Microsoft Security Compliance Manager (SCM v2) - Part 4

In this final part of this four-part series we’ll look at LocalGPO, which is a bit of a hidden gem in SCM, and round off the look at SCM with a summary.

Paul Schnackenburg

Paul Schnackenburg works part time as an IT teacher as well as running his own business in Australia. He has MCSE, MCT, MCTS and MCITP certifications. Follow his blog TellITasITis.

LocalGPO in SCM v2

LocalGPO is included with SCM but there’s no dependency between the two programs. Once you’ve installed SCM there’s an option on the Start Menu to also install LocalGPO. The traditional role of LocalGPO is to control workgroup computers where centralized AD deployment of GPOs isn’t an option, but in SCM v2 there’s also a new GPOPack feature that works with Microsoft Deployment Toolkit (MDT) 2010.

LocalGPO lets you export the current configuration of a reference computer as a GPO object provided you’re a local administrator and the export folder already exists:

LocalGPO also allows you to apply settings from a GPO backup file type to the local PC:

The GUID in italics is the identification of the GPO you want to apply.

The only drawback with LocalGPO in SCM v1 was the fact that you had to install LocalGPO on each machine where you’d like to use it and whilst it’s a quick installation this wasn’t very flexible.

Thus was born the new GPOPack option for LocalGPO, which packs the executable and the baseline into a single self-extracting file that can be applied without any prior installation. Whilst you can use this in many situations, it works very well as part of a task sequence in Microsoft Deployment Toolkit (MDT) 2010 to apply your security settings to a machine directly after installation with just a single line of code in a script.

If you don’t want to type out (and potentially misspell) long GUID folder names you can give the GPO Pack a friendly name, but be aware that this means you won’t be able to import the GPO object in the GPMC. When applying a GPOPack in a script, point to the GPOPack.wsf file that’s created by the GPOPack option like this:

You can also use LocalGPO to monitor workgroup computers in your environment for configuration drift: simply export their current settings and then compare them in SCM v2 against your company-sanctioned baseline.
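The drift comparison described above can also be scripted outside SCM. The following is an added example, not code from the article or from SCM/LocalGPO: it assumes the security-template (GptTmpl.inf) INI layout found inside a GPO backup, and the two templates, their values and the function names are constructed for illustration.

```python
import configparser

# Constructed sample data: two security-template fragments in the INI layout
# of a GptTmpl.inf file from a GPO backup (values are illustrative only).
BASELINE = """\
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""
EXPORTED = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 1
"""

def parse_template(text):
    """Return {(section, setting): value} for one security template."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() for k, v in cp[s].items()}

def find_drift(baseline_text, exported_text):
    """List (section, setting, baseline_value, exported_value) differences.
    None marks a setting that is absent on that side."""
    base = parse_template(baseline_text)
    cur = parse_template(exported_text)
    drift = []
    for key in sorted(set(base) | set(cur)):
        if base.get(key) != cur.get(key):
            drift.append((key[0], key[1], base.get(key), cur.get(key)))
    return drift

if __name__ == "__main__":
    for section, name, want, have in find_drift(BASELINE, EXPORTED):
        print(f"[{section}] {name}: baseline={want!r} exported={have!r}")
```

Real GptTmpl.inf files are UTF-16 encoded, so decode them accordingly before passing their text to `find_drift`.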

SCM v2 - LocalGPO GPOPack

LocalGPO is a very versatile tool and the new GPOPack option opens up additional possibilities.

SCM v2 beta in summary

Everyone knows that both servers and client computers need to be locked down in a business environment, and each successive version of Windows has added more versatile GPO options to achieve just that. But with the proliferation of GPO settings comes the difficulty of selecting the right settings and the appropriate level of lockdown. Too locked down and users are hindered in their work and productivity suffers; too open and you end up with an insecure environment.

SCM v2 is an awesome tool that helps any administrator with these challenges, which should bode well for its popularity. The new GPO Import functionality is great and the GPOPack in LocalGPO is really cool, but most importantly the interface is much easier to work with.

SCM v2 is an excellent product that belongs in every sysadmin’s toolbox, especially considering it’s free.

Resources

Microsoft Solution Accelerators Security & Compliance blog

© 4sysops 2006 - 2017