In earlier posts I showed how to script the local group policy object.

Here is a post from Microsoft's USGCB Tech Blog that shows another method:

Set_FDCC_LGPO for Windows 7…

Here is the important part of the blog post:

Here's all you need to do:

- Extract the combined GPO zip file downloaded from NIST's site to your hard drive. To follow this example, extract it into C:\USGCB. (Note: don't just download the zip file – extract its contents into C:\USGCB and retain the folder structures.)
- Copy ImportRegPol.exe and Apply_LGPO_Delta.exe into C:\USGCB.
- Using Notepad or any other text editor (I use vi.exe, believe it or not), create a PowerShell script called ApplyUSGCB.ps1 in C:\USGCB with the following commands, which you can copy and paste directly from here:


<figure class="highlight"><pre><code class="language-powershell" data-lang="powershell"># Computer Configuration administrative templates: every registry.pol under a \Machine\ folder
dir -recurse -include registry.pol |
?{ $_.FullName.Contains("\Machine\") } |
%{ cmd /c start /wait .\importregpol.exe -m $_ /log .\Policies.log }

# User Configuration administrative templates: every registry.pol under a \User\ folder
dir -recurse -include registry.pol |
?{ $_.FullName.Contains("\User\") } |
%{ cmd /c start /wait .\importregpol.exe -u $_ /log .\Policies.log }

# Security templates (account, audit and user-rights settings)
dir -recurse -include GptTmpl.inf |
%{ cmd /c start /wait .\Apply_LGPO_Delta.exe $_ /log .\SecTempl.log }

# Site-specific customizations last, then reboot
.\Apply_LGPO_Delta.exe .\Deltas.txt /log .\Deltas.log /boot</code></pre></figure>

Here's how it works: The first command (which spans the first three lines) recursively searches for registry.pol files that have a full path including the text “\Machine\”; these are Computer Configuration administrative template files. Each one is imported into Computer Configuration using ImportRegPol.exe with results logged to Policies.log. The “cmd /c start /wait” is needed because ImportRegPol and Apply_LGPO_Delta are not console applications, but we want the script to wait for the commands to complete before continuing the script. The second command does the same, but looking for User Configuration administrative templates under “\User\” folders. The third command searches for GptTmpl.inf security templates and applies them with Apply_LGPO_Delta, logging detailed results to SecTempl.log. The last command applies your policy customizations (see below), logging results to Deltas.log, and then rebooting.

- Create a Deltas.txt file listing any modifications you want to make to the NIST-provided GPOs. I have attached the Deltas.txt that I often use for my own work to this blog post (you will probably need at least the WindowsFirewall changes it includes). The file must adhere to the Apply_LGPO_Delta file format (a simple text format described in the Apply_LGPO_Delta documentation). There are some other sample files you can use here.
- You're ready to go! Start PowerShell with administrative rights, and run the following commands:


<figure class="highlight"><pre><code class="language-powershell" data-lang="powershell">Set-ExecutionPolicy RemoteSigned

cd C:\USGCB

.\ApplyUSGCB.ps1</code></pre></figure>

The Set-ExecutionPolicy command needs to be configured only once. By default, PowerShell lets you run individual commands but not scripts. Setting the execution policy to RemoteSigned allows local unsigned scripts to run, but requires that any downloaded scripts or configuration files be digitally signed by a trusted publisher.

The “.\” before the script (and before the commands in the script file) is required because, unlike the rest of Windows, PowerShell does not include the current directory in the search path.
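The script above works because C:\USGCB contains no spaces and every registry.pol sits under exactly one of \Machine\ or \User\. As an added example, not taken from the USGCB Tech Blog post or from the ImportRegPol/Apply_LGPO_Delta documentation, here is a stricter version of the same four steps that a practitioner would more likely run on a real build: it confirms the session is elevated, checks that both tools are present, quotes every path it passes, classifies each registry.pol by its parent folder name (Machine or User, which is the standard GPO backup layout) instead of a substring match on the whole path (a root folder such as C:\User\USGCB would otherwise get every file imported twice), and uses Start-Process -Wait -PassThru rather than cmd /c start /wait so that it can stop on a failing step. It assumes the same C:\USGCB layout the post describes, that the two tools return a non-zero exit code on failure (an assumption; check the tools' logs if in doubt), and the -Reboot switch and Invoke-Tool helper are names chosen here, not part of either tool.

```powershell
# ApplyUSGCB-Checked.ps1 (added example; not the USGCB blog's script)
# Assumes the NIST GPO backups, ImportRegPol.exe, Apply_LGPO_Delta.exe and
# Deltas.txt are all extracted into $Root exactly as the post describes.
param(
    [string] $Root = 'C:\USGCB',
    [switch] $Reboot          # add /boot to the final Apply_LGPO_Delta call
)

$ErrorActionPreference = 'Stop'

# Local policy edits need an elevated session; fail early instead of half-applying.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not ([Security.Principal.WindowsPrincipal] $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

foreach ($exe in 'ImportRegPol.exe', 'Apply_LGPO_Delta.exe') {
    if (-not (Test-Path -LiteralPath (Join-Path $Root $exe))) {
        throw "$exe not found in $Root; copy it there first."
    }
}
Set-Location -LiteralPath $Root

# Both tools are GUI-subsystem executables, so a plain invocation returns at
# once. Start-Process -Wait blocks until exit and -PassThru exposes the exit
# code. Treating non-zero as failure is an assumption about these tools.
function Invoke-Tool {
    param([string] $Exe, [string[]] $Arguments)
    $p = Start-Process -FilePath (Join-Path $Root $Exe) -ArgumentList $Arguments `
                       -Wait -PassThru -WindowStyle Hidden
    if ($p.ExitCode -ne 0) {
        throw "$Exe $($Arguments -join ' ') exited with code $($p.ExitCode)"
    }
}

# Step 1 and 2: administrative templates. The parent folder name decides the
# scope, so a file is never imported as both -m and -u.
Get-ChildItem -LiteralPath $Root -Recurse -Filter registry.pol | ForEach-Object {
    $scope = switch ($_.Directory.Name) {
        'Machine' { '-m' }
        'User'    { '-u' }
        default   { $null }
    }
    if ($null -eq $scope) {
        Write-Warning "Skipping $($_.FullName): not under a Machine or User folder"
        return
    }
    Invoke-Tool 'ImportRegPol.exe' @($scope, "`"$($_.FullName)`"", '/log', "`"$Root\Policies.log`"")
}

# Step 3: security templates (account, audit and user-rights settings).
Get-ChildItem -LiteralPath $Root -Recurse -Filter GptTmpl.inf | ForEach-Object {
    Invoke-Tool 'Apply_LGPO_Delta.exe' @("`"$($_.FullName)`"", '/log', "`"$Root\SecTempl.log`"")
}

# Step 4: site-specific overrides last, so they win over the NIST baseline.
$deltaArgs = @("`"$Root\Deltas.txt`"", '/log', "`"$Root\Deltas.log`"")
if ($Reboot) { $deltaArgs += '/boot' }
Invoke-Tool 'Apply_LGPO_Delta.exe' $deltaArgs

Write-Host "Baseline applied. Per-setting detail is in $Root\Policies.log, SecTempl.log and Deltas.log."
```

Run it from an elevated prompt as `.\ApplyUSGCB-Checked.ps1` (add `-Reboot` to get the original script's reboot). If you would rather not change the machine-wide execution policy as the post does, `Set-ExecutionPolicy RemoteSigned -Scope Process` limits the relaxation to the current session.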