Apply_LGPO_Delta 1.0: utility to apply custom changes to Local Policy

Apply_LGPO_Delta updated, v1.01

Federal Desktop Core Configuration — Thu, 19 Mar 2009 08:27:19 GMT

Apply_LGPO_Delta, a utility for automating the management of local group policy, is updated with a minor fix to prevent sharing-violation errors. The set of "starter" files is also updated.

re: Apply_LGPO_Delta 1.0: utility to apply custom changes to Local Policy

rliepins — Wed, 11 Feb 2009 19:32:33 GMT

Our Apply_LGPO_Delta application repeatedly produces the following error in the error log file:

Policy save failed; error code 0x80070020

The log file itself ends with the following:

----Un-initialize configuration engine...

SECEDIT.EXE exited with exit code 3

Any clues? It sounds similar to the errors the old version of Set_FDCC_LGPO was receiving.

Any help would be most appreciated.

[Aaron Margosis] Apologies for the delay. Apply_LGPO_Delta has now been updated with the same fix: http://blogs.technet.com/fdcc/pages/LGPO-Utilities.aspx

re: Apply_LGPO_Delta 1.0: utility to apply custom changes to Local Policy

rliepins — Tue, 09 Sep 2008 07:18:58 GMT

Another option to this is that the command scripts we created also included a command line ntbackup line to back up the system state. This could also be used to revert a system back to pre FDCC settings.

[Aaron Margosis] So... for Set_FDCC_LGPO there are two setting types that are applied:

security settings: these can be edited using secpol.msc and are applied to the system by Set_FDCC_LGPO using secedit.exe; and
true policy settings: these can be edited using gpedit.msc, and are applied to the system by Set_FDCC_LGPO using policy APIs.

To revert the security settings, which generally don't have a "not configured" that you can roll back to, the best approximation to a rollback is to run secedit.exe before applying FDCC settings to get a snapshot of the current system; then use that later to restore settings.

To revert the policy settings, simply set all the applied settings back to "not configured". One way to do that is to run Set_FDCC_LGPO with the /log option, then take the /log output and change it into an input file for Apply_LGPO_Delta, where all the settings that are applied get deleted.

Note that this will only be an approximation of a rollback, not a 100% rollback, and that it doesn't touch file ACL or service configuration settings.

re: Apply_LGPO_Delta 1.0: utility to apply custom changes to Local Policy

rliepins — Tue, 09 Sep 2008 07:16:06 GMT

I have been working extensively in the virtual environment for testing. It has been the best thing for this.

As for what has been created, the scripts I created were to automate the implementation of FDCC with our line office "exceptions" which are temporary at best, anyway. THe scripts to remove all the settings were worked on for those field systems that don't have any local IT support and give the end user a troubleshooting technique to revert their system back to default settings.

As I don't have enough expertise to take a snapshot of all settings, put them in a template file and revert to those settings, I did the research necessary to try to revert to as close as possible to XP default settings. It was a long process.

But these may be of use to people - to get a good understanding of what is happening under the hood. I'd still be willing to let everyone see what I set up. Plus it would help to get feedback. I just can't do it on a personal blog. I am sure there are some sort of federal ethics rules I would be bending.

How about setting up new blog entries to go over specific settings for the registry based template files and security templates. We could discuss various aspects of what settings could be reverted to, etc.

re: Apply_LGPO_Delta 1.0: utility to apply custom changes to Local Policy

tardboy21 — Tue, 09 Sep 2008 05:31:40 GMT

That is not the purpose, nor target market of the document proposed. It is simply for testing purposes. Also, no two applications are exactly the same. Looking at work someone else has done can help if a problem arises in the future with the FDCC (as many have already), and allow a quicker solution than having to wipe a system and re-image.

While most tools on this website are offered on the "AS-IS" basis, it had become my impression the objective of the forum was to offer better "understanding" through a variety of ways. Applying a different INF file and comparing would certainly help me as well as at least one other (Singood).

[Aaron Margosis] As I understood it, the request was for help composing scripts/templates to "undo" application of FDCC settings. In my work I strive for results that are accurate and complete, and in this case that is difficult to achieve at best. As I mentioned, IMHO there are better options. Using virtual machines with "undo disks" is actually faster than running "undo" scripts and gives you much cleaner results.

re: Apply_LGPO_Delta 1.0: utility to apply custom changes to Local Policy

Aaron Margosis — Tue, 09 Sep 2008 05:05:13 GMT

[Aaron Margosis] My apologies for delayed response. At this point we haven't opted to post anything that claims to revert FDCC settings to defaults, because it is difficult to assure that you are getting 100% reversion to pre-application state. This is especially true with the file ACL edits that FDCC applies on XP systems, as well as with security options.

The way I personally prefer to work for all my development and testing purposes is to use virtual machine technology (such as Virtual PC, Virtual Server, or Hyper-V) with "undo disks". This gives me guaranteed 100% reversion with no side effects from previous testing. On physical (non-virtual) systems, I prefer just wiping/loading from a well-defined repeatable deployment image.

For production systems, I don't understand why you would ever want to completely revert to defaults after applying FDCC settings.

re: Apply_LGPO_Delta 1.0: utility to apply custom changes to Local Policy

tardboy21 — Tue, 09 Sep 2008 04:11:41 GMT

if you would like rliepins, attach the documents and send them to my public profile email, and I can upload them to some web space for you an post a link. Just be sure you give me permission to distribute them in the email, and I will post the link here.

re: Apply_LGPO_Delta 1.0: utility to apply custom changes to Local Policy

rliepins — Mon, 08 Sep 2008 17:34:42 GMT

I tried contacting him regarding attaching the templates, but have heard no response back.

re: Apply_LGPO_Delta 1.0: utility to apply custom changes to Local Policy

Singood — Sat, 06 Sep 2008 00:13:18 GMT

Attachments might be an option - although I don't readily see how to do so...maybe A. Margosis might chime in and assist with providing all of us the ability to check out the rollback templates that rliepins developed?

re: Apply_LGPO_Delta 1.0: utility to apply custom changes to Local Policy

tardboy21 — Fri, 05 Sep 2008 21:04:01 GMT

You could post it on another URL and then post the link here. I would be very interested in taking a look at and testing the files a little myself.