Forcing Group Policy Objects to be applied on local Accounts

  • Question

  • Hi there,

    I'm working for a company with multiple branches. Some of our employees have laptops for Internet browsing and Office, but most of them work on our terminal servers. The network connection to the branch offices is not the best and most laptops are shared, so we don't want our users to log on to them with their domain account and sync their profiles. The laptops are joined to the domain, so we are able to configure settings via GPOs. But there is the weak point. We are only able to force settings for the computer. The settings for users are ignored, even if the policy is set to everyone.

    I don't want to take every laptop and modify the local security settings locally. I want an automated solution!!

    I found a blog about a Microsoft tool that is able to import a GPO backup into the local security settings. It is called LGPO.exe and is part of the Microsoft Security Compliance Toolkit. I placed a backup of two GPOs in a local folder (configuration for Office and browser) and ran the tool [LGPO.exe /g <Path to GPO-Backup>]. TADAA! The GPO settings were forced on all local users. OK, let's take it one step further. I created a share on our DFS and placed the GPO backups in it. Then I created a new GPO, which creates a scheduled task on each laptop. The scheduled task is configured to run as System (use "%LocalDomain%\System" as user in the GPO) on "System Startup". The computer account is in the domain, so you don't need to configure a username and password to access the share :) (I built in a 1-minute delay to ensure the network is present and also marked the "run only if network is present" option.) This will start the command and sync my GPO backup to the local security settings.

    So after all, all I need to do is copy a backup of my GPOs to the share if the GPO is changed. You are able to create a share for each GPO you need, or place them all in one folder (depends on what settings you want to deploy). The best of all is, if a user logs on with a domain user account and has different settings configured, don't worry! Domain settings will be enforced and overwrite local settings, but you have a configured user if no domain user is logged on.

    Please excuse my English, I did my best. Cheers!

    Link to Blog and Microsoft Security Compliance Toolkit

     https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/

    https://www.microsoft.com/en-us/download/details.aspx?id=55319

    Saturday, July 6, 2019 9:47 PM
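
The following script is an added example, not part of the original post or of Microsoft's toolkit: one way to write the command that the startup scheduled task runs, so that the import works from a local copy and leaves a log. The share path, the LGPO.exe location and the `LgpoSync` folder under ProgramData are hypothetical names.

```powershell
# Added example: script for the startup task described above (runs as SYSTEM).
# $Share and $Lgpo are hypothetical paths; replace them with your own.
$Share   = '\\example.local\dfs\LGPO-Backups'
$Lgpo    = 'C:\Tools\LGPO\LGPO.exe'
$Root    = Join-Path $env:ProgramData 'LgpoSync'
$Staging = Join-Path $Root 'Staging'
$Log     = Join-Path $Root 'sync.log'

function Write-Log([string]$Message) {
    '{0:u} {1}' -f (Get-Date), $Message | Add-Content -LiteralPath $Log
}

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Poll for the share instead of relying only on a fixed startup delay.
$deadline = (Get-Date).AddMinutes(5)
while (-not (Test-Path -LiteralPath $Share)) {
    if ((Get-Date) -gt $deadline) { Write-Log "Share unreachable: $Share"; exit 1 }
    Start-Sleep -Seconds 15
}
if (-not (Test-Path -LiteralPath $Lgpo)) { Write-Log "LGPO.exe not found: $Lgpo"; exit 1 }

# Copy to a local folder first so a dropped link cannot interrupt the import.
if (Test-Path -LiteralPath $Staging) { Remove-Item -LiteralPath $Staging -Recurse -Force }
try {
    Copy-Item -LiteralPath $Share -Destination $Staging -Recurse -Force -ErrorAction Stop
} catch {
    Write-Log "Copy failed: $($_.Exception.Message)"; exit 1
}

# GPO backups are folders named with a GUID in braces; stop if none arrived.
$backups = @(Get-ChildItem -LiteralPath $Staging -Directory -Recurse |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })
if ($backups.Count -eq 0) { Write-Log 'No GPO backup folders found'; exit 1 }

# Same command as in the post, pointed at the staged copy; output goes to the log.
& $Lgpo /g $Staging 2>&1 | ForEach-Object { Write-Log "$_" }
Write-Log "LGPO.exe /g finished with exit code $LASTEXITCODE ($($backups.Count) backup folder(s))"
exit $LASTEXITCODE
```

Because the task applies whatever is in the share as SYSTEM, write access to the share should be limited to the administrators who maintain the GPO backups.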

Answers