This free solution (also known under its acronym - SCM) - a part of so-called Microsoft Solution Accelerators suite - is quite useful when it comes to managing your GPOs (Group Policy Objects), when checking your current settings vs. Microsoft's recommendations, if you want to create a new policy based on the existing one or compare any two policies for differences etc.
It should also be noted that the policies can be exported to various formats, including the Excel (.xlsm) workbook format (which then could be used while performing an IT audit) and .cab files (which can later be used on other deployments and so on - among them are also .cabs compatible with the NIST / The National Institute of Standards and Technology SCAP / Security Content Automation Protocol).
Another neat feature are the enclosed attachments / guides in form of MS Word and Excel documents, as well as some answer files and even PowerShell scripts (.ps1 files).
Anyway, to use the SCM, it has to be installed first - the installation will need:
- .NET 3.5 / 4 installed (depending on the version)
- an SQL Server 2008 (or later; at least Express) instance and some Visual C++ 2010 libraries (both should be included in the SCM installation file available here)
During the installation, a few times I've come across a prompt pictured below - however, in the end the SCM was working anyway (it's probably just a precautionary warning by Microsoft). All that has to be done is to choose the second option ("Run the program without getting help").
After the SCM has been installed, there's also an useful CLI tool called LocalGPO available for installation at C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO (just run the .msi placed there).
This is a tool which can be used to backup (export) a GPO from a non-domain joined computer, to apply a security baseline to the local Group Policy of a computer etc. Once installed, it must be run in an elevated mode ("Run as administrator" option on the right-click menu). Unfortunately, it obviously doesn't work on Windows 10 (yet) - actually, there's an error capture below showing officially supported Windows versions:
However, here is an example of the export-import procedure ran on a Windows 7 installation:
- first a had to export the Local Policy by running the command pictured below:
- once the export had been done, I've started the SCM 3.0 and chosen the "Import a Group Policy Backup" option from main SCM window:
- after a successful import, the Policy had appeared among the "Custom Baselines":
As you can see from the last screenshot, the main SCM tasks are listed on the right side (I'll cover some of them in an article to follow - for now, please notice that this is not what a policy should look like at all).
All in all, this solution is quite intuitive and easy to use by its software ergonomics, and also quite helpful in performing everyday system administration (and - somewhat more rarely - audits) and therefore it's an essential tool for Windows-based systems and networks.