As the February deadline approaches for the implementation of FDCC settings approaches, management of the FDCC Group Policy Objects (GPOs) is a common question Federal IT professionals (IT Pros) have today. FDCC GPO management spans a few areas, including settings review, initial import and linking, and ongoing import and linking. NIST and OMB have taken a very simple, systematic approach by providing exported GPOs with all of the FDCC settings included in them. This removes the need for Federal organizations to go through the previously cumbersome process of reading several hundred pages of settings and definitions and attempting to craft their own GPOs to contain these settings. This significantly reduces the time to implement and human error often associated with implementing any standards in Group Policy. This leaves many IT Pros with the question – How do I get these backed up GPOs into my organization’s Active Directory environment? First, let’s look at what we have.
Currently, when you download the quarterly zip file containing the GPOs (found at http://fdcc.nist.gov/download_fdcc.html), you will notice that there are three categories of FDCC GPOs:
1. Vista GPOs (found in the “\Vista” folder)
2. XP GPOs (found in the “\XP” folder)
3. Common GPOs (found in the “\Both” folder)
Note that in the future as new Windows platforms are released or are deprecated, the platform choices will likely change. The Vista and XP GPOs contain platform specific settings in the following GPOs:
· FDCC <Quarter> <Year> <Platform> Security Settings – Contains low level operating system security settings including User Rights Assignment, local audit policy, security options, services configuration and system ACLs
· FDCC <Quarter> <Year> <Platform>-Specific Additional Settings - Contains additional platform settings such as error reporting
· FDCC <Quarter> <Year> <Platform> Firewall Settings – Contains Domain and standard profile settings for the Windows Firewall
The “Common” GPOs contains settings which apply to either platform in the following GPOs:
· FDCC <Quarter> <Year> IE7 Settings – Contains Internet Explorer settings, including zone information, URL Action settings, etc
· FDCC <Quarter> <Year> Additional Settings - Contains behavioral settings for users and computers
· FDCC <Quarter> <Year> Account Policy – Contains settings such as Password policy, Kerberos policy, etc.
The key concept here is that if you are running one platform within your organization, such as Windows Vista, you would need to import six (6) GPOs in total – The platform specific GPOs and the Common GPOs. If you are running both platforms, you would import all nine (9) GPOs. If you only deploy the platform specific settings, you are only deploying half of the FDCC GPO solution, so take care to understand which GPOs contain which settings for your organization.
Now that we have an understanding of the GPOs included in the FDCC releases, how do we get them into our environment? First, you need to have the Group Policy Management Console (GPMC) running. For Windows Server 2003, the SP1 version of GPMC can be found here: http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en. For Windows Vista RTM and Windows Server 2008, this toolset is included in the platform. Once GPMC is installed, the following simple steps must be followed to import the settings in your environment:
Step 1: Create a new empty GPO
Step 2: Run the GPMC “Import Settings Wizard” by right-clicking the new GPO and selecting “Import Settings…” from the context menu
Step 3: Import the FDCC GPO settings into your new empty GPO
Step 4: Review the imported settings and link the new FDCC GPO accordingly
Note to manage and review the Vista FDDC GPOs in your Windows Server 2003 environment, you will need to establish the ADMX central store in your forest. Steps to do this are outlined here: http://technet2.microsoft.com/WindowsVista/en/library/02633470-396c-4e34-971a-0c5b090dc4fd1033.mspx?mfr=true.
While this procedure is all well and good, it can still be a bit cumbersome to create new GPOs and walk through the wizard over and over again. After all, we have to do this every quarter and depending on how many domains and forests you might have, this can be a daunting task. To help with that, I have written a little script to make it easy to import the FDCC GPOs based on the GPMC scripting examples provided with the GPMC download. It uses the object model from GPMC, so you will still need to ensure that GPMC is installed and working on your platform. The script is pretty simple and requires a single argument – the folder path where you unzipped the FDCC GPOs (specified in the PATH argument).
cscript Import_FDCC_GPO_v1.1.vbs /PATH:”C:\FDCC\FDCC-Q3-2007-Final-GPO-20070730\FDCC Q3 2007 Final GPOs”
The script takes a bit of the guesswork out of importing the FDCC GPOs. First, it enumerates the GPO folders in the FDCC download and allows you to choose which GPO you wish to import. Next, it enumerates the GPOs in the FDCC export and allows you to choose which GPO you wish to import. Once these choices are made, it creates a new empty GPO with a new GUID and the exact name of the FDCC GPO in your environment. After final confirmation, it then imports the settings found in the downloaded FDCC GPOs. An example of the script execution is provided below:
$cscript Import_FDCC_GPO_v1.1.vbs /PATH:"C:\FDCC\FDCC-Q3-2007-Final-GPO-20070730\FDCC Q3 2007 Final GPOs"
The following FDCC GPO Folders are available:
1) Both
2) Vista
3) XP
Enter the number of the FDCC GPO Folder you wish to import: 2
1) FDCC Q3 2007 Vista-Specific Additional Settings
2) FDCC Q3 2007 Vista Security Settings
3) FDCC Q3 2007 Vista Firewall Settings
Enter the number of the FDCC GPO you want to import: 2
STEP 1: Starting GPO Import for FDCC Q3 2007 Vista Security Settings...
Creating GPO...
New GPO created
STEP 2: Align new GPO to FDCC GPO for import ...
Found GPO "FDCC Q3 2007 Vista Security Settings" for importing
STEP 3: Import FDCC GPO? (y or n) y
Importing "FDCC Q3 2007 Vista Security Settings"...
"FDCC Q3 2007 Vista Security Settings" successfully imported.
Would you like to import another FDCC GPO from this path? (y or n)
Based on user input, the script will loop through all of the FDCC GPOs and import them individually. GPOs are not linked since each organization will first need to carefully review the imported settings and each Active Directory environment is obviously different. The script also takes two optional arguments: /? – to display the script help information and /v – to display verbose debugging information while the script executes.
Just as the NIST and OMB exported FDCC GPOs attempt to make implementation and standardization of the settings easier, this script should take some of the bite and guesswork out of importing these GPOs into your organization’s Active Directory environment. I have included the source for the script below. Enjoy and hopefully this helps get your organization headed in the right direction with respect to FDCC!
' =========================================
' = FDCC GPO Import Script
' = Version 1.1
' = Last updated 11:37 AM 12/1/2007
' = Joel Yoker <joely@microsoft.com>
' =========================================
'On error Resume Next
' strDbg toggles display messages on and off (VALUE: 1 = on, 0 = off)
If WScript.Arguments.Named.Exists("V") Then
WScript.Echo vbCrLf & "Debugging ON" & vbCrLf
strDbg = 1
Else
strDbg = 0
End If
' Ensure this script is being run from the command line by calling the IsCScript function
If Not IsCScript() Then
WScript.Echo WScript.ScriptName & " must be run with CScript."
Call DisplayUsage
WScript.Quit 1
End If
' Check and see what arguments were passed and perform the functions required
' per what arguments are passed. Arguments are documented in DisplayUsage subroutine
If WScript.Arguments.Named.Exists("?") Then
Call DisplayUsage
Else
If WScript.Arguments.Named.Exists("PATH") Then
strFDCCGPOPath = WScript.Arguments.Named.Item("PATH")
Call ImportFDCCGPO(strFDCCGPOPath)
Else
wscript.echo "ERROR: /PATH is required" & vbCRLF
Call DisplayUsage
End If
End If
' Subroutines
Sub ImportFDCCGPO(gpoBackupFolderFullPath)
'Create Objects
Set gpm = CreateObject("gpmgmt.gpm")
Set gpmConstants = gpm.GetConstants
Set RootDSE = GetObject("LDAP://RootDSE")
adsiDomain_DN = RootDSE.Get("DefaultNamingContext")
dnsDomain = ConvertToDNS(adsiDomain_DN)
'Create a GPM domain object
set gpmDomain = gpm.GetDomain(dnsDomain,"",gpmConstants.UsePDC)
wscript.echo "The following FDCC GPO Folders are available: "
' Initialize strChoice
strChoice = "y"
' Get the Folder of the GPOs to restore
strFolderPath = gpoBackupFolderFullPath
arrSF = EnumSubFolders(strFolderPath)
For i = 0 to Ubound(arrSF)
rs1 = i + 1 & ") "
rs1 = rs1 & arrSF(i)
WScript.Echo rs1
Next
WScript.Stdout.write vbCrLf & "Enter the number of the FDCC GPO Folder you wish to import: "
rs1 = int(WScript.StdIn.ReadLine)
If strDbg <> 0 Then WScript.Echo
'If strDbg <> 0 Then WScript.Echo "** Choice: " & rs1
restoreGPOFolder_ID = rs1 - 1
'If strDbg <> 0 Then WScript.Echo "** FolderArray number: " & restoreGPOFolder_ID
gpoBackupSubFolder = arrSF(restoreGPOFolder_ID)
If strDbg <> 0 Then WScript.Echo "** Subfolder: " & gpoBackupSubFolder
gpoBackupFolderFullPath = gpoBackupFolderFullPath & "\" & gpoBackupSubFolder
If strDbg <> 0 Then WScript.Echo "** New GPO Backup Path: " & gpoBackupFolderFullPath
If strDbg <> 0 Then WScript.Echo
do while strChoice <> "n"
' Get the GPOs in the folder
set gpmBackupSearchCriteria = gpm.CreateSearchCriteria()
gpmBackupSearchCriteria.Add gpmConstants.SearchPropertyBackupMostRecent, gpmConstants.SearchOPEquals, True
Set gpmBackupDir = gpm.GetBackupDir(gpoBackupFolderFullPath)
Set gpmBackup_List = gpmBackupDir.SearchBackups(gpmBackupSearchCriteria)
For i=1 To gpmBackup_List.Count
With gpmBackup_List.Item(i)
rs = i & ") "
rs = rs & .GPODisplayName
End With
WScript.Echo rs
Next
WScript.Stdout.write vbCrLf & "Enter the number of the FDCC GPO you want to import: "
rs = int(WScript.StdIn.ReadLine)
If rs >= 1 AND rs <= gpmBackup_List.Count Then
restoreGPO_ID = gpmBackup_List.item(rs).ID
set gpmImportGPO = gpmBackupDir.GetBackup(restoreGPO_ID)
importGPODisplayName = gpmImportGPO.GPODisplayName
WScript.Echo vbCrLf & "STEP 1: Starting GPO Import for " & importGPODisplayName & "..."
Else
WScript.Echo vbCrLf & "Please run the script again and select a number in the displayed range."
WScript.Quit()
End If
If strDbg <> 0 Then WScript.Echo "Importing into " & adsiDomain_DN
' Create a new GPO with the name of the GPO selected
wscript.echo " Creating GPO..."
strNewGPODisplayName = importGPODisplayName
Set objNewGPO = gpmDomain.CreateGPO()
objNewGPO.DisplayName = strNewGPODisplayName
If strDbg <> 0 Then wscript.echo vbCrLf
If strDbg <> 0 Then wscript.echo "----CREATING NEW GPO----"
If strDbg <> 0 Then wscript.echo "--Name: " & objNewGPO.DisplayName
If strDbg <> 0 Then wscript.echo "--GUID: " & objNewGPO.ID
If strDbg <> 0 Then wscript.echo "--Path: " & objNewGPO.Path
If strDbg <> 0 Then wscript.echo "------------------------"
wscript.echo " New GPO created"
'Search the production domain to verify that a GPO of the same name exists
WScript.Echo vbCrLf & "STEP 2: Align new GPO to FDCC GPO for import ..."
set gpmGPOSearchCriteria = gpm.CreateSearchCriteria()
'gpmGPOSearchCriteria.Add gpmConstants.SearchPropertyGPODisplayName, gpmConstants.SearchOPContains, cstr(importGPODisplayName)
gpmGPOSearchCriteria.Add gpmConstants.SearchPropertyGPOID, gpmConstants.SearchOpEquals, objNewGPO.ID
set gpmProductionGPOCollection = gpmDomain.SearchGPOs(gpmGPOSearchCriteria)
If gpmProductionGPOCollection.count = 1 Then
WScript.Echo " Found GPO " & Chr(34) & objNewGPO.DisplayName & Chr(34) & " for importing"
For Each item In gpmProductionGPOCollection
If strDbg <> 0 Then wscript.echo vbCrLf
If strDbg <> 0 Then wscript.echo "----FOUND GPO----"
If strDbg <> 0 Then wscript.echo "--GUID: " & item.ID
If strDbg <> 0 Then wscript.echo "-----------------"
set gpmProductionGPO = item
Next
Else
wscript.echo " Unable to find " & objNewGPO.DisplayName & " in " & adsiDomain_DN
wscript.quit
End If
WScript.StdOut.Write vbCrLf & "STEP 3: Import FDCC GPO? (y or n) "
rs = wscript.StdIn.ReadLine
If StrComp(rs,"y",vbTextCompare) = 0 Then
WScript.Echo " Importing " & Chr(34) & objNewGPO.DisplayName & Chr(34) & "..."
Set gpmResult = gpmProductionGPO.Import(0,gpmImportGPO)
Set gpmResult_Status = gpmResult.Status
If gpmResult_Status.count <> 0 Then
For i=1 to gpmResult_Status.Count
WScript.Echo gpmResult_Status.Item(i).Message
Next
gpmResult.OverallStatus()
Else
WScript.Echo " " & Chr(34) & objNewGPO.DisplayName & Chr(34) & " successfully imported."
End If
Else
WScript.Echo " Operation aborted. Exiting..."
End If
' Prompt to see if we need to loop again
WScript.StdOut.Write vbCrLf & "Would you like to import another FDCC GPO from this path? (y or n) "
strChoice = wscript.StdIn.ReadLine
wscript.echo vbCrLf
Loop
wscript.echo "Exiting FDCC GPO import script"
End Sub
Sub DisplayUsage()
' Documents every named argument and how the script is to be used
WScript.Echo "USAGE: cscript.exe //nologo " & WScript.ScriptName & " [/OPTIONS]" & _
VbCrLf & _
VbCrLf & "Script to import FDCC Group Policy Objects (GPO)" & _
VbCrLf & "into a given Active Directory domain. (Note: Requires" & _
VbCrLf & "administrative rights to perform the action)" & _
VbCrLf & _
VbCrLf & "Enumerates FDCC GPO backups, creates new GPO with " & _
VbCrLf & "same name, and imports FDCC settings into new GPO" & _
VbCrLf & _
VbCrLf & "Switches:" & _
VbCrLf & "/PATH (required) - The path of the FDCC GPOs" & _
VbCrLf & _
VbCrLf & "Examples: " & _
VbCrLf & "To specify that FDCC GPO subfolders were extracted" & _
VbCrLf & "to a folder called C:\FDCC type the following:" & _
VbCrLf & _
VbCrLf & "cscript " & WScript.ScriptName & " /PATH:C:\FDCC\FDCC-Q3-2007-Final-GPO-20070730\FDCC Q3 2007 Final GPOs" & _
VbCrLf & _
VbCrLf
wscript.quit
End Sub
' Functions
Function ConvertToDNS(distinguishedName)
' ConvertToDNS - Converts the DN of a domain to a FQDN
'Skip past the first "DC=" in the DN
initialStrip = Mid(distinguishedName,4)
'Replace the remaining typeful prefixes with periods
rs = Replace(initialSTrip,",dc=",".",1,-1,1)
'Return the FQDN
ConvertToDNS = rs
End Function
Function EnumSubFolders(strFolderPath)
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFolder = objFSO.GetFolder(strFolderPath)
Set objSubFolder = objFolder.SubFolders
intSize = 0
For Each folder in objSubFolder
ReDim Preserve arrSubFolders(intSize)
arrSubFolders(intSize) = folder.name
intSize = intSize + 1
Next
EnumSubFolders = arrSubFolders
End Function
Function IsCScript()
' This function returns whether the script is being run from cscript (command line)
Dim objRegExp
Set objRegExp = New RegExp
objRegExp.IgnoreCase = True
objRegExp.Pattern = "cscript.exe$"
IsCScript = objRegExp.Test(WScript.FullName)
Set objRegExp = Nothing
End Function
