Today I had a need to compare the local security policies between two domain controllers to verify the audit configuration on each. I figured this could be easily achieved using the Security Configuration and Analysis MMC built into Windows. The tool seems to work well with comparing with pre-defined baselines but for the life of me I could not figure out how to export the current configuration for analysis on another machine. While this proved to ultimately be fruitless, it did lead me down a several hour rabbit hole that thankfully did ultimately result in a solution.
The solution ultimately was looking outside of the core Windows OS to a free download from Microsoft called the Security Compliance Manager. That can be found here:
Note: This is a 132MB download and requires a SQL server to install. I installed SQL 2008 R2 Express on the same machine without issue. If you’d like to know how I configured SQL, see this blog post:
Otherwise the install is simply a next, next finish kind of thing. Once it’s installed, you can launch it from your start menu. The first time you launch it will likely take 5+ minutes while it loads in all of the policy modules for all of the supported products. Once it’s installed, you should see a screen similar to this:
At this point, you might be thinking as I did that somewhere in the UI you would tell it to scan a remote computer to pull its current configuration. I’ll save you some time and tell you that the Security Compliance Manager does not allow you to import live configurations. It only works for comparing baselines. That obviously doesn’t help us much. If you look in the top right, you’ll see an option for Import GPO Backup (folder). Don’t be fooled as I did. This is not just for GPOs but can also import the local security policy from a machine. The question now becomes, how do you generate the configuration? After much more digging, I discovered, almost by accident, the following file that was generated as part of the installation of the SCM:
“C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO\LocalGPO.msi”