How to merge GPO's with PowerShell, this is a little misleading, PowerShell is used to add the logic to LGPO.exe there's worse to follow. The whole process can't be fully automated and requires manual intervention. Yep, that dreaded word...."Manual".
However, the following method does work at merging disparate GPO's for Domain deployment.
The Issue:
As someone who applies Microsoft's Security GPO baselines in a Domain, it's a little messy importing each of the separate GPO's for Windows, Office and Edge etc. Resulting in multiple Computer and User policies being listed in GPO Management, leading to administrator confusion and even a possible performance hit whilst the client applies those multiple GPO's. What is required is a single Computer or User GPO with all the combined settings.
You will require:
A non Domain joined Windows client or server for merging of the policies, preferably the same as the GPO's being applied.
Download LGPO and PolicyAnalyzer and the latest recommended SCM GPO's from (here).
A Domain with Domain Admin rights to import the merged policy.
To manage Office and Edge GPO's set up a Central Store (here) and install the latest admx files on both the Domain Controller and the standalone. If this step is missed the settings will appear as extra registry settings in GPO Management.
The script to merge policies (here).
The Prep::
I'm going all in for the demo and merging Windows 11, Office 365 and Edge policies for both User and Computer. This is not recommended as User and Computer policies should be separated. If you do follow this example link the merged GPO on a Computer OU and then apply the Loopback settings, the user policies will then apply at user logon.
Enough waffle... create a folder on the standalone client\server, extract and copy all the GPO's to the folder.
Copy both the script and LGPO.exe to the root of that folder.
The execution:
Execute the script with admin rights either via PowerShell or ISE.
The script loops through each of the policy directories LGPO to merge both the User and Computer settings, applying them locally.
LGPO then exports the local settings to a GPOBackup directory.
Ignore the warnings, it's LGPO throwing its teddy out of the pram.
A quick validation of the local policies by filtering 'Configured' policies.
The Domain Policy:
Copy the merged policy from the MergedGPO directory to the Domain Controller or Management client with 'Group Policy Management' feature installed.
Create a new Domain Group Policy, don't link to an OU.
Right-click on the new GPO and 'Import Settings'.
Warning this will overwrite any existing settings, don't mess this step up.
Follow the wizard and select the folder where the merged policies reside.
Select the GPO to import.
Review the settings and link to the correct OU.
Warning, linking the Microsoft recommended policies to any Client, Server or DC will likely result in an outage or services becoming unresponsive, so test first and make any necessary changes.
It looks pretty easy and it is.... however.... and this is where a little GPO bravery and the manual intervention kicks in.
The Manual Steps:
After reviewing the setting you'll notice, LGPO has imported all the Security settings including password and account policies. These are set at the Root of the domain and can't be overridden by placing them at a lower level.
From Group Policy Management, select the imported GPO and make a note of the 'Unique ID:'
Browse to 'C:\Windows\Sysvol\Domain\Policies'
Select the matching 'Unique ID'.
Navigate to the 'SecEdit' directory.
GptTmpl - Security Settings
GptTmpl.inf contains most of the security settings, no Firewall or Applocker policies though.
Settings within GptTmpl.inf are the setting that most likely requires removing. There are 2 possible solutions depending on the scenario.
If for example only User settings are required.... delete GptTmpl.inf
If Password or Account policies aren't required open GptTmpl.inf from an elevated Notepad and remove the excess sections.
Registry.pol - Administrative Templates
Amending User or Machine Registry.pol files from within isn't so easy and recommend using Group Policy Management as the editor.
It is possible to delete the Registry.pol files and this is what I've done.
Audit.csv - Advanced Audit Settings
Lastly, Advanced Audit settings via the audit.csv file, delete this file as well.
The Result:
The end result is that all Computer settings are removed, leaving only the User settings.
The issue with Client Side Extensions:
In some instances during the GPO Policy import, no settings are displayed from within GPO Management. This is due to the GPCMachineExtensionName attribute not writing the correct values at import. In this case, update the GPO values, if Security Options or User Rights Assignments aren't displaying, make changes, apply and revert the change. GPO Management will then successfully display the correct values.
If the GPCMachineExtensionName attribute is known the following command can be used.
Set-ADObject -Identity $getGPOPath -Replace @{gPCMachineExtensionNames="[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"}
Comments