MDT 2012 – Apply Local GPO through Task sequence – Part II

MLGPOLogo

Hello World,

In the previous post related to MDT and Local GPO, we have explained how to get the tool that would allow you to backup and restore local gpos.  We have also briefly described how to use the tool.  In this post, we want to demonstrate how we could indeed use and apply local GPOs and integrate them in a MDT task sequence.  If you are ready, we can go !

Prepare your Computer with your local GPOs

step 1 – Create your Local GPO

Here, we will have a look at the most common scenario we can encounter inside corporate organizations.  In this scenario, we assume that the workstations are not joined into a domain but the IT department still need to have standard configuration of the standalone laptop or workstations.  Standard configuration can be achieved via Group Policies.  If the machines are joined into the domain, you should not apply local gpo’s given that the Domain GPO will apply and configure the required settings as required.

In our scenario, let’s imagine that the management has decided to block access access to the registry to all users.  You will need to configure a local policy for that.  To configure this basic local policy, you will need to perform the following actions :

Step 1 –  From the start menu, type gpedit.msc.  The group policy editor console should open

Step 2 – Expand the User configuration Node->Administrative Templates->System and locate the option “Prevent access to registry editing tools” 

Step 3 –  Double-click on it and the configuration page will be displayed.  Tick the Enabled Radio button and Press OK

localgpo11

click on Picture for better Resolution

Step 4 – Logoff/logon from your machine or from the command prompt type gpupdate /force

Step 5 – Try to open the registry tool (by typing regedit from the start menu) and you should see the popup dialog box stating that you cannot perform this operation.

localgpo12

Click on Picture for better Resolution

 

Note :

Here, we have configured a user gpo (which will apply to all users that will log into this computer). You can also decide to create computer policies (which will also apply to all users that are login into the workstation.

 

You can configure additonal settings using the Gpedit.msc tool.  For example, we have configured (randomly) the following gpo settings.

allgpo

Click on Picture for better Resolution

 

Step 2 – Export (or backup) the local gpos

We assume that you have the localgpo tool already installed on your reference workstation.  if not, please read the following post in order to install the necessary tool to import/export the local gpos.

As explained in this post, we can perform an export of the local gpo by using the localgpo tool.   Because we want the GPO backup in conjunction with MDT, we will create a GPOPack.  To create the GPOPack, you will need to perform the following actions :

Step 1 – Open a command prompt with elevated privilege and  browse to the following directory c:\Program files  (x86)\LocalGPO\

Step 2 – To create a GPOpack that would be useable with MDT, type the following command in your command prompt

cscript localgpo.wsf /Path:<%location_for_GPO_pack%>  /Export /GPOPack:<%Name of the GPOPack%>

localgpo13

Click on Picture for better Resolution

Step 3 –  Go to the location where you have decided to store your GPOPack and you should see something similar to this inside the folder

r_localgpo3

Click on Picture for better Resolution

Step 4 –  You can manually test your GPOpack to ensure that the GPO Settings are the one you need by running the following command

cscript <%Location_GPoPack%>\Gpopack.wsf

You will be see a dialog box asking you if you are sure you want to apply the GPOpack.  Press Yes to apply them

r_localgpo1

Click on Picture for better Resolution

To get rid of the dialog box (which could be useful for automate the process), you would simply append the /silent switch (i.e. cscript <%Location_GPoPack%>\Gpopack.wsf /silent)

  r_localgpo2

Click on Picture for better Resolution

At this stage, you should be quite ready to move this GPOpack to your MDT Server and integrate it into your task sequence.  This is exactly the next step will go through….

 

Step 3 – Configure your MDT To process your GPOPacks

The first thing you will need to do is copy the GPOPack you have created in the correct location.  By default, MDT already comes with some GPOPacks and they are stored in the following location :  <%DriveLetter%>\DeploymentShare\Templates\GPOPacks

lgpo4

Click on Picture for better Resolution

You will have to copy your Custom GPOPack into this location in order to make it available to the MDT Server.  In our case, we have created 2 additional GPOPacks.

lgpo5

Click on Picture for better Resolution

The final step before deploying our build is to let know MDT server that a custom GPOPack is available.  To let know MDT that he needs to use the custom GPOPack, you will simply add a small line in the Customsettings.ini file.   You will perform the following actions

Step 1 – Open youre deployment workbench console

Step 2 – right-click on your Deployment Share->select Properties

Step 3 – In the properties page, click on the rules tab

step 4 – To have MDT using your custom GPOPack, add the following line GPOPack=<%Name of your GPOPack%>

lgpo6

Click on Picture for better Resolution

Step 5 – By default, MDT Tasks templates will already include a Apply GPOPack task but it worth checking.

 

lgpo7

Click on Picture for better Resolution

At this stage, you are done !  You have just configured your MDT server to apply custom local GPO during your deployment

Special Case – Internet Kiosk Configuration

So far, we have seen a standard scenario where GPO are the same for all users.  If you remember,in this post, I was working with some friends in order to deploy and configure an Internet Kiosk computer.  To meet the requirements,  we have configured the computer by using Multiple Local GPO (MLGPO).  the MLGPO allows you to apply different GPO settings for different users.  In our scenario, local administrators would need to have full access to the desktop environment and no restrictions on the administrative tools. On the other hand, standard users would have only accessed to a limited set of functionalities. Because we were building up an internet kiosk, a standard user would when login into the machine would have Internet Explorer defined as a standard desktop shell and no access to the control panel, command prompt, registry tools,…..  The standard user would have really limited functionalities.

Multiple Local GPO

Normally, to configure MLGPO, you will need to configure GPO for standards users and GPO for administrators users.  To configure MLGPO, you will need to perform the following actions;

1. From the start menu, type mmc.exe (with elevated privileges)

r_localgpo10

Click on Picture for better Resolution

2. in the mmc.exe console menu, select file ->Add/Remove Snap-in

r_localgpo11

Click on Picture for better Resolution

3. Select the Group Policy editor object and press the Add Button

r_localgpo12

Click on Picture for better Resolution

4. In the welcome Group Policy Wizard Policy, click on the Browse

r_localgpo13

Click on Picture for better Resolution

5. In the Browse page, click on Users tab  and select the user or the group of users you want to apply the GPO.

r_localgpo14

Click on Picture for better Resolution

6. Press OK and you will see you gpo console where you can apply user settings to the group of users you have selected  

r_localgpo15

Click on Picture for better Resolution

At this stage, you can test and configure your settings as required

GPOPacks and MLGPO

Here comes the tricky part.  !!

The localGPO tool allow you to combine GPOPack and MLGPO settings by using the switch /MLGPO.  However, the way you backup your GPO is a little bit tricky.  A lot of people make the same mistake (and it did as well in the beginning).  You configure all your MLGPOs, you check that everything is working as expected and you are ready to backup your localGPO.   When you have created you GPOPack, and apply this one, you will notice that the MLGPO settings are not applied.

This seems to be by design.  The localGPo tool allows you to backup only standard GPOs (no the MLGPO).  So, how do you do if you have to define computer settings and MLGPO settings and want to use them in a task sequences ?  The answer is that you will need to create multiple GPOPacks.  

  • If you have to configure computer settings, you set your local GPO settings for the computer and then you run the localGPO tool to create the GPOPack for the computer part
  • If you have to create a GPO that applies only to non-admin users, you configure your user settings GPO on the machine. When ready, create your GPOPack to create the user settings part.  You have to create the user settings using the standard gpedit.msc console (and not the one dedicated to the Non-admin users) because the localgpo tool will detect the gpo settings and will be able to create the gpopack.  If you configure your non-admin settings via the MLGPO (see section above  Multiple Local GPO), the tool will not detect GPO settings and you GPOPack will be empty

The other issue you will encounter is the task sequence.  As far as I know, you can only specify one GPOPack entry in your customsettings.ini file.  To overcome this “limitation”, we have a lot of options.  We could modity the ZtIApplyLocalGPO.wsf script to check for multiple GPOPack entries or you can simply decided not to use the default Apply local GPO Pack steps in the task sequence and create your own.  This is what we did.  Because we didn’t have much time, we have simply create a new “Run command Line” Step in the task sequence and create a batch file that would allow us to run mutliple GPOPack.

lgpo9

Click on Picture for better Resolution

 

The content of the batch file look like this.  The trick here is that you have to copy the GPOPacks locally on the machine being deployed.  If you don’t, you will get an error message and the GPOPack will not apply as expected.

 

lgpo8

Click on Picture for better Resolution

 

 

Final Notes

We finally were able to configure our Kiosk workstation and have it deployed through MDT and a custom task sequence.  In our Kiosk configuration, the command prompt was blocked and some people asked us how we did in order to create the GPOPack.  Indeed, if you remember, in order to have a valid GPOPack, we had to configure the GPO settings to be applied to all the users. So, even the administrators would have the restrications applied to their profile.  So, how did we do to get the GPOPack created ?  We simply created a scheduled task that would run each time a user logs in. This task was executing the command to create the GPOPack.  This is how we have created our GPOPack in a restricted environment.

I hope you enjoyed this post and that the information is clear enough to let you play with GPOPack whatever the situation you might encounter.

Till Next time

See ya

 

 

 

 

 

 

 

10 thoughts on “MDT 2012 – Apply Local GPO through Task sequence – Part II

  1. First off, thanks for the helpful guide!
    However, im running into a problem with my script located in User Config -> Windows Settings -> Scripts -> Logoff. I have a logoff script that i use to restart the computer when a user logs off and it stops working after i apply the GPO pack via MDT. While the script is still there it doesnt trigger when the user logs off. I believe that perhaps the GPO pack is “overwriting” this when the GPO pack is applied during deployment since the script is located on the base image. So my questions are; how can i prevent this from happening? Can i use mdt to add a script to the local gpo? Is there another non-third party solution to restarting a machine when the user logs off? Thanks in advance!

  2. Hello Ryan,
    The post explains how to create the Local GPO, how to export GPO and how to apply the gPO pack while deploying images…So, in theory, you should be able to import/export your local GPO and use them in the Task Sequence…
    You can use a scheduled task instead of the GPO To reboot the computer when the user logs off…..

    If you want to add your local GPO and deploy via MDT, You should follow the following steps
    1. deploy a machine
    2. apply the GPO you wanna use
    3. Export the GPO into a GPOPack
    4. Save the GPOPack in your MDT into the correct location
    5. Modify customSettings.ini file in order to tell MDT To use your custom GPOPack and not the default ones…
    6. Deploy and validate your solution

    It looks like you are not applying the correct GPOPack
    You can check which GPO applies to your machine by running the RSOP.MSC. If after the deployment, you run the rsop.msc and you do not see your GPOpack settings, this means that you have applied maybe another one or that there is an error in the mdt sequence but you should then see that (error message at the end of mdt wizard)

    Hope this help
    Till next time

    See ya

  3. Hello Griffon,

    I am a great fan of your work. I have a question for you. How do I convert a GPO Backup to a GPOPack?

    Jesse

  4. Hello Jesse,

    I do not know what exaclty you wanna you do but I would first point you to part I of the post (http://c-nergy.be/blog/?p=4298) if you didn’t read it yet.
    If you need to perform something more complicated (and I think you do); I would point you to the Security compliance Manager (SCM) whih can be used to import GPO Backup and export them into different formats. I would assume that you can export into local gpo

    Give it a try
    Thank for the visit and for the positive comments

    Till next time
    See ya

  5. hello,
    I only want to apply gpo setting to test1 user (standard user) I created GPO in (mmc), there are GPO setting for administrator user, when I created GPOback up, I reimaged the system with base operating system , base image has TEST1 user account, I tried to apply the gpo manually but it did not apply. any what am I missing

  6. Hello there,

    what’s the command line you are using to export you gpo pack ?
    can you try something like

    <%path_location%>\gpopack.wsf /Path:%Youpath% /MLGPO:test1

    and see if you get your settings exported and imported correctly

    hope this help
    till next time
    see ya

  7. Hi Griffon,

    Thanks a lot for this post. It work fine for everything except Logon/Logoff Script. It looks like as well when we run localgpo.wsf /restore on a machine it is not removing the local script when we add it manually.

    So this script is not backing up logon/logoff script? Have you any other idea to do that in a MDT TS?

    Thanks in Advance,

    Simon

  8. Hello Simon,

    Little bit busy right now… but let start by gathering some info…
    which script are your referring to (the one you add manually) ? can you provide a more detailed description of the issue you are having…
    are you configuring local gpo which includes logon/logoff script and they are not backed up and restored ? or is it something else

    waiting for your feedback
    Till next time
    See ya

  9. Hi! Thanks for you great tutorial. One thing I dont get is how you manage to have different GPO Packs for different Task Squences. How does MDT know which GPO pack I want it to use when I deploy Windows 10 and which to apply when I deploy Windows 7?

  10. HEllo KArl,

    This is part of the magic of MDT. MDT will apply GPO pack based on the operating system that has been detected.
    If you need to apply your own GPO Packs (and not using the default one), you will then to specify via rules (like described in the post) which one you want to install
    Using MDT, you can customize actions to be performed. IF you have complex scenario, you can create a script that check for OS and then apply the custom GPO Pack you want to use it

    Hope this help
    till next time
    See ya

Leave a Reply