Set_FDCC_LGPO: Utility to apply FDCC settings to local group policy

[2009-04-15: Attachment removed. Bookmark this page for the latest versions of these utilities.]  

As promised in our webcast last week, we are publishing a utility that applies NIST's current set of GPOs to the Local Group Policy of the computer on which you run it.  It -- and the accompanying ReadMe.htm -- are included as an attachment to this post.

As a bonus, we are also publishing the source code (separate post).

Set_FDCC_LGPO is provided "AS-IS" without warranty, and is not officially supported by Microsoft customer support.

Set_FDCC_LGPO is a non-interactive tool that applies the Q3 2007 FDCC desktop policy settings from NIST to local group policy and optionally to the security settings of the computer as well.

 

The utility requires administrative rights, and runs only on Windows XP Service Pack 2 or higher, or Windows Vista (RTM or higher). If the utility is run without admin rights or on an unsupported platform, an error message is displayed in a message box dialog.

 

Command line syntax:

Set_FDCC_LGPO.exe [/Sec] [/log LogFile] [/error ErrorLogFile] [/boot]

/Sec                  Sets security policy settings in addition to registry-based (registry.pol) settings.

/log LogFile          Writes detailed results to a log file. If this option is not specified, output is neither logged nor displayed.

/error ErrorLogFile   Writes error information to a log file. If this option is not specified, error information is displayed in a message box dialog.

/boot                 Reboots the computer when done.

Note that all the parameters are optional. If run without parameters, the utility applies the registry.pol settings but not the security policy settings (which can override domain policy settings), does not write a log file, and displays an error message if an error occurred.

 

This utility is not a console app, so you won’t see a console window appear, and if you start it from a CMD prompt, it will run in the background – CMD won’t wait for it to complete. You can check in TaskMgr to see when it completes. If you want CMD to wait for Set_FDCC_LGPO to complete, run the utility with "start /wait".

 

The various registry.pol and gpttmpl.inf files from the expanded FDCC GPO folders are embedded in the executable. The appropriate policies are applied based on whether the utility is run on XP or Vista. The registry.pol files are parsed, and Group Policy APIs are used to apply their settings to local policy. If you specify /Sec to apply the gpttmpl.inf security templates, the utility runs secedit.exe for each of the appropriate settings files. You may see secedit.exe in the process list, but no visible window for it.

 

The main scenarios where you’d want to use the /Sec parameter are when the computer is not subject to domain policies – e.g., during image build, or for standalone/workgroup systems.

Comments

  • Anonymous
    January 01, 2003
    Aaron, I do not have AV on the system. I'll have to double check about the status of Windows Firewall though. I did have an interesting workaround. Running Set_FDCC_LGPO records error 0x80070020 into my log as previously stated. If I run the utility a second time it seems to take and my error log is then clean.

  • Anonymous
    January 01, 2003
    The utility for applying FDCC configuration settings en masse to a computer has been updated: The 0x80070020

  • Anonymous
    January 01, 2003
    Also, these two service settings are in the tool but not defined by FDCC: aspnet_state and Dnscache
    [Aaron Margosis] Whatever is in the tool comes from the NIST GPO downloads.

  • Anonymous
    January 01, 2003
    Set_FDCC_LGPO utility updated to conform to NIST's 2008 Q3 update (FDCC Major Version 1.0). Set_FDCC_LGPO is a utility to apply FDCC settings to Local Group Policy.

  • Anonymous
    January 01, 2003
    Set_FDCC_LGPO - source code and Visual Studio project files.

  • Anonymous
    January 01, 2003
    Set_FDCC_LGPO utility updated to conform to NIST's 2008 Q1 update. Set_FDCC_LGPO is a utility to apply FDCC settings to Local Group Policy.

  • Anonymous
    January 01, 2003
    These three service settings are missing from the tool: W3SVC, Fax, and MSFtpsvc

  • Anonymous
    September 28, 2010
    Where to download the actual file? I tried to go to: csrc.nist.gov/.../FDCC_Q1_2008_Revised_GPOs.zip and got an HTTP-404 error
    [Aaron Margosis] Which actual file? The GPOs? This is the content page: http://nvd.nist.gov/fdcc/download_fdcc.cfm Scroll down to find the links to the downloads.

  • Anonymous
    September 28, 2010
    Where is Set_FDCC_LGPO.exe file?
    [Aaron Margosis] Try here: http://blogs.technet.com/b/fdcc/archive/2008/05/07/LGPO-Utilities.aspx Explanation for what happened: http://blogs.technet.com/b/fdcc/archive/2010/10/02/fdcc-is-now-usgcb.aspx