Secedit to Export Edit and Then Again Import Policy Settings
Microsoft's Local Group Policy Object (LGPO) Utility is a standalone command-line executable that assists administrators in automating the management of a computer's local security policy. The tool uses a combination of Group Policy Template (GptTmpl.inf) files, Registry Policy (registry.pol) files, and Audit Policy (audit.csv) files to apply desired configuration settings to endpoints.

The free LGPO Utility is part of Microsoft's Security Compliance Toolkit and can be downloaded here. To complete the download, you can follow these simple steps:

By default, the download should be stored within your user profile's Downloads directory.

At the time of this writing, LGPO is versioned at 3.0.2004.13001 (v3.0). According to Microsoft, here is what comes packed with the new version:

Two new options were added in LGPO.exe. The first, /ef which enables Group Policy extensions referenced in the backup.xml. The second, /p which allows for importing settings directly from a .PolicyRules file, which negates the need to have the actual GPOs on hand. Additionally, LGPO.exe /b and /g now capture locally-configured client-side extensions (CSEs) (which we had an issue with previously). Lastly, /b also correctly captures all user rights assignments, overcoming a bug in the underlying "secedit.exe /export" that fails to capture user rights assignments that are granted to no one.

LGPO.exe functions as a standalone executable program that can be run directly from the command line. It does not install additional software on your system to perform its tasks. To run the program, open a command prompt and navigate to the executable file. I have stored mine in C:\LGPO.
LGPO has 4 (four) core modes, each of which has been listed below:
Parse a registry.pol file to "LGPO text" format
Build a registry.pol file from "LGPO text"

Using one or more of the modes listed above, this post will describe specifics regarding how to:

Additional information on how to use the LGPO Utility can be found within the LGPO.pdf file that comes embedded within the .zip download.

HOW-TO GUIDE

BACKUP LOCAL POLICY
Before applying a new policy, it is always best practice to create a backup of the system's current configuration. To do this, use the /b LGPO switch:
LGPO Task: Create a GPO backup in Path, where Path is the location the backup will be stored
LGPO Switch: /b
LGPO Steps:
The following command will back up the system's local policy and store it in C:\LGPO\Backup
Command: C:\> C:\LGPO\LGPO.exe /b C:\LGPO\Backup

IMPORT COMPLIANT POLICIES (FULL IMPORT)
There are several ways to obtain preconfigured policies, to include preconfigured DCSA and DISA releases. DCSA provides the NISP Classified Configuration (NISP CC) tool, which contains all the required policy files to facilitate the hardening exemplified within this post. DISA provides Group Policy Objects, which are located on the public-facing DoD Cyber Exchange. For more information on each, see the DCSA NISP CC Instructions and the DISA GPOs.

The /g option offers the ability to import settings from one or more policy exports/backups, which contain Registry Policy (e.g., registry.pol) files, Security Templates (e.g., GptTmpl.inf), Advanced Auditing templates (e.g., audit.csv), and backup.xml files (used for GP client-side extensions (CSEs)). "Machine" and "User" registry.pol settings must exist within their respective "Machine" or "User" subdirectory for the associated settings to be applied to the correct registry hive.
LGPO Task: Import settings from one or more GPO exports/backups under Path, where Path is the location of the GPO GUID
LGPO Switch: /g
LGPO Steps:
The following command will apply policy settings (GptTmpl.inf, registry.pol, and audit.csv) that exist inside the {F02F0236-6A68-40F2-8F91-1861194EB794} directory. {F02F0236-6A68-40F2-8F91-1861194EB794} is an example of a GUID.
Command: C:\LGPO\LGPO.exe /g 'C:\LGPO\Backup\{F02F0236-6A68-40F2-8F91-1861194EB794}\'

This simple command drastically increased the secure configuration of my Virtual Machine (VM), according to the DISA-released Windows 10 Benchmark.
SCAP Compliance Checker (SCC) Before Policy Import: 46.51% Compliant
SCAP Compliance Checker (SCC) After Policy Import: 96.28% Compliant

IMPORT COMPLIANT POLICIES (PARTIAL IMPORT)
Under certain circumstances, it may not be necessary to import an entire policy. Some additional use implementations have been exemplified below.

IMPORT TEMPLATE SETTINGS ONLY:
LGPO Task: Apply a specified security template
LGPO Switch: /s
LGPO Steps:
The following command will apply the settings defined within the C:\LGPO\Backup\GptTmpl.inf template file
Command: C:\> C:\LGPO\LGPO.exe /s C:\LGPO\Backup\GptTmpl.inf

IMPORT REGISTRY POLICY SETTINGS ONLY:
LGPO Task: Import settings from registry.pol into a specified config (Machine | User | Administrators | Non-Administrators | Specific User)
LGPO Switch:
/m: Import settings from registry.pol into machine config
/u: Import settings from registry.pol into user config
/ua: Import settings from registry.pol into user config for Administrators
/un: Import settings from registry.pol into user config for Non-Administrators
/u:username: Import settings from registry.pol into user config for local user specified by "username"
LGPO Steps:
The following command will apply the machine registry settings defined within C:\LGPO\Backup\Machine\registry.pol and the user registry settings defined within C:\LGPO\Backup\User\registry.pol
Command: C:\> C:\LGPO\LGPO.exe /m C:\LGPO\Backup\Machine\registry.pol /u C:\LGPO\Backup\User\registry.pol

IMPORT AUDIT POLICY SETTINGS ONLY
LGPO Task: Clear the system's audit policy and apply a new audit policy configuration
LGPO Switch:
/a: Apply advanced auditing settings
/ac: Clear advanced auditing settings and apply new advanced auditing settings
LGPO Steps:
1. Open a command prompt as an administrator
2. Navigate to the directory that contains the LGPO executable file (LGPO.exe)
3. Run LGPO.exe /ac Path, where Path is the location of the audit.csv file
The following command will clear the system's current audit policy to apply the audit policy settings defined within the C:\LGPO\Backup\audit.csv file
Command: C:\LGPO> C:\LGPO\LGPO.exe /ac C:\LGPO\Backup\audit.csv
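
Because /ac clears the existing audit policy before applying the new one, the following PowerShell (an added example, not from the original post) saves the current policy with auditpol /backup, runs the /ac import, and then compares the effective settings with audit.csv. It assumes English auditpol output with the "Subcategory GUID" and "Inclusion Setting" columns, that LGPO.exe returns a non-zero exit code on failure, and a hypothetical audit-before.csv file name.

```powershell
#Requires -RunAsAdministrator
# Added example. Paths follow the article; $Undo is a hypothetical file name.
$Lgpo     = 'C:\LGPO\LGPO.exe'
$AuditCsv = 'C:\LGPO\Backup\audit.csv'
$Undo     = 'C:\LGPO\Backup\audit-before.csv'

# /ac clears the existing audit policy first, so capture it before the change.
auditpol.exe /backup "/file:$Undo" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed ($LASTEXITCODE)" }

# Assumption: LGPO.exe exits non-zero when the import fails.
& $Lgpo /ac $AuditCsv
if ($LASTEXITCODE -ne 0) { throw "LGPO /ac failed ($LASTEXITCODE)" }

# Effective policy after the import, keyed by subcategory GUID.
# Hashtable keys are case-insensitive, so GUID casing differences do not matter.
$effective = @{}
auditpol.exe /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv |
    ForEach-Object { $effective[$_.'Subcategory GUID'] = $_.'Inclusion Setting' }

# Compare every subcategory requested in audit.csv with what is now in effect.
$drift = Import-Csv -LiteralPath $AuditCsv |
    Where-Object { $_.'Subcategory GUID' } |
    ForEach-Object {
        $now = $effective[$_.'Subcategory GUID']
        if ($now -ne $_.'Inclusion Setting') {
            [pscustomobject]@{
                Subcategory = $_.Subcategory
                Wanted      = $_.'Inclusion Setting'
                Effective   = $now
            }
        }
    }

if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Warning "Audit policy differs from $AuditCsv. Pre-change copy: $Undo"
} else {
    Write-Host "All subcategories in $AuditCsv are in effect."
}
```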
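
The backup (/b) and full import (/g) steps described earlier, with the Machine/User folder rule for registry.pol checked first, as an added PowerShell example that is not part of the original post. C:\LGPO\Baseline is a hypothetical folder for the GPO backup being imported, and the script assumes LGPO.exe returns a non-zero exit code on failure.

```powershell
#Requires -RunAsAdministrator
# Added example. $Lgpo and $BackupRoot follow the article's C:\LGPO layout;
# $Baseline is a hypothetical folder holding the GPO backup(s) to import.
$Lgpo       = 'C:\LGPO\LGPO.exe'
$BackupRoot = 'C:\LGPO\Backup'
$Baseline   = 'C:\LGPO\Baseline'

# Pre-flight: every registry.pol must sit in a Machine or User folder,
# otherwise its settings cannot be matched to the correct registry hive.
$misplaced = Get-ChildItem -LiteralPath $Baseline -Recurse -File -Filter 'registry.pol' |
    Where-Object { $_.Directory.Name -notin 'Machine', 'User' }
if ($misplaced) {
    throw "registry.pol outside Machine/User: $($misplaced.FullName -join ', ')"
}

# Record what the import will read, with hashes, so the change is reviewable.
$policyFiles = 'registry.pol', 'GptTmpl.inf', 'audit.csv', 'backup.xml'
Get-ChildItem -LiteralPath $Baseline -Recurse -File |
    Where-Object { $_.Name -in $policyFiles } |
    Get-FileHash -Algorithm SHA256 |
    Format-Table Hash, Path -AutoSize

# Step 1: back up the current local policy (/b) and confirm a new folder appeared.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
$before = Get-ChildItem -LiteralPath $BackupRoot -Directory |
    Select-Object -ExpandProperty Name
& $Lgpo /b $BackupRoot
# Assumption: LGPO.exe exits non-zero on failure.
if ($LASTEXITCODE -ne 0) { throw "LGPO /b failed with exit code $LASTEXITCODE" }
$saved = Get-ChildItem -LiteralPath $BackupRoot -Directory |
    Where-Object { $_.Name -notin $before }
if (-not $saved) { throw 'No new backup folder found; not importing.' }

# Step 2: import the baseline (/g) only once the backup is confirmed on disk.
& $Lgpo /g $Baseline
if ($LASTEXITCODE -ne 0) { throw "LGPO /g failed with exit code $LASTEXITCODE" }
Write-Host "Imported $Baseline; pre-change backup is in $($saved.FullName)"
```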
Source: https://blog.securestrux.com/applying-configuration-with-microsofts-lgpo-utility