the /parseonly and /log to pull settings and save to a specified LOG file.
User settings and machine settings need to be captured separately:
Capture User Example
ImportRegPol.exe /u C:\Windows\System32\GroupPolicy\User\registry.pol /parseonly /log <PathToSettingsFile>.log
Capture Machine Settings Example:
ImportRegPol.exe /m C:\Windows\System32\GroupPolicy\Machine\registry.pol /parseonly /log <PathToSettingsFile>.log - Use the Apply_LGPO_Delta.exe utility to apply the settings silently. On restart the settings will take effect.
Apply_LGPO_Delta.exe <PathToSettingsFile>.log /log <PathToLogFile>.log - This can easily be added to an SCCM or MDT Task Sequence and tied to logic to ensure the correct settings get pushed to the appropriate target systems/users.
Command Line help for LGPO Tools:
Apply_LGPO_Delta.exe inputfile0 [inputfile1 ...] [/log LogFile] [/error ErrorLogFile] [/boot]
inputfileN One or more input files specifying the changes to make. Input files must be security template files, or registry-based policy files using a custom file format described below. Apply_LGPO_Delta automatically determines whether a file is a custom policy file or a security template. Security templates can be created using the “Security Templates” MMC snap-in.
/log LogFile Writes detailed results to a log file. If this option is not specified, output is not logged nor displayed.
/error ErrorLogFile Writes error information to a log file. If this option is not specified, error information is displayed in a message box dialog.
/boot Reboots the computer when done.
ImportRegPol.exe –m|-u path\registry.pol [/parseOnly] [/log LogFile] [/error ErrorLogFile] [/boot]
-m path\registry.pol [for Computer configuration] or
-u path\registry.pol [for User configuration]
Path\registry.pol specifies the absolute or relative path to the input registry policy file (which does not need to be named “registry.pol”).
/parseOnly Reads and validates the input file but does not make changes to local group policy. In conjunction with the /log option, can be used to convert a registry policy file to an input file for Apply_LGPO_Delta.
/log LogFile Writes detailed results to a log file. If this option is not specified, output is not logged nor displayed. The logged results for the registry policy settings can be used as input for Apply_LGPO_Delta.
/error ErrorLogFile Writes error information to a log file. If this option is not specified, error information is displayed in a message box dialog.
/boot Reboots the computer when done.
-Brian G
