Scenario: A customer needed to lock down a specific user account in Windows 10 without affecting the local Administrator account. The unit was not going to join a domain, so LGPO was the only available free alternative.
The new LGPO tool (https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) does NOT support MLGPOs (Multiple Local Group Policy Objects).
The old LocalGPO.wsf script (https://gallery.technet.microsoft.com/LocalGPOmsi-Excellent-MS-2593b2eb) does, but it doesn’t “technically” support Windows 10. So you must first edit this script to force it to support Windows 10. Here are my edits (but you don’t have to edit it yourself, the download link is listed below):
Next I used the LocalGPO.wsf script to export my desired LGPO, which included the settings I specified for the “Non-Administrators” group.
Here are the steps I took to set up the MLGPO:
Command: cscript LocalGPO.wsf /Path:C:\MLGPO /Export
Download my MLGPO app package and adjust it to deploy your captured MLGPO folder (should have been exported to C:\MLGPO\{GUID}): https://drive.google.com/open?id=0BwHI1r8k8A75MU1lbjBfX2NxeEE
* package was wrapped using http://psappdeploytoolkit.com/ and tested on SCCM 2012 and MDT 2013 Update 2.
/BG
Hi, when you say adjust it to deploy your captured MLGPO folder, do you have a step-by-step procedure? Thanks.
One last thing, how do I use this in MDT 2013 U2 TS? Many thanks in advance.
I think this method does not work. In fact, the script backs up the local policy but not the other local user policies. The only working technique I found is to copy and replace the file registry.pol (in the user node) from a backup with the MLGPO Non-Administrators, i.e. “GroupPolicyUsers\S-1-5-32-545\User\registry.pol”
LocalGPO.wsf does not support /mlgpo switch with /export, only with /import
Thanks a lot for sharing this
Thanks for the update, I haven’t had success with this method since, either. I’ll give your suggestion a try.
-BG
This is…. GREAT!
Now I’m trying to export my Non-Admin GPOs…
Tried to import my export, didn’t get the Non-Admin GPOs set.
It helps a lot to know that the LocalGPO.wsf doesn’t support the MLGPO export.
Trying to get this working through MDT 2013… 🙂
Thanks for this post!
-MC
Just tried to replace the ZTIApplyGPOPack.wsf with the LocalGPO.wsf, which is able to import MLGPO via shell.
It applied all user settings, but it did that without flagging them only for Non-Administrators…
Still troubleshooting…
-MC
I found a way to solve this problem:
1. Just create your MLGPOs
2. Copy folder “C:\Windows\System32\GroupPolicyUsers\S-1-5-32-545”
> All Administrations MLGPO settings are stored in this folder (well-known SID).
3. Paste folder to target machine
You are also able to edit your MLGPOs via MMC on the target machine.
This solves my problem.
Cheers!
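
The comments above settle on copying GroupPolicyUsers\S-1-5-32-545 (and its User\registry.pol) to the target machine. The following is an added example, not part of the original post or its comments: a small parser for the registry.pol (PReg) format, so the settings in a copied file can be listed and checked before the folder is pasted onto a target. It assumes Microsoft's documented Registry Policy File Format layout; the sample bytes and the NoControlPanel setting are constructed for illustration.

```python
import struct

PREG_HEADER = b"PReg" + struct.pack("<I", 1)  # signature + format version 1
REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4

def _wchar(buf, pos, expected):
    # Consume one UTF-16LE delimiter ("[", ";" or "]") or reject the file.
    if buf[pos:pos + 2] != expected.encode("utf-16-le"):
        raise ValueError(f"expected {expected!r} at offset {pos}")
    return pos + 2

def _wstring(buf, pos):
    # Read a NUL-terminated UTF-16LE string; return (text, next offset).
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_pol(buf):
    """Return [(key, value_name, type, data)] from registry.pol bytes."""
    if buf[:8] != PREG_HEADER:
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _wchar(buf, pos, "[")
        key, pos = _wstring(buf, pos)
        pos = _wchar(buf, pos, ";")
        name, pos = _wstring(buf, pos)
        pos = _wchar(buf, pos, ";")
        rtype, = struct.unpack_from("<I", buf, pos)
        pos = _wchar(buf, pos + 4, ";")
        size, = struct.unpack_from("<I", buf, pos)
        pos = _wchar(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _wchar(buf, pos + size, "]")  # also fails if data was truncated
        if rtype == REG_DWORD and size == 4:
            data = struct.unpack("<I", data)[0]
        elif rtype in (REG_SZ, REG_EXPAND_SZ):
            data = data.decode("utf-16-le").rstrip("\x00")
        entries.append((key, name, rtype, data))
    return entries

# Constructed sample (not from the page): NoControlPanel = REG_DWORD 1
KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
_w = lambda s: s.encode("utf-16-le")
SAMPLE = (PREG_HEADER + _w("[" + KEY + "\0;NoControlPanel\0;") + struct.pack("<I", REG_DWORD)
          + _w(";") + struct.pack("<I", 4) + _w(";") + struct.pack("<I", 1) + _w("]"))
```

To audit a real policy, read the bytes of the copied User\registry.pol and pass them to parse_pol; running it on both the source and the target copy shows whether the same settings arrived.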