MDT 2012 – Apply Local GPO through Task sequence – Part II


Hello World,

In the previous post on MDT and local GPOs, we explained how to get the tool that lets you back up and restore local GPOs, and we briefly described how to use it. In this post, we want to show how to apply local GPOs and integrate them into an MDT task sequence. If you are ready, let's go!

Prepare your Computer with your local GPOs

Step 1 – Create your local GPO

Here we look at the most common scenario found in corporate organizations: the workstations are not joined to a domain, but the IT department still needs a standard configuration on these standalone laptops or workstations. That standard configuration can be achieved with Group Policy. If the machines are joined to a domain, you should not bother with local GPOs: the domain GPOs are processed after the local one and will apply and configure the required settings anyway.

In our scenario, let's imagine that management has decided to block access to the Registry Editor for all users. You need to configure a local policy for that. To configure this basic local policy, perform the following actions:

Step 1 – From the Start menu, type gpedit.msc. The Local Group Policy Editor console should open.

Step 2 – Expand User Configuration -> Administrative Templates -> System and locate the setting "Prevent access to registry editing tools".

Step 3 – Double-click it to open the configuration page. Select the Enabled radio button and press OK.


Step 4 – Log off and log on again, or run gpupdate /force from a command prompt.

Step 5 – Try to open the Registry Editor (type regedit from the Start menu). You should see a dialog box stating that registry editing has been disabled by your administrator.


Note:

Here we have configured a user policy, which applies to every user who logs on to this computer. You can also configure computer policies, which apply to the machine itself no matter which user logs on.
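As an added example (not part of the original post), the following PowerShell script checks the registry values that local policy writes, which is a scriptable alternative to opening regedit in Step 5 and is the same check you will want to run on a machine after MDT has applied a GPOPack. It assumes the documented registry location of the "Prevent access to registry editing tools" setting (DisableRegistryTools under the per-user Policies\System key); the table of expected values is constructed for this example and should be extended with whatever other settings you put into your local GPO. Run it in the context of the user whose policy you want to verify, because user policy lands in that user's HKCU hive, not in the hive of the administrator running the test.

```powershell
# Added example, not code from the original post.
# Verifies that local policy settings actually reached the registry.
# Assumption: "Prevent access to registry editing tools" writes
# DisableRegistryTools=1 (or 2) under HKCU\...\Policies\System; that is the
# value regedit.exe checks before refusing to start.

function Test-LocalPolicyValue {
    param(
        [Parameter(Mandatory)] [string]   $Path,     # registry path, PowerShell drive syntax
        [Parameter(Mandatory)] [string]   $Name,     # value name under that key
        [Parameter(Mandatory)] [object[]] $Expected  # any of these values counts as "in effect"
    )
    $actual = $null
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $actual = $item.$Name }
    [pscustomobject]@{
        Name     = $Name
        Path     = $Path
        Expected = ($Expected -join '|')
        Actual   = $actual
        Ok       = ($null -ne $actual -and $Expected -contains $actual)
    }
}

# Constructed table of expected values: the one setting configured in the post.
# Add one entry per setting you export into the GPOPack.
$policyChecks = @(
    @{ Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'DisableRegistryTools'
       Expected = @(1, 2) }
)

# Same refresh as Step 4 in the post, so the check sees current policy.
gpupdate.exe /force | Out-Null

$results = foreach ($check in $policyChecks) { Test-LocalPolicyValue @check }
$results | Format-Table Name, Expected, Actual, Ok -AutoSize

if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more local policy settings are not in effect for this user.'
    exit 1
}
exit 0
```

The script exits with 1 when any expected value is missing or different, so it can be dropped into a post-deployment validation step or a scheduled task without anyone having to read the table by eye.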

 

You can configure additional settings with gpedit.msc. For example, we have (arbitrarily) configured the following GPO settings.


Step 2 – Export (or backup) the local gpos

We assume that the LocalGPO tool is already installed on your reference workstation. If not, please read the previous post to install the tool needed to import/export local GPOs.

As explained in that post, we can export the local GPO with the LocalGPO tool. Because we want to use the GPO backup with MDT, we will create a GPOPack. To create the GPOPack, perform the following actions:

Step 1 – Open an elevated command prompt and browse to C:\Program Files (x86)\LocalGPO\

Step 2 – To create a GPOPack that can be used with MDT, type the following command:

cscript localgpo.wsf /Path:<%location_for_GPO_pack%>  /Export /GPOPack:<%Name of the GPOPack%>


Step 3 – Go to the location where you chose to store your GPOPack; you should see something similar to this inside the folder.


Step 4 – You can test your GPOPack manually, to make sure it contains the GPO settings you need, by running the following command on a test machine:

cscript <%Location_GPoPack%>\Gpopack.wsf

You will see a dialog box asking whether you are sure you want to apply the GPOPack. Press Yes to apply it.


To get rid of the dialog box (useful when automating the process), simply append the /silent switch (i.e. cscript <%Location_GPoPack%>\Gpopack.wsf /silent). This is the form the task sequence will use, since nobody is there to click Yes during a deployment.

At this stage, you are ready to move this GPOPack to your MDT server and integrate it into your task sequence. That is exactly what the next step goes through.

Step 3 – Configure your MDT To process your GPOPacks

The first thing to do is copy the GPOPack you created to the correct location. MDT already ships with some GPOPacks, stored in the following location: <%DriveLetter%>\DeploymentShare\Templates\GPOPacks


Copy your custom GPOPack into this location to make it available to the MDT server. In our case, we have created two additional GPOPacks.


The final step before deploying our build is to let the MDT server know that a custom GPOPack is available. To tell MDT to use the custom GPOPack, you simply add a single line to the CustomSettings.ini file. Perform the following actions:

Step 1 – Open the Deployment Workbench console

Step 2 – Right-click your deployment share and select Properties

Step 3 – In the properties page, click the Rules tab

Step 4 – To have MDT use your custom GPOPack, add the following line: GPOPack=<%Name of your GPOPack%>


Step 5 – By default, the MDT task sequence templates already include an Apply Local GPO Package step, but it is worth checking that the step is present and enabled in the task sequence you deploy with.

At this stage, you are done! You have configured your MDT server to apply a custom local GPO during deployment.
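For reference, this is what the rules file looks like once the line from Step 4 is in place. It is an added illustration, not the post's own CustomSettings.ini, and the pack name Kiosk-Computer is hypothetical; the other lines are the usual skeleton MDT generates. The GPOPack line belongs in the [Default] section, or in any other section that your Priority order selects, which is also how you point different hardware or operating system sections at different packs.

```ini
; Added illustration, not the rules file from the original post.
; Only the lines relevant to the GPOPack setting are shown; keep your
; existing Skip* and credential lines as they are.
[Settings]
Priority=Default

[Default]
OSInstall=Y
; Folder name under <DeploymentShare>\Templates\GPOPacks (hypothetical name)
GPOPack=Kiosk-Computer
```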

Special Case – Internet Kiosk Configuration

So far, we have seen the standard scenario where the GPO is the same for all users. If you remember, in this post I was working with some friends to deploy and configure an Internet kiosk computer. To meet the requirements, we configured the computer with Multiple Local GPOs (MLGPO). MLGPO allows you to apply different GPO settings to different users. In our scenario, local administrators needed full access to the desktop environment and no restrictions on the administrative tools. Standard users, on the other hand, would only have access to a limited set of functionality. Because we were building an Internet kiosk, a standard user logging on to the machine would get Internet Explorer as the desktop shell and no access to the Control Panel, command prompt, registry tools, and so on. The standard user would have really limited functionality.

Multiple Local GPO

Normally, to configure MLGPO, you configure one GPO for standard users and one for administrators. To configure MLGPO, perform the following actions:

1. From the Start menu, run mmc.exe (with elevated privileges)

2. In the MMC console menu, select File -> Add/Remove Snap-in

3. Select the Group Policy Object Editor snap-in and press the Add button

4. On the welcome page of the Group Policy wizard, click Browse

5. On the Browse page, click the Users tab and select the user or the group of users (Administrators or Non-Administrators) to which you want the GPO to apply

6. Press OK and you will see the GPO console, where you can configure user settings for the user or group you selected

At this stage, you can configure and test your settings as required.

GPOPacks and MLGPO

Here comes the tricky part!

The LocalGPO tool lets you combine GPOPacks and MLGPO settings using the /MLGPO switch. However, the way you back up your GPO is a little tricky. A lot of people make the same mistake (and I did as well in the beginning). You configure all your MLGPOs, you check that everything works as expected and you are ready to back up your local GPO. When you create your GPOPack and apply it, you will notice that the MLGPO settings are not applied.

This seems to be by design: the LocalGPO tool backs up only the standard local GPO (not the MLGPOs). So what do you do if you have to define both computer settings and MLGPO settings and want to use them in a task sequence? The answer is that you need to create multiple GPOPacks.

  • If you have to configure computer settings, set your local GPO settings for the computer and then run the LocalGPO tool to create the GPOPack for the computer part.
  • If you have to create a GPO that applies only to non-admin users, configure the user settings on the machine and, when ready, create the GPOPack for the user settings part. You have to create these user settings with the standard gpedit.msc console (not the MLGPO console dedicated to Non-Administrators), because only then does the LocalGPO tool detect the settings and produce a usable GPOPack. If you configure your non-admin settings via MLGPO (see the Multiple Local GPO section above), the tool will not detect the GPO settings and your GPOPack will be empty.

The other issue you will encounter is the task sequence. As far as I know, you can only specify one GPOPack entry in your CustomSettings.ini file. To overcome this "limitation", there are several options. You could modify the ZTIApplyGPOPack.wsf script to check for multiple GPOPack entries, or you can simply decide not to use the default Apply Local GPO Package step in the task sequence and create your own. This is what we did. Because we didn't have much time, we simply created a new "Run Command Line" step in the task sequence and wrote a batch file that runs multiple GPOPacks.


The content of the batch file looks like this. The trick is that you have to copy the GPOPacks locally onto the machine being deployed. If you don't, you will get an error message and the GPOPack will not apply as expected.
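The following PowerShell script is an added example of the same idea (it is not the batch file from the original post): copy each GPOPack from the deployment share to the local disk, run it silently, and fail the step if any pack fails. It assumes that the task sequence exposes the deployment share as %DEPLOYROOT% (the usual MDT variable), that the pack folder names Kiosk-Computer and Kiosk-NonAdminUsers exist under Templates\GPOPacks (hypothetical names, matching the computer pack and user pack described above), and that a non-zero exit code from cscript means the pack did not apply.

```powershell
# Added example, not the batch file from the original post.
# Copies each GPOPack from the deployment share to the local disk and runs it
# silently, because GPOPack.wsf fails when executed straight from the share.
# Assumptions: the MDT task sequence exposes the share as %DEPLOYROOT%; the
# pack folder names below are hypothetical; a non-zero cscript exit code is
# treated as a failure of that pack.
param(
    [string]   $Source = (Join-Path $env:DEPLOYROOT 'Templates\GPOPacks'),
    [string]   $Local  = (Join-Path $env:SystemDrive 'GPOPacks'),
    [string[]] $Packs  = @('Kiosk-Computer', 'Kiosk-NonAdminUsers')  # applied in this order
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Local -Force | Out-Null
$failed = @()

foreach ($pack in $Packs) {
    $src = Join-Path $Source $pack
    $dst = Join-Path $Local  $pack
    if (-not (Test-Path (Join-Path $src 'GPOPack.wsf'))) {
        Write-Warning "GPOPack '$pack' not found under $Source"
        $failed += $pack
        continue
    }

    # Local copy first: running GPOPack.wsf from the share is what produces
    # the error mentioned in the post. Start from a clean folder each time.
    if (Test-Path $dst) { Remove-Item -Path $dst -Recurse -Force }
    Copy-Item -Path $src -Destination $dst -Recurse -Force

    $wsf  = Join-Path $dst 'GPOPack.wsf'
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\cscript.exe" `
        -ArgumentList @('//nologo', "`"$wsf`"", '/silent') `
        -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        Write-Warning "GPOPack '$pack' returned exit code $($proc.ExitCode)"
        $failed += $pack
    } else {
        Write-Host "Applied GPOPack '$pack'"
    }
}

if ($failed.Count -gt 0) {
    Write-Warning "Failed GPOPacks: $($failed -join ', ')"
    exit 1   # a non-zero exit makes the task sequence step report failure
}
exit 0
```

To use it, save the script in the deployment share's Scripts folder and call it from the Run Command Line step with something like powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%SCRIPTROOT%\Apply-GPOPacks.ps1" (script name and the use of %SCRIPTROOT% are assumptions here). Keep the computer pack first in the list so that the user settings pack is layered on top of it, and keep the exit codes: a silently ignored failure is exactly how a kiosk ends up deployed without its restrictions.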

 


Final Notes

We were finally able to configure our kiosk workstation and deploy it through MDT with a custom task sequence. In our kiosk configuration the command prompt was blocked, and some people asked us how we managed to create the GPOPack. Indeed, if you remember, to get a valid GPOPack we had to configure the GPO settings so that they apply to all users, so even the administrators had the restrictions applied to their profile. So how did we get the GPOPack created? We simply created a scheduled task that runs each time a user logs on, and that task executed the command to create the GPOPack. This is how we created our GPOPack in a restricted environment.

I hope you enjoyed this post and that the information is clear enough to let you play with GPOPacks whatever situation you encounter.

Till Next time

See ya


10 thoughts on “MDT 2012 – Apply Local GPO through Task sequence – Part II”

  1. First off, thanks for the helpful guide!
    However, I'm running into a problem with my script located in User Config -> Windows Settings -> Scripts -> Logoff. I have a logoff script that I use to restart the computer when a user logs off, and it stops working after I apply the GPO pack via MDT. While the script is still there, it doesn't trigger when the user logs off. I believe that perhaps the GPO pack is "overwriting" this when the GPO pack is applied during deployment, since the script is located on the base image. So my questions are: how can I prevent this from happening? Can I use MDT to add a script to the local GPO? Is there another non-third-party solution to restarting a machine when the user logs off? Thanks in advance!

  2. Hello Ryan,
    The post explains how to create the local GPO, how to export the GPO and how to apply the GPOPack while deploying images... So, in theory, you should be able to import/export your local GPO and use it in the task sequence...
    You can use a scheduled task instead of the GPO to reboot the computer when the user logs off.....

    If you want to add your local GPO and deploy it via MDT, you should follow these steps:
    1. Deploy a machine
    2. Apply the GPO you want to use
    3. Export the GPO into a GPOPack
    4. Save the GPOPack in the correct location on your MDT server
    5. Modify the CustomSettings.ini file in order to tell MDT to use your custom GPOPack and not the default ones...
    6. Deploy and validate your solution

    It looks like you are not applying the correct GPOPack.
    You can check which GPO applies to your machine by running RSOP.MSC. If, after the deployment, you run rsop.msc and you do not see your GPOPack settings, this means that you have maybe applied another one, or that there is an error in the MDT sequence (but you should then see an error message at the end of the MDT wizard).

    Hope this help
    Till next time

    See ya

  3. Hello Griffon,

    I am a great fan of your work. I have a question for you. How do I convert a GPO Backup to a GPOPack?

    Jesse

  4. Hello Jesse,

    I do not know exactly what you want to do, but I would first point you to part I of the post (http://c-nergy.be/blog/?p=4298) if you didn't read it yet.
    If you need to perform something more complicated (and I think you do), I would point you to the Security Compliance Manager (SCM), which can be used to import GPO backups and export them into different formats. I would assume that you can export into local GPO.

    Give it a try
    Thank for the visit and for the positive comments

    Till next time
    See ya

  5. hello,
    I only want to apply GPO settings to the test1 user (standard user). I created the GPO in MMC; there are GPO settings for the administrator user. When I created the GPO backup, I reimaged the system with the base operating system. The base image has the TEST1 user account. I tried to apply the GPO manually but it did not apply. Any idea what I am missing?

  6. Hello there,

    What's the command line you are using to export your GPO pack?
    Can you try something like

    <%path_location%>\gpopack.wsf /Path:%Youpath% /MLGPO:test1

    and see if you get your settings exported and imported correctly

    hope this help
    till next time
    see ya

  7. Hi Griffon,

    Thanks a lot for this post. It works fine for everything except the logon/logoff script. It also looks like, when we run localgpo.wsf /restore on a machine, it is not removing the local script that we added manually.

    So this script is not backing up logon/logoff scripts? Do you have any other idea to do that in an MDT TS?

    Thanks in Advance,

    Simon

  8. Hello Simon,

    A little bit busy right now... but let's start by gathering some info...
    Which script are you referring to (the one you added manually)? Can you provide a more detailed description of the issue you are having?
    Are you configuring a local GPO which includes logon/logoff scripts, and they are not backed up and restored? Or is it something else?

    waiting for your feedback
    Till next time
    See ya

  9. Hi! Thanks for your great tutorial. One thing I don't get is how you manage to have different GPO Packs for different Task Sequences. How does MDT know which GPO pack I want it to use when I deploy Windows 10 and which to apply when I deploy Windows 7?

  10. Hello Karl,

    This is part of the magic of MDT. MDT will apply the GPO pack based on the operating system that has been detected.
    If you need to apply your own GPO Packs (and not use the default ones), you will then need to specify via rules (as described in the post) which one you want to install.
    Using MDT, you can customize the actions to be performed. If you have a complex scenario, you can create a script that checks for the OS and then applies the custom GPO Pack you want to use.

    Hope this help
    till next time
    See ya
