
In Using the Microsoft Security Compliance Manager Tool on Petri, I showed you how to get started with Microsoft’s free Security Compliance Manager (SCM) tool, how to manage security and Group Policy settings, and how to track changes to baseline security templates. In today’s Ask the Admin, I’ll show you how to export security templates as Group Policy Objects (GPOs).
Before you can apply SCM settings to servers in an Active Directory domain, you need to export the settings to a Group Policy Object, which can then be linked to a forest, domain or Organizational Unit (OU).
If Security Compliance Manager is not already open, launch it from C:\Program Files (x86)\Microsoft Security Compliance Manager.
Export SCM Template Settings as a GPO Backup (Image Credit: Russell Smith)
Using the Group Policy Management Console (GPMC), we can create a Group Policy Object from the backup we just made. For the purposes of this demonstration, I’ve installed GPMC on the same computer as the Security Compliance Manager tool. To install GPMC on Windows Server 2012 or later, type Install-WindowsFeature -Name GPMC in an elevated PowerShell prompt and press ENTER. Alternatively, GPMC is part of the Remote Server Administration Tools (RSAT) for Windows 10, and can be downloaded here.
To successfully create a Group Policy Object using GPMC, the console must be started with a domain user account that has permission to create new Group Policy Objects in the domain.
Import Settings to a New Group Policy Object (Image Credit: Russell Smith)
If the GPO backup contains references to security principals and/or UNC paths, you will be shown the Migrating References screen. If the GPO contains unique UNCs or security descriptors referencing names of servers or domains, you may need to use a migration table to map them to the new GPO.
I know that this GPO backup can be used to create a GPO in the target domain without worrying about mapping security descriptors and UNC paths, but let’s check to make sure that is the case.
In the Migration Table Editor window, you’ll see the security descriptors and UNC paths listed. If any of them will not work in the target domain, you can type the appropriate path or name in the Destination Name column. In this example, I don’t need to make any changes as all the security descriptors listed will work in the target domain.
Map Unique Security Descriptor and UNC Path References (Image Credit: Russell Smith)
Populated Group Policy Object (Image Credit: Russell Smith)
Now that we have a GPO based on the settings configured using the Security Compliance Manager tool, you can link the GPO as required in your AD forest using GPMC. For more information on using GPMC and linking Group Policy Objects, see Working with Group Policy on Petri.
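The same import-and-link procedure can be scripted with the GroupPolicy PowerShell module that is installed alongside GPMC. The script below is an added example, not part of the original article: the backup folder, GPO names, OU and migration table path are placeholders, and it creates the link disabled so the imported settings can be reviewed in a report before they apply to any server.

```powershell
# Added example: import an SCM-exported GPO backup, report on it, and stage a disabled link.
# Every default value below is a placeholder (assumption), not a value from the article.
param(
    [string]$BackupPath     = 'C:\GPOBackups\SCM',              # folder chosen for SCM's GPO backup export
    [string]$BackupGpoName  = 'Example SCM Baseline',           # display name recorded in the backup
    [string]$TargetGpoName  = 'SCM - Example Server Baseline',  # new GPO to create in the domain
    [string]$TargetOU       = 'OU=Servers,DC=example,DC=com',   # container the GPO will be linked to
    [string]$MigrationTable = ''                                # optional .migtable saved from the editor
)

$ErrorActionPreference = 'Stop'
Import-Module GroupPolicy

if (-not (Test-Path -Path $BackupPath -PathType Container)) {
    throw "Backup folder not found: $BackupPath"
}

# Import-GPO overwrites the settings of an existing GPO, so refuse to reuse a name.
if (Get-GPO -Name $TargetGpoName -ErrorAction SilentlyContinue) {
    throw "A GPO named '$TargetGpoName' already exists; choose a new name."
}

$importArgs = @{
    BackupGpoName  = $BackupGpoName
    Path           = $BackupPath
    TargetName     = $TargetGpoName
    CreateIfNeeded = $true
}
# Only pass a migration table when security principals or UNC paths need mapping.
if ($MigrationTable) {
    if (-not (Test-Path -Path $MigrationTable -PathType Leaf)) {
        throw "Migration table not found: $MigrationTable"
    }
    $importArgs.MigrationTable = $MigrationTable
}

$gpo = Import-GPO @importArgs

# Write an HTML settings report so the imported baseline can be reviewed first.
$report = Join-Path -Path $env:TEMP -ChildPath "$($gpo.Id).html"
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $report

# Create the link disabled; enable it in GPMC once the report has been checked.
New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled No | Out-Null

Write-Output "Imported '$($gpo.DisplayName)' ($($gpo.Id)); report: $report; link to $TargetOU is disabled."
```

As with GPMC itself, run this as a domain user that has permission to create Group Policy Objects and to link them to the target container.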
In the final part of this series, I’ll show you how to secure standalone Windows servers using Security Compliance Manager.