In part 1, we set the stage for the work we are about to do. We briefly went over the items that led up to our decisions. In the next parts, we’ll walk you through what we did. If you would like, you can go back and read Using ConfigMgr Compliance to Manage Security Configuration Baselines (Part 1) to get caught up.
Active Directory Group Policy
We need to get the settings that were already configured within the domain so that we can create the needed INF file templates for the non-registry policy settings.
To do this, let’s fire up an elevated PowerShell session and do the following:
If you know the name of the GPO you are looking for, you can simply export it to the desired location of your choice. Like this…
```powershell
Backup-GPO -Domain contoso.com -Name "Default Workstation Policy" -Path "C:\Temp\GPOExports\MyPolicy"
```
If you don’t know the name of the policy you are looking for, you can get the names using the following…
```powershell
(Get-GPO -Domain contoso.com -All).DisplayName
```
Or, if we only know part of the GPO name, we can search for all of those that have the portion of the name we remember in it. Example – to get all GPOs that contain the word ‘Default’ in the name…
```powershell
(Get-GPO -Domain contoso.com -All | Where-Object { $_.DisplayName -like "*Default*" }).DisplayName
```
But what if we want to have a choice of exporting ALL Group Policies, or just those with a specific word or term in their name? Well, we would script that. The script might look something like this. (The script below is the same script we used for our customer; I’m just placing it here for others to use if they wish.) By the way, you can also copy the code below and save it as ‘Export-GroupPolicyObjects.ps1’. It can be used to back up GPOs in the future as well.
```powershell
#Requires -RunAsAdministrator
#Requires -Module GroupPolicy
<#
.SYNOPSIS
    A script to export specified or even all GPOs from a domain. 'Verbose' option can be specified.
.DESCRIPTION
    A script to export/backup specified or even all GPOs from a domain.
    Exported GPOs are placed into "$($env:SystemDrive)\Temp\GPOExports"
    EXAMPLE - 'C:\Temp\GPOExports'
.PARAMETER Domain
    (Required parameter) Name of the domain to get group policy objects from.
.PARAMETER AllGPO
    (Default parameter) Exports ALL group policy objects in the specified domain
.PARAMETER SearchGPO
    (Optional parameter) Exports ONLY the group policy objects specified
.PARAMETER SearchGPOName
    (Required parameter when 'SearchGPO' is selected) Used to specify all or part of the group policy object name to be exported.
.EXAMPLE
    Export-GroupPolicyObjects.ps1 -Domain contoso.com
    Exports All group policy objects from the 'contoso.com' domain
.EXAMPLE
    Export-GroupPolicyObjects.ps1 -Domain contoso.com -AllGPO
    Exports All group policy objects (same as the default script behavior above) from the 'contoso.com' domain
.EXAMPLE
    Export-GroupPolicyObjects.ps1 -Domain contoso.com -SearchGPO -SearchGPOName "CAD Workstations"
    Exports the group policy objects with 'CAD Workstations' in the name from the 'contoso.com' domain
.NOTES
    ===========================================================================
    Created on:   12/4/2020 3:20 PM
    Created by:   Phil Pritchett
    Filename:     Export-GroupPolicyObjects.ps1
    ===========================================================================
#>
```
If we run the above script with the following command-line
```powershell
.\Export-GroupPolicyObjects.ps1 -Domain contoso.com -SearchGPO -SearchGPOName Workstation -Verbose
```
We see this output…
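The export step described above, written out as an added example rather than the post's own Export-GroupPolicyObjects.ps1: it backs up every GPO whose name matches a wildcard into a folder named after the policy and returns the location of each policy's GptTmpl.inf, which is the file the rest of the walkthrough works from. The function name, the per-GPO folder layout and the default export root are my assumptions.

```powershell
#Requires -Module GroupPolicy
# Added example (not the post's script): export matching GPOs and locate their SecEdit template.
# Assumes the GroupPolicy RSAT module is installed and the caller can read SYSVOL.
function Export-GpoWithSecEditTemplate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $NamePattern = '*',                              # e.g. '*Workstation*'; '*' exports all GPOs
        [string] $ExportRoot  = "$env:SystemDrive\Temp\GPOExports"
    )

    $gpos = Get-GPO -Domain $Domain -All | Where-Object { $_.DisplayName -like $NamePattern }
    if (-not $gpos) {
        Write-Warning "No GPO in $Domain matches '$NamePattern'"
        return
    }

    foreach ($gpo in $gpos) {
        # One folder per GPO, named after the policy; strip characters that are illegal in folder names.
        $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
        $target   = Join-Path $ExportRoot $safeName
        New-Item -ItemType Directory -Path $target -Force | Out-Null

        # Backup-GPO returns a GpoBackup object; its Id is the backup GUID folder created under $target.
        $backup = Backup-GPO -Domain $Domain -Guid $gpo.Id -Path $target -Comment "Baseline export $(Get-Date -Format s)"
        Write-Verbose "Exported '$($gpo.DisplayName)' (backup id $($backup.Id)) to $target"

        # The machine-side security template sits under ...\Machine\Microsoft\Windows NT\SecEdit\ in the backup.
        $inf = Get-ChildItem -Path $target -Recurse -Filter 'GptTmpl.inf' -ErrorAction SilentlyContinue |
               Where-Object { $_.FullName -like '*\Machine\Microsoft\Windows NT\SecEdit\*' } |
               Select-Object -First 1
        $infPath = if ($inf) { $inf.FullName } else { $null }   # $null: the GPO defines no machine security settings

        [pscustomobject]@{
            GpoName     = $gpo.DisplayName
            GpoGuid     = $gpo.Id
            BackupId    = $backup.Id
            ExportPath  = $target
            GptTmplPath = $infPath
        }
    }
}

# Usage, equivalent to the post's command line:
# Export-GpoWithSecEditTemplate -Domain contoso.com -NamePattern '*Workstation*' -Verbose
```

A GPO with a $null GptTmplPath has no Computer Configuration security settings, so it contributes no user rights and can be skipped in the steps that follow.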
OK, so now we have our GPO exported to “C:\Temp\GPOExports\Default Workstation Policy”. Let’s go take a look at the INF file. The file we need from the GPO is ‘GptTmpl.inf’. It should be located in “C:\Temp\GPOExports\<GPOName>\<GPOGuid>\DomainSysvol\GPO\Machine\Microsoft\Windows NT\SecEdit”.
First, let’s tackle the User Rights Assignments since they won’t be converted to ConfigMgr Configuration Items with the script.
Open the ‘GptTmpl.inf’ file with notepad to edit it. We need to remove all of the lines we don’t need.
You’ll notice that the INF is broken up into sections with each section header specified between the square brackets “[ ]”. There are three (3) sections we are interested in. They are:
- Unicode
- Version
- Privilege Rights
All of the other sections can be removed. Once this is done, you should have a file that looks similar to the one below.
Depending upon your organization’s security requirements, there may be more or less entries. Save the file as ‘UserRights.inf’ in the folder “C:\Temp\INF Files” so that we can create our individual custom INF files for use in our compliance remediation scripts.
Another way to create the custom INF files for our use is to leverage a script that will go through and generate them for us. The script code below will do just that. Just copy and save the code as “Generate-AllCustomINFFiles.ps1”.
```powershell
<#
.SYNOPSIS
    A script to process INF files from exported group policy objects and output custom INF files for use with secedit.exe imports.
.DESCRIPTION
    A script to process INF files from exported group policy objects and output custom INF files for use with secedit.exe imports.
    Folders and files will be created in the same folder as the running script.
.PARAMETER GPOExportDir
    (Required parameter) Parent folder/directory where exported group policy objects reside
.EXAMPLE
    Generate-AllCustomINFFiles.ps1 -GPOExportDir C:\Temp\GPOExports
    Processes all of the INF files in 'C:\Temp\GPOExports'
.NOTES
    ===========================================================================
    Created on:   2/2/2021 4:15 PM
    Created by:   Phil Pritchett
    Filename:     Generate-AllCustomINFFiles.ps1
    ===========================================================================
#>
```
When you run the above script, the screen output should look something like this…
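The manual trimming of GptTmpl.inf described above and the generator script it replaces, as one added example that is not the post's Generate-AllCustomINFFiles.ps1: it keeps only the [Unicode], [Version] and [Privilege Rights] sections, writes the combined UserRights.inf, and then writes one INF per user right so each remediation script can import a single setting with secedit.exe. The function name and the per-right file naming are my assumptions; the output folder matches the post.

```powershell
# Added example (not the post's script): build secedit-ready INF files from an exported GptTmpl.inf.
function New-UserRightsInf {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GptTmplPath,              # GptTmpl.inf from a GPO backup
        [string] $OutputDir = "$env:SystemDrive\Temp\INF Files"
    )

    # Parse the INF into an ordered section -> lines map; blank lines and ';' comments are dropped.
    $sections = [ordered]@{}
    $current  = $null
    foreach ($raw in Get-Content -Path $GptTmplPath) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.Contains($current)) { $sections[$current] = @() }
            continue
        }
        if ($current) { $sections[$current] += $line }
    }
    if (-not $sections.Contains('Privilege Rights')) {
        throw "No [Privilege Rights] section in $GptTmplPath; this GPO assigns no user rights."
    }

    # [Unicode] and [Version] are required by secedit; fall back to the standard values if the export lacks them.
    $unicode = if ($sections.Contains('Unicode')) { $sections['Unicode'] } else { @('Unicode=yes') }
    $version = if ($sections.Contains('Version')) { $sections['Version'] } else { @('signature="$CHICAGO$"', 'Revision=1') }
    $header  = @('[Unicode]') + $unicode + @('[Version]') + $version

    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

    # 1) One combined file, equivalent to the hand-trimmed UserRights.inf.
    $combined = $header + @('[Privilege Rights]') + $sections['Privilege Rights']
    # secedit reads the template as Unicode (UTF-16 LE), the encoding the GPO export already uses.
    Set-Content -Path (Join-Path $OutputDir 'UserRights.inf') -Value $combined -Encoding Unicode

    # 2) One file per right (e.g. SeRemoteShutdownPrivilege.inf) so each remediation imports only its own setting.
    $written = @()
    foreach ($entry in $sections['Privilege Rights']) {
        $right = ($entry -split '=', 2)[0].Trim()                  # left side of "SeXxx = *S-1-5-32-544,..."
        if ($right -notmatch '^Se\w+$') { Write-Warning "Skipping unexpected line: $entry"; continue }
        $file = Join-Path $OutputDir "$right.inf"
        Set-Content -Path $file -Value ($header + @('[Privilege Rights]', $entry)) -Encoding Unicode
        $written += $file
    }
    return $written
}
```

An entry with an empty right-hand side (for example `SeTcbPrivilege =`) is preserved as-is, since for secedit that means the right is assigned to no one, which is a deliberate hardening setting rather than a gap.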
Now that we have this much ready to go, we can move on to generating our discovery scripts for the ConfigMgr Configuration Items.
Below are links to the other posts in this series.