Windows 7, 32-bit. I have added the "Group Policy Object" to the MMC with group selected as "non-administrators" (from [browse]-->Users). I have locked down the capabilities of the local machine so that non-administrators can do very little, and now I want to be able to apply this policy setting to clones of this machine. Further, I want to be able to put these settings into source control so that policy modifications can be tracked. I want the administrators to have full capabilities.
Once configured on my target machine, I have created a WIM with the Microsoft Deployment Toolkit (MDT), which solves the first half of my needs, but this makes it hard to compare any changes to the policy.
I have installed the Security Compliance Manager (SCM), but this wants a baseline to start with, and I do not see how to apply policies to groups with this tool. I have installed the LocalGPO.wsf tool as well and have created a backup of the local policy with the /Export switch, but when I use the MMC to change the non-administrator policies, this is not reflected with the LocalGPO.wsf when I run the /Compare against my previously exported GPO. We cracked open the LocalGPO.wsf file and at first glance it looks like it calls SECEDIT.exe, which does not seem to take any switches for group policies.
Am I missing a switch on the LocalGPO.wsf that will export the non-administrator group policy settings so that I can put this into source control?
Is there another way to apply my changes to the non-administrators in the SCM? I could not find that menu item.
Are my aspirations too high to be able to update these policies in a controlled fashion?
Thanks - Steve