How to generate a custom LGPO based on FDCC
One of my customers requires additional security settings beyond the OMB-mandated Federal Desktop Core Configuration (FDCC) and I need to apply the settings as local policy during the MDT build process so that disconnected systems still get a baseline of policy. So here's the process I used to generate the policy objects and then apply them to the build.
- Obtain the current version of Set_FDCC_LGPO.exe from the FDCC Team Blog.
- Install a generic build of Windows Vista on a test workstation, and log on as the local Administrator.
- Copy Set_FDCC_LGPO.exe to C:\Windows\security.
- Run the following command (mind the wrap):
start /wait C:\Windows\security\Set_FDCC_LGPO.exe /sec /log C:\Windows\security\logs\Set_FDCC_LGPO.log /error C:\Windows\security\logs\Set_FDCC_LGPO-error.log /boot
The system will automatically restart when the process completes (it's quick).
- Log on as renamed_admin (the FDCC-renamed Administrator account) with the same password as before.
- Copy GPOAccelerator to C:\Windows\security\GPOAccelerator.
- Elevate a command prompt and run the following command (mind the wrap):
cscript "C:\Windows\security\GPOAccelerator\Security Group Policy Objects\GPOAccelerator.wsf" /ConfigSCE
- Run gpedit.msc. Manually verify all current FDCC settings and apply all custom settings.
- Right-click Computer Configuration\Windows Settings\Security Settings and select Export Policy. Save as C:\Windows\security\templates\Local_Policy_20080228.inf.
- Run the following commands:
robocopy C:\Windows\System32\GroupPolicy C:\Windows\security\LGPO *.* /s /e
attrib -h C:\Windows\security\LGPO
- Copy CustomApplyLGPO-v3.cmd (see attached, rename) and CustomSetAuditPolicy-v2.cmd to \\mdtsrv\Distribution\Scripts.
- Copy LGPO and templates folders from C:\Windows\security to \\mdtsrv\Distribution\$OEM$\$$\security.
- Add the following to the appropriate task sequence:
  Type: Run Command Line
  Name: Custom Set Audit Policy
  Command Line: cmd /c "%SCRIPTROOT%\CustomSetAuditPolicy-v2.cmd" > C:\Windows\security\logs\CustomSetAuditPolicy.log 2>&1

  Type: Run Command Line
  Name: Custom Apply LGPO
  Command Line: cmd /c "%SCRIPTROOT%\CustomApplyLGPO-v3.cmd" > C:\Windows\security\logs\CustomApplyLGPO.log 2>&1
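The attached CustomApplyLGPO-v3.cmd is not reproduced above, so here is an illustrative batch script of what applying the exported LGPO and security template at build time involves. This is an added example, not the author's attached script: it assumes the LGPO and templates folders were staged under C:\Windows\security by $OEM$ as described, and the secedit database path, log file names and the secedit /analyze verification pass are my own choices.

```batch
@echo off
REM Illustrative apply script (constructed example, not the author's CustomApplyLGPO-v3.cmd).
REM Run elevated from an MDT "Run Command Line" step after $OEM$ has staged the files.
setlocal
set SECDIR=C:\Windows\security
set LGPOSRC=%SECDIR%\LGPO
set GPDIR=%SystemRoot%\System32\GroupPolicy
set TEMPLATE=%SECDIR%\templates\Local_Policy_20080228.inf
set SDB=%SECDIR%\Database\custom_lgpo.sdb
set LOGDIR=%SECDIR%\logs

REM Fail early if the staged artefacts are missing; a silent no-op here would leave
REM a disconnected machine without its baseline.
if not exist "%LGPOSRC%\Machine" (
    echo ERROR: staged LGPO folder "%LGPOSRC%" is missing or incomplete
    exit /b 1
)
if not exist "%TEMPLATE%" (
    echo ERROR: security template "%TEMPLATE%" not found
    exit /b 1
)
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

REM 1. Restore the registry-based local policy (registry.pol, GPT.ini, ...) captured
REM    earlier with robocopy. Exit codes of 8 or higher mean robocopy hit failures.
robocopy "%LGPOSRC%" "%GPDIR%" *.* /s /e /r:1 /w:1 /np
if errorlevel 8 (
    echo ERROR: robocopy failed restoring %GPDIR%
    exit /b 1
)
REM GroupPolicy is hidden on a stock build; put the attribute back.
attrib +h "%GPDIR%"

REM 2. Apply the exported security template (account policy, user rights,
REM    security options, audit policy) into the local security database.
secedit /configure /db "%SDB%" /cfg "%TEMPLATE%" /overwrite /quiet /log "%LOGDIR%\secedit-configure.log"
if errorlevel 1 (
    echo ERROR: secedit /configure returned %ERRORLEVEL%, see %LOGDIR%\secedit-configure.log
    exit /b 1
)

REM 3. Force a policy refresh so registry.pol settings take effect now rather than
REM    at the next background refresh.
gpupdate /force

REM 4. Verification pass: compare the live configuration against the template and
REM    keep the log with the build output so a mismatch is visible after imaging.
secedit /analyze /db "%SDB%" /cfg "%TEMPLATE%" /quiet /log "%LOGDIR%\secedit-analyze.log"
echo Local policy applied; review %LOGDIR%\secedit-analyze.log for mismatches.
endlocal
exit /b 0
```

Redirecting the step's output to a log, as the task sequence above already does, plus the secedit logs gives a record per machine of whether the baseline actually landed, which is what you want when the system may never contact a domain controller.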
If anyone can think of an easier/faster way to do any of the above, I welcome your comments.