Microsoft Security Compliance Manager

Introducing the Local Policy Tool

When you install the SCM tool, another utility called the Local Policy Tool (LPT) becomes available. This tool is designed to assist you with two optional tasks:

• Applying a security baseline to the local Group Policy of a computer.
• Exporting the local Group Policy of a computer to a Group Policy backup file.
• Updating the user interface of the Group Policy management tools.

You may want to apply the settings to the local Group Policy for stand-alone computers. You should update the user interface on the computers you will use to manage Group Policy so that you can view and manage the additional security settings discussed in this Help. The following sections discuss how to use the LPT to accomplish these tasks.

Modifying Local Group Policy

You can use the LPT to modify the local Group Policy of a computer by applying the security settings included in the GPOs described earlier. The LPT will apply the security setting values recommended in this Help to modify the local policy. The tool does this by importing the settings from a GPO backup into the local Group Policy. Use the SCM tool to generate the GPO backup for the desired baseline.

To apply a GPO backup file to the local Group Policy 

1. Log on as an administrator.
2. On the computer, click Start, click All Programs, and then click LocalGPO.
3. Right-click LocalGPO Command Line, and then click Run as administrator to open a command prompt with full administrative privileges.

   Note   If prompted for logon credentials, type your user name and password, and then press ENTER.

4. At the command prompt, type cscript LocalGPO.wsf /Path:<path> and then press ENTER where <path> is the path to the GPO backup.
5. Completing this procedure modifies the local security policy settings using the values included in the GPO backup. You can use GPEdit.msc to review the configuration of the local Group Policy on your computer.

To restore local Group Policy to the default settings

1. Log on as an administrator.
2. On the computer, click Start, click All Programs, and then click LocalGPO.
3. Right-click LocalGPO Command Line, and then click Run as administrator to open a command prompt with full administrative privileges.

   Note   If prompted for logon credentials, type your user name and password, and then press ENTER.

4. At the command prompt, type cscript LocalGPO.wsf /Restore, and then press ENTER.

Completing this procedure restores all local policy settings to their default values.

Exporting Local Group Policy to a GPO Backup File

You can use LPT to export a computer’s local Group Policy to a GPO backup file, which you can than apply to the local Group Policy of other computers or import into Active Directory.

To export local Group Policy to a GPO backup file 

1. Log on as an administrator.
2. On the computer, click Start, click All Programs, and then click LocalGPO.
3. Right-click LocalGPO Command Line, and then click Run as administrator to open a command prompt with full administrative privileges.

   Note   If prompted for logon credentials, type your user name and password, and then press ENTER.

4. At the command prompt, type cscript LocalGPO.wsf /Path:<path> /Export and then press ENTER where <path> is the path to the GPO backup.
5. Completing this procedure exports all local security policy settings to a GPO backup.

Updating the Security Configuration Editor User Interface

The solution presented in this guidance uses GPO settings that do not display in the standard user interface (UI) for the GPMC or the Security Configuration Editor (SCE) tool. These settings, which are all prefixed with MSS:, were developed by the Microsoft Solutions for Security group for previous security guidance.

For this reason, you need to extend these tools so that you can view the security settings and edit them as required. To accomplish this, the LPT automatically updates your computer while it creates the GPOs. Use the following procedure to update the SCE on the computers where you plan to manage the GPOs created with the SCM tool.

To modify the SCE to display MSS settings

1. Ensure that you have met the following prerequisites:
   • ·      The computer is joined to the domain using Active Directory where you created the GPOs.
   • ·      The SCM tool is installed.
2. Log on as an administrator.
3. On the computer, click Start, click All Programs, and then click LocalGPO.
4. Right-click LocalGPO Command Line, and then click Run as administrator to open a command prompt with full administrative privileges.

   Note   If prompted for logon credentials, type your user name and password, and then press ENTER.

5. At the command prompt, type cscript LocalGPO.wsf /ConfigSCE and then press ENTER.

   Note   This script only modifies SCE to display MSS settings. This script does not create GPOs or OUs.

The following procedure removes the additional MSS security settings, and then resets the SCE tool to the default settings.

To reset the SCE tool to the default settings

1. Log on as an administrator.
2. On the computer, click Start, click All Programs, and then click LocalGPO.
3. Right-click LocalGPO Command Line, and then click Run as administrator to open a command prompt with full administrative privileges.

   Note   If prompted for logon credentials, type your user name and password, and then press ENTER.

4. At the command prompt, type cscript LocalGPO.wsf /ResetSCE and then press ENTER.

   Note   Completing this procedure reverts the SCE on your computer to the default settings. Any settings added to the default SCE will be removed. This will only affect the ability to view the settings with the SCE. Configured Group Policy settings remain in place.