Use Script To Edit Local Group Policy Windows Server 2012

Tags: automation, group-policy, hardening, local, windows-server-2012-r2

I'm hardening a Windows Server 2012 R2 machine for serving secure web pages and following a guide that lays out multiple Local Group Policy Settings and Registry Settings.

When researching how to automate this process I only find ways to export and import Group Policy using PowerShell as follows:
https://technet.microsoft.com/en-us/library/ee461027.aspx

This server machine is not joined to a domain and doesn't have Group Policy Management Console installed. Unfortunately, I have not found a resource to use an automatic method (script, code) to change Local Group Policy settings such as:

Local Group Policy Editor -> Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Global Object Access Auditing -> Defined this Policy -> Configure

Local Group Policy Editor -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network access: Do not allow anonymous enumeration of SAM accounts and shares

My end goal is to create a process or script that can set around 100 different Registry Settings and Local Group Policy Settings on a server machine in order to lock it down, avoiding manually configuring each one.

Best Answer

I have been able to research and find what I need on this goal! The resource I found the best direction from was as follows:

http://www.itninja.com/blog/view/using-secedit-to-apply-security-templates

The local group policy settings and security settings can be transferred in a couple of steps:

1. Security Settings:

Right-click Security Settings in Local Group Policy Editor (Edit Group Policy) and select Export Policy... Save the .inf file and transfer it to the machine on which you wish to use the same settings. On the new machine, open a command prompt and use the secedit command:

secedit /configure /db c:\windows\security\local.sdb /cfg {.\path\to.inf}

Review any errors that come back; I was dealing with user accounts trying to be set for permissions that did not exist on the new machine.

2. The rest of Local Group Policy

Locate the %systemroot%\system32\grouppolicy\ hidden folder and copy the subfolders to the target machine in the same location.

Open a command prompt and use:

gpupdate /force

3. The remains

For the miscellaneous settings I was able to use PowerShell commands to add or edit registry keys:

Add:

New-Item -Path HKCU:\Software -Name hsg -Force

Edit:

PS C:\> Push-Location

PS C:\> Set-Location HKCU:\Software\hsg

PS HKCU:\Software\hsg> Set-ItemProperty . newproperty "mynewvalue"
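As an added example (not part of the original answer), here are the three steps above combined into one idempotent PowerShell script that also checks the secedit log and verifies the registry values afterwards. The template path, log path, the GroupPolicy source share and the commented-out registry rows are assumptions; the only real registry entry is the HKCU:\Software\hsg value used above.

```powershell
#Requires -RunAsAdministrator
# Assumed paths: the .inf exported via "Export Policy..." on the reference machine, and a log file.
$Template = 'C:\Hardening\secpol.inf'
$Db       = 'C:\Windows\security\local.sdb'
$Log      = 'C:\Hardening\secedit.log'

# 1. Security Settings: apply the template and surface log errors (e.g. unresolvable accounts)
#    instead of reading the log by hand.
secedit.exe /configure /db $Db /cfg $Template /log $Log /quiet
if ($LASTEXITCODE -ne 0) { Write-Warning "secedit exited with code $LASTEXITCODE" }
Get-Content $Log | Where-Object { $_ -match 'error' } | ForEach-Object { Write-Warning $_ }

# 2. The rest of Local Group Policy: copy the GroupPolicy folder from an assumed share, then refresh.
$Source = '\\build01\hardening\GroupPolicy'
if (Test-Path $Source) {
    Copy-Item -Path "$Source\*" -Destination "$env:SystemRoot\System32\GroupPolicy" -Recurse -Force
    gpupdate.exe /force
}

# 3. Registry settings: one row per setting. First row is the key from the answer above;
#    add further rows from the hardening guide (placeholder shown commented out).
$RegistrySettings = @(
    @{ Path = 'HKCU:\Software\hsg'; Name = 'newproperty'; Value = 'mynewvalue'; Type = 'String' }
    # @{ Path = 'HKLM:\SOFTWARE\PLACEHOLDER'; Name = 'PlaceholderName'; Value = 1; Type = 'DWord' }
)

function Set-HardeningValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }   # create key only if missing
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -ne $Value) {
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
        "SET  $Path\$Name = $Value"
    } else { "OK   $Path\$Name already $Value" }
}

function Test-HardeningValue {
    param([string]$Path, [string]$Name, $Value)
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{ Path = $Path; Name = $Name; Expected = $Value; Actual = $current; Compliant = ($current -eq $Value) }
}

foreach ($s in $RegistrySettings) { Set-HardeningValue @s }

# Verification pass: list any value that did not end up as expected (empty output means all compliant).
$RegistrySettings | ForEach-Object { Test-HardeningValue -Path $_.Path -Name $_.Name -Value $_.Value } |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run the verification block on its own after a reboot or policy refresh to detect drift from the intended baseline.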
