Saturday, May 19, 2007

Export a Local User Policy on Vista

I received an interesting question by mail the other day regarding my article about MLGO on Windowsecurity.com. The question was whether it is possible to export a local policy assigned to a specific user to a user on another computer.

After scratching my head and researching a bit, it seemed like nobody had a good answer for this, and apparently no GUI tool is available, so I had to come up with something myself. This is the result:

The following undocumented - and probably unsupported - method worked for me:

On "Source Computer":
1. Create/modify a local policy for the "Source User"
2. Go to "C:\Windows\System32\GroupPolicyUsers\" and locate the most recently modified policy folder
- the folder should be named with the SID (Security ID) of the "Source User", e.g. "S-1-5-21-452792215-1268730067-2626448776-1108"
3. Copy the folder and content to the "Target Computer" into the same directory structure

On "Target Computer":
1. Rename the newly copied folder to the SID of the "Target User" (the user who should receive the "exported" policy)
- how to find the SID of a local user?
2. Set NTFS permissions on the newly renamed folder to:
- SYSTEM = "Full Control"
- Administrators group = "Full Control"
- "Target User" = "Read & Execute"
3. Test a logon as the "Target User"; the policies should be applied correctly.

Done! Well, the procedure is a bit "odd", but it could be scripted if required.
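One way to script the "Target Computer" half of the procedure, as an added PowerShell example that is not part of the original post. It assumes it runs elevated on the target computer, that the source SID folder has already been copied to a staging path ($SourcePolicyCopy), and that $TargetUser is the name of a local account (all three names are hypothetical):

```powershell
# Added example (not from the original post): import a copied per-user local policy
# folder for a target user and set the NTFS permissions the procedure calls for.
# Assumptions: elevated session on the target computer; $SourcePolicyCopy points at a
# staged copy of the source SID folder; $TargetUser is a local account name.
param(
    [Parameter(Mandatory)] [string] $TargetUser,        # e.g. "alice" (constructed)
    [Parameter(Mandatory)] [string] $SourcePolicyCopy   # staged copy of the source SID folder
)

$policyRoot = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'

# 1. Resolve the target user's SID (this answers "how to find the SID of a local user?")
$targetSid = (New-Object System.Security.Principal.NTAccount($TargetUser)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
Write-Host "Target SID: $targetSid"

# 2. Copy the staged folder into GroupPolicyUsers under the target user's SID
$dest = Join-Path $policyRoot $targetSid
if (Test-Path $dest) { throw "A policy folder for $targetSid already exists; refusing to overwrite." }
Copy-Item -Path $SourcePolicyCopy -Destination $dest -Recurse

# 3. Replace the inherited ACL with exactly the three entries from the procedure
$acl = Get-Acl -Path $dest
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance and drop inherited ACEs
$inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
foreach ($entry in @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = $targetSid;               Rights = 'ReadAndExecute' }
)) {
    # Well-known accounts are given by name; the target user by the SID resolved above
    $principal = if ($entry.Id -like 'S-1-*') {
        New-Object System.Security.Principal.SecurityIdentifier($entry.Id)
    } else {
        New-Object System.Security.Principal.NTAccount($entry.Id)
    }
    $rights = [System.Security.AccessControl.FileSystemRights] $entry.Rights
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, $rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $dest -AclObject $acl

# 4. Show the resulting ACEs so they can be checked before testing a logon as the target user
(Get-Acl -Path $dest).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The ACL listing at the end should show only the three entries from step 2 of the procedure; anything else means inheritance was not removed.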

4 Comments:

Ricardo Santos said...

Hi Jakob! Thanks a lot for your post, it helped me a lot!

However there is another way to achieve that goal regarding the SID part (it worked for me).

What I've done was:
1. Logged on with an administrator account
2. Start/Run, mmc, Ok
3. File, Add/Rem Snap-In
4. Group Policy Object Editor, Add
5. Browse
6. Tab computers, this computer, Tab Users, selected the user I wanted to import group policy, Ok, Finish, Ok
7. Closed the MMC Console. (the step 6 created the folder with the user's SID in c:\windows\system32\GroupPolicyUsers)
8. Then I just needed to go to c:\windows\system32\GroupPolicyUsers, enter into the newest folder in that directory (the SID of the user I wanted to change)
9. Deleted all the content of that new folder and pasted the content of the SID folder from the user with the group policy I wanted to copy.

Nathan said...

I am trying to use this to apply a group policy to the 'non-administrators' group. It creates a SID-named folder, and I can copy that folder to a new computer, but the computer is unaware of its existence.

Is there a way to make it wake up and realize that it's there?

Jakob H. Heidelberg said...

Hi Nathan,

To be honest I never tried that move - did you tweak the NTFS permissions?

Erlend said...

Make one change in the non-administrators GPO, and it will activate all settings within the copied file.

Had the same problem as you: after copying the file, it could see all the settings in the non-administrators GPO, but they didn't kick in. So I changed one, restarted, and it all kicked in.