In this final part of this four part series we’ll look at Local GPO which is a bit of a hidden gem in SCM and round off the look at SCM with a summary.

LocalGPO in SCM v2

LocalGPO is included with SCM but there’s no dependency between the two programs. Once you’ve installed SCM there’s an option on the Start Menu to also install LocalGPO. The traditional role of LocalGPO is to control workgroup computers where centralized AD deployment of GPOs isn’t an option but in SCM v2 there’s also a new GPOPack feature that works with Microsoft Deployment Toolkit (MDT) 2010.

LocalGPO lets you export the current configuration of a reference computer as a GPO object provided you’re a local administrator and the export folder already exists:

LocalGPO.wsf /Path:c:\GPOBackup /Export

LocalGPO also allows you to apply settings from a GPO backup file type to the local PC:

LocalGPO.wsf /Path:c:\GPOBackup\{12345678-9ABC-DEFG-1234-56789ABCDEFG}

The GUID in italics is the identification of the GPO you want to apply.

The only drawback with LocalGPO in SCM v1 was the fact that you had to install LocalGPO on each machine where you’d like to use it and whilst it’s a quick installation this wasn’t very flexible.

Thus was born the new GPOPack option for LocalGPO which packs the executable and the baseline into a single self-extracting file which can be applied without any prior installation. Whilst you can use this in many situations it works very well as part of a task sequence in Microsoft Deployment Toolkit (MDT) 2010 to apply your security settings to a machine directly after installation with just a single line of code in a script.

If you don’t want to type out (and potentially misspell) long GUID folder names you can name the GPO Pack with a friendly name, be aware that this means you won’t be able to import the GPO object in the GPMC. When applying a GPOPack in a script point to the GPOPack.wsf file that’s created by the GPOPack option like this:

C:\GPObackup\{12345678-9ABC-DEFG-1234-56789ABCDEFG }\GPOPack.wsf 
  /path:C:\GPOBackups\{12345678-9ABC-DEFG-1234-56789ABCDEFG } /silent

You can also use LocalGPO to monitor workgroup computers in your environment for configuration drift, simply export their current settings and then compare them in SCM v2 against your company sanctioned baseline.

SCM v2 -LocalGPO GPOPack

LocalGPO is a very versatile tool and the new GPOPack option opens up additional possibilities.

SCM v2 beta in summary

Everyone knows that both servers and client computers need to be locked down in a business environment, each successive version of Windows have added more versatile GPO options to achieve just that. But with the proliferation of GPO settings comes the difficulty in selecting the right settings and the appropriate level of lock down. Too locked down and users are hindered in their work and productivity suffers, too open leads to an insecure environment.

SCM v2 is an awesome tool that helps any administrator with these challenges which should bode well for its popularity. The new GPO Import functionality is great and the GPOPack in LocalGPO is really cool but most importantly the interface is much easier to work with.

SCMv2 is an excellent product that belongs in every sysadmins toolbox, especially considering it’s free.


Microsoft Solution Accelerators Security & Compliance blog


Leave a reply

Please enclose code in pre tags

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account