Tip: Use Group Policy and the Scwcmd Tool to Deploy Security Policies

In an organization with many computers, you probably won’t want to apply security policy to each computer separately. You may want to apply security policies through Group Policy, and you may want to create computer OUs for this purpose.

Once you’ve created the necessary OUs, you can use the transform command in the Scwcmd utility to create a GPO that includes the settings in the security policy (and any security templates attached to the policy). You can then deploy the settings to computers by linking the new GPO to the appropriate OU or OUs.

Use the following syntax to transform a security policy:

scwcmd transform /p:FullFilePathToSecurityPolicy /g:GPOName


Here, FullFilePathToSecurityPolicy is the full path to the security policy’s .xml file and GPOName is the display name for the new GPO. For example:

scwcmd transform /p:"c:\users\wrs\documents\fspolicy.xml" /g:"FileServer GPO"

When you’ve created the GPO, you can link it to an OU by following these steps:
1. In the GPMC, select the OU you want to work with. In the right pane, the Linked Group Policy Objects tab shows the GPOs that are currently linked to the selected OU (if any).
2. Right-click the OU to which you want to link the previously created GPO, and then select “Link an Existing GPO”. In the Select GPO dialog box, select the GPO you want to link to, and then click OK.
3. When Group Policy is refreshed for computers in the applicable OU, the policy settings in the GPO are applied.

Because you’ve created a new GPO and then linked the GPO to the appropriate level in the Active Directory structure, you can recover the computers to their original state by removing the link to the GPO. To remove a link to a GPO, follow these steps:
1. In the GPMC, select and then expand the OU you want to work with. In the right pane, the Linked Group Policy Objects tab shows the GPOs that are currently linked to the selected OU.
2. Right-click the GPO. On the shortcut menu, the Link Enabled option has a checkmark to show the link is enabled. Clear this option to disable the link, and then remove the link so the GPO no longer applies to the OU.
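The same workflow scripted end to end, as an added example that is not part of the original tip or of the book it comes from: the scwcmd transform call from the text, followed by the link, review, and rollback steps done with the GroupPolicy PowerShell module instead of the GPMC. It assumes the GroupPolicy module is available (Windows Server 2008 R2 or later, or RSAT), and the policy file path and OU distinguished name are placeholders you would replace with your own.

```powershell
# Added example (not from the original tip). Assumes the GroupPolicy module
# is installed and that $PolicyFile and $TargetOU (placeholders) exist.
Import-Module GroupPolicy

$PolicyFile = 'C:\Users\wrs\Documents\fspolicy.xml'   # SCW policy saved earlier (placeholder path)
$GpoName    = 'FileServer GPO'
$TargetOU   = 'OU=File Servers,DC=example,DC=com'     # placeholder OU distinguished name

# 1. Transform the SCW policy (and any attached security templates) into a new GPO.
if (-not (Test-Path $PolicyFile)) { throw "Policy file not found: $PolicyFile" }
& scwcmd.exe transform /p:"$PolicyFile" /g:"$GpoName"
if ($LASTEXITCODE -ne 0) { throw "scwcmd transform failed with exit code $LASTEXITCODE" }

# Confirm the GPO now exists in the domain before touching any links.
$gpo = Get-GPO -Name $GpoName -ErrorAction Stop
"Created GPO '{0}' ({1})" -f $gpo.DisplayName, $gpo.Id

# 2. Link the GPO to the target OU with the link disabled, so the settings can be
#    reviewed before any computer in the OU picks them up at its next refresh.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled No | Out-Null
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\FileServerGPO-report.html"

# Enable the link once the report looks right; computers apply it on their next refresh.
Set-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# Show what is linked at the OU, as the Linked Group Policy Objects tab in the GPMC would.
(Get-GPInheritance -Target $TargetOU).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# 3. Rollback: disabling the link (the same as clearing "Link Enabled") stops the GPO
#    from applying without deleting it; Remove-GPLink removes the link from the OU.
#    The GPO itself is left in place, so it can be re-linked later.
# Set-GPLink    -Name $GpoName -Target $TargetOU -LinkEnabled No
# Remove-GPLink -Name $GpoName -Target $TargetOU
```

Linking with the link disabled first, then reviewing the HTML report from Get-GPOReport, is the cheap check that the transform produced the settings you expected before a whole OU of servers receives them. On a member computer, gpresult /r after the next refresh confirms whether the new GPO was applied.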

From the Microsoft Press book Microsoft Windows Server 2008 Administrator’s Pocket Consultant by William R. Stanek.
