Condividi tramite


New and Updated Local Group Policy Utilities

A customer requested an addition to the local group policy toolset posted on the FDCC blog.  While working on the new utility, I needed to upgrade the other two.  The full set is attached to this post, with documentation.  The source code for all of them is attached to a separate post.

The new utility, ImportRegPol, takes a registry policy file (registry.pol) as input.   It can import its contents into the local group policy of the local computer (Computer or User configuration), or simply read it and output Notepad-editable text that can be consumed by Apply_LGPO_Delta.

While working on it, I discovered and corrected subtle shortcomings in Set_FDCC_LGPO and Apply_LGPO_Delta.  The main shortcoming had to do with when a value or set of registry policy values were to be deleted:  if the settings were present when Set_FDCC_LGPO or Apply_LGPO_Delta was run, they would be deleted, but those deletion “commands” were not saved in the policy store.  So, if the settings were to be reintroduced, gpupdate from local policy would not remove them.  The new implementations insert the deletion “commands” into the policy store so that they can be applied whenever policy refreshes.  This required extending the input file syntax for Apply_LGPO_Delta and the log file output for Set_FDCC_LGPO, both of which have been bumped to v2.0.

While I was at it, I upgraded those utilities to Visual Studio 2008 and enabled ASLR and DEP.  In addition, the new version of Apply_LGPO_Delta does not perform an OS check, so it is no longer restricted only to Windows XP and Vista, and will run on any supported version of Windows.  Set_FDCC_LGPO still runs only on XP (SP2 or higher) or Vista (RTM or higher), because NIST hasn’t defined FDCC settings for any other versions of Windows.

Here is more information on the new ImportRegPol utility:

ImportRegPol

ImportRegPol is a non-interactive tool that imports the settings from a Registry Policy (registry.pol) file into the Computer or User configuration of the local group policy of the current computer.  It can also parse a registry.pol file and produce an editable text file that can be consumed by Apply_LGPO_Delta v2.0.

Introduction

Administrators frequently apply policies by copying registry.pol files into the Group Policy folders.  This technique is not supported by Microsoft, and has the unfortunate side effect of destroying any previously existing policies.  ImportRegPol reads the reference policy file and uses supported application programming interfaces (APIs) to add settings to local policy.

The format of registry policy files is a documented, binary file format, normally produced by Group Policy editors such as GpEdit.msc.  However, there aren’t any good viewers or editors for directly manipulating those files.  For this reason, the Apply_LGPO_Delta utility uses a custom, Notepad-editable text file format to define specific changes to apply to local group policy.  The log file format produced by ImportRegPol is compatible with Apply_LGPO_Delta v2.0.  ImportRegPol can be run in a “parse-only” mode to read a registry.pol file and produce an equivalent input for Apply_LGPO_Delta.

The utility requires administrative rights to import policies, but does not require administrator rights for parse-only mode.  Note that the in-use registry.pol files in the GroupPolicy folders can be used for input only in parse-only mode.

Command line syntax and usage:

The ImportRegPol command line syntax is described below.  All parameters are case-insensitive.  The command line must include -m or -u followed by the absolute or relative path to a registry policy file.  All other parameters are optional.

ImportRegPol.exe –m|-u pathregistry.pol [/parseOnly] [/log LogFile] [/error ErrorLogFile] [/boot]

-m pathregistry.pol   [for Computer configuration] or

-u pathregistry.pol   [for User configuration]

                        Pathregistry.pol specifies the absolute or relative path to the input registry policy file (which does not need to be named “registry.pol”).

/parseOnly             Reads and validates the input file but does not make changes to local group policy.  In conjunction with the /log option, can be used to convert a registry policy file to an input file for Apply_LGPO_Delta.

/log LogFile           Writes detailed results to a log file.  If this option is not specified, output is not logged nor displayed.  The logged results for the registry policy settings can be used as input for Apply_LGPO_Delta.

/error ErrorLogFile   Writes error information to a log file.  If this option is not specified, error information is displayed in a message box dialog.

/boot                  Reboots the computer when done.

This utility is not a console app, so you won’t see a console window appear, and if you start it from a CMD prompt, it will run in the background – CMD won’t wait for it to complete.  You can check in TaskMgr to see when it completes.  If you want CMD to wait for ImportRegPol to complete, run the utility with "start /wait".

[Update Jan 15 2010: new versions released -- see the LGPO Utilities page ]