HOWTO: Export and Compare Security Policies between 2 different Windows Machines

Today I had a need to compare the local security policies between two domain controllers to verify the audit configuration on each. I figured this could be easily achieved using the Security Configuration and Analysis MMC built into Windows. The tool works well for comparing a machine against pre-defined baselines, but for the life of me I could not figure out how to export the current configuration for analysis on another machine. While the MMC route proved fruitless, it led me down a several-hour rabbit hole that thankfully did result in a solution.

The solution was to look outside of the core Windows OS to a free download from Microsoft called the Security Compliance Manager (SCM). It can be found here:

http://technet.microsoft.com/en-ca/solutionaccelerators/cc835245.aspx

Note: This is a 132MB download and requires a SQL server to install. I installed SQL 2008 R2 Express on the same machine without issue. If you’d like to know how I configured SQL, see this blog post:
https://pleasework.robbievance.net/howto-configure-server-performance-advisor-to-troubleshoot-domain-controller-performance/

Otherwise the install is simply a next, next, finish kind of thing. Once it's installed, you can launch it from your start menu. The first time you launch it, it will likely take 5+ minutes while it loads all of the policy modules for all of the supported products. Once that has finished, you should see a screen similar to this:

At this point, you might be thinking as I did that somewhere in the UI you would tell it to scan a remote computer to pull its current configuration. I'll save you some time and tell you that the Security Compliance Manager does not allow you to import live configurations. It only works for comparing baselines. That obviously doesn't help us much. If you look in the top right, you'll see an option for Import GPO Backup (folder). Don't be fooled as I was: this is not just for GPOs but can also import the local security policy from a machine. The question now becomes, how do you generate that configuration? After much more digging, I discovered, almost by accident, the following file that was generated as part of the installation of the SCM:

C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO\LocalGPO.msi

It turns out that this is a tool with an option to scan a machine and export its configuration in a GPO backup format that the SCM can understand. Once it's installed, it creates the following folder and files:

C:\Program Files (x86)\LocalGPO


  • You now want to copy this folder to the destination machine that you want to scan. (You may be able to simply run this from a UNC path – I haven’t tested that yet)
  • On the destination machine, right-click on command-line here.cmd and choose Run as Administrator
  • UPDATE: If you run this on Windows Server 2012 R2, you'll get an error stating the OS is not supported. You can bypass this check by following the steps here: https://social.technet.microsoft.com/Forums/windows/en-US/70258d97-0dcd-4f63-8e14-e451dc05811c/localgpo-support-for-w2012r2?forum=winserversecurity
    In the localgpo.wsf file, search for the line:
    If(Left(strOpVer,3) = "6.2") and (strProductType <> "1") then
    Replace it with:
    If(Left(strOpVer,3) = "6.2" or (Left(strOpVer,3) = "6.3")) and (strProductType <> "1") then
  • If you scroll up a bit in the help output, you'll see the command we need to export the configuration:


    cscript LocalGPO.wsf /Path:C:\GPObackups /Export

  • Note: You’ll need to create the folder referenced in advance
  • When you run the command, a new sub-folder named with a GUID will be created, just like a typical GPO backup


  • Go back to the SCM and choose the Import GPO Backup (folder) button described above
  • Select the specific GPO GUID folder. (If you select the root, the import will fail)


  • Now, repeat these steps for the second machine that you want to compare with the results you just generated.
  • In the left-hand tree view pane you should now have a GPO Import group with your two imports under it


  • Select one of the two GPOs (it doesn't matter which) and on the right-hand side choose Compare / Merge


  • Choose the opposite GPO and press OK


  • Congratulations, you now have a detailed review of the differences between the two machines' configurations


  • Note that there is also an Export to Excel button. This requires that Excel is configured to allow macros to run
  • Running that produces a report that is much easier to read and filter
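The procedure above can also be scripted end to end. The following PowerShell is an added example, not code from the original post or from Microsoft's SCM or LocalGPO tools: it runs the same LocalGPO export command as above on a machine, then parses two exported security templates and lists the settings that differ, so the comparison can be done without the SCM GUI (or kept in version control). Assumptions, labelled in the comments: LocalGPO has been copied to C:\Program Files (x86)\LocalGPO as in the post, the {GUID} backup it writes contains a GptTmpl.inf at the usual GPO-backup path (DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf), and the demo templates at the end are constructed sample values rather than real exports.

```powershell
# Added example; not part of the original post or of the SCM/LocalGPO tools.
# Assumed paths: LocalGPO at C:\Program Files (x86)\LocalGPO, backups under C:\GPObackups.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Export-LocalGpoBackup {
    param(
        [string]$LocalGpoDir = 'C:\Program Files (x86)\LocalGPO',
        [string]$BackupRoot  = 'C:\GPObackups'
    )
    # The post notes that the target folder must exist before the export is run.
    if (-not (Test-Path -Path $BackupRoot)) {
        New-Item -ItemType Directory -Path $BackupRoot | Out-Null
    }
    # Same command as in the post, run from the LocalGPO folder in an elevated shell.
    Push-Location -Path $LocalGpoDir
    try {
        & cscript.exe //nologo .\LocalGPO.wsf "/Path:$BackupRoot" /Export
        if ($LASTEXITCODE -ne 0) { throw "LocalGPO export failed (exit code $LASTEXITCODE)" }
    } finally {
        Pop-Location
    }
    # The export creates one {GUID} sub-folder, exactly like a GPO backup; return the newest.
    Get-ChildItem -Path $BackupRoot -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        Sort-Object -Property LastWriteTime -Descending |
        Select-Object -First 1
}

function Read-SecurityTemplate {
    param([Parameter(Mandatory)][string]$Path)
    # Parse an INI-style security template (GptTmpl.inf, or secedit /export output)
    # into a hashtable keyed "Section\Key" -> value. Get-Content honours the
    # UTF-16 byte-order mark these files normally carry.
    $settings = @{}
    $section = ''
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }            # blank or comment
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        $idx = $t.IndexOf('=')
        if ($idx -lt 1) { continue }                                    # not a key = value line
        $settings["$section\$($t.Substring(0, $idx).Trim())"] = $t.Substring($idx + 1).Trim()
    }
    return $settings
}

function Compare-SecurityTemplate {
    param(
        [Parameter(Mandatory)][string]$ReferencePath,
        [Parameter(Mandatory)][string]$DifferencePath
    )
    # Emit one object per setting whose value differs or that is set on only one side.
    $ref = Read-SecurityTemplate -Path $ReferencePath
    $dif = Read-SecurityTemplate -Path $DifferencePath
    $keys = @($ref.Keys) + @($dif.Keys) | Sort-Object -Unique
    foreach ($k in $keys) {
        $a = if ($ref.ContainsKey($k)) { $ref[$k] } else { '<not set>' }
        $b = if ($dif.ContainsKey($k)) { $dif[$k] } else { '<not set>' }
        if ($a -ne $b) {
            [pscustomobject]@{ Setting = $k; Reference = $a; Difference = $b }
        }
    }
}

function Invoke-TemplateCompareDemo {
    # Offline demonstration on two constructed templates (sample values, not real exports):
    # the second machine audits account logon for success only and has no lockout threshold.
    $dc1 = Join-Path -Path $env:TEMP -ChildPath 'dc1-GptTmpl.inf'
    $dc2 = Join-Path -Path $env:TEMP -ChildPath 'dc2-GptTmpl.inf'
    @"
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
"@ | Set-Content -Path $dc1 -Encoding Unicode
    @"
[Unicode]
Unicode=yes
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 1
"@ | Set-Content -Path $dc2 -Encoding Unicode
    Compare-SecurityTemplate -ReferencePath $dc1 -DifferencePath $dc2 | Format-Table -AutoSize
}

# Real use: run Export-LocalGpoBackup on each machine, then point
# Compare-SecurityTemplate at the GptTmpl.inf inside each {GUID} backup folder.
Invoke-TemplateCompareDemo
```

The demo reports two rows: Event Audit\AuditAccountLogon (3 versus 1) and System Access\LockoutBadCount (5 versus not set). The [Unicode] section and identical keys are suppressed, which is the same signal the SCM Compare / Merge view gives, reduced to a table that can be filtered or piped to Export-Csv.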


Hopefully this helps someone else out!

4 comments


    • Ray on December 3, 2015 at 5:41 am

    Great piece of Information. I rarely use SCM and having your resource was invaluable!

    Thanks!

    1. Hi Ray,

      I’m glad to hear you found this useful! Last month I found myself needing this information again but completely forgot about this HOWTO. I started Googling and made it almost a paragraph into this article before I realized that I was on my own site and I was the author! Goes to show you how important it is to document your learnings. You never know if you’ll end up helping yourself. 🙂

    • Kenny on April 20, 2021 at 1:28 pm

    Hi, could I use the SCM method you described to:
    1. how to query and export servers security configurations to another folder? Please only use scripting i.e. without the need to install any agent.

    2. Conduct (1) for cisco network devices too

    • MrDee on March 14, 2022 at 12:45 pm

    I don’t think this tool provides RSOP
