LGPOv2.2 Example - Set Security Event Log Max Size to 80 MB via Local Group Policy
| 1 Votes |
Description
LGPO v2.2 is described at https://www.microsoft.com/en-us/download/details.aspx?id=55319. The utility allows for scripted configuration of Local Group Policy (Computer, User, and MLGPO contexts). Version 2.2 adds support for MLGPO, REG_QWORD data types, and the CLEAR directive to return settings to "Not Configured". LGPO can configure Registry policies, apply Secedit templates, and configure Advanced Audit Policies. Existing policy settings can be exported or imported from text.
This example fixlet demonstrates the use of LGPO by configuring the Security Event Log maximum size to 80 MB.
The LGPO zip file includes a PDF explaining its use.
Property Details
| 24619 | |
| Beta - Preliminary testing ready for more | |
| LGPOv2.2 Example - Set Security Event Log Max Size to 80 MB via Local Group Policy | |
| BESC | |
| LGPO Template Policy | |
| Internal | |
| 8/17/2017 2:27:09 PM | |
| Local Group Policy, LGPO, Security, MLGPO, Secedit | |
| JasonWalker on 8/17/2017 2:27:09 PM | |
| JasonWalker on 8/17/2017 2:27:09 PM | |
| 7886 Views / 13 Downloads | |
* Average over 0 ratings.
** Log In or Register to add your rating.
|
Relevance
isWindows (Relevance 1172)
windows of operating system
if exists property "in proxy agent context" then not in proxy agent context else true
| Used in 1 fixlet | * Results in a true/false |
/* Apply to Windows 7 or higher only */ version of operating system >= version "6.1"
| Used in 1 fixlet | * Results in a true/false |
/* Sample check to set Security Event Log maximum size to 80 MB */ not exists keys "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Eventlog\Security" whose (value "MaxSize" of it as integer = 81920) of native registry
Actions
Action 1 (default)
Action Link Click
here to deploy this action.
Script Type
BigFix Action Script
// To use this template, update or remove the following blocks and replace the Relevance
// Enter your action script here
begin prefetch block
add prefetch item name=LGPO.zip sha1=0c74dac83aed569607aaa6df152206c709eef769 size=815660 url=https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip sha256=6ffb6416366652993c992280e29faea3507b5b5aa661c33ba1af31f48acea9c4
// Download UnZip utility
add prefetch item name=unzip.exe sha1=e1652b058195db3f5f754b7ab430652ae04a50b8 size=167936 url=http://software.bigfix.com/download/redist/unzip-5.52.exe sha256=8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
collect prefetch items
end prefetch block
// Add LGPO.zip to the client utility cache
utility __Download\LGPO.zip
// Add unzip.exe to the client utility cache
utility __Download\unzip.exe
waithidden __Download\unzip.exe -o "{pathname of client folder of current site}\__Download\LGPO.zip" -d "{pathname of client folder of current site}\__Download"
action uses wow64 redirection false
delete __createfile
createfile until EOF_EOF_EOF
; ----------------------------------------------------------------------
; PARSING COMPUTER POLICY
; Source file: \temp\Registry.pol
Computer
Software\Policies\Microsoft\Windows\Eventlog\Security
MaxSize
DWORD:81920
; PARSING COMPLETED.
; ----------------------------------------------------------------------
EOF_EOF_EOF
delete regpol.txt
move __createfile regpol.txt
waithidden __Download\LGPO.exe /t regpol.txt
continue if {exit code of action = 0}
Success Criteria
This action will be considered successful when the applicability relevance evaluates to false.
Sharing
| Social Media: |
Comments
 |
|
| to write to HKCU you use "User" instead of "Computer" in the above. Generally I set things in Group Policy Editor, export to registry.pol using LGPO util, then parse that into LGPO text, then use that in a fixlet. | |
 |
|
| [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\QuietHours] "Enable"=dword:00000001 [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications] "NoToastApplicationNotification"=dword:00000000 I want to install this two reg using lgpo.exe /t lgpo.txt. your script put in hklm key. how to do it for current user or all users. | |
 |
|
| If you are licensed for Compliance, the CIS / USGCB content has good examples for Relevance checks for the more difficult items like password policy. Then I use LGPO to apply changes rather than Bigfix's default regedit / secedit commands, mostly to make it easier to hand off a gpresult export for external auditors. | |
|
|
| The trick is that it is much harder to write relevance for the examples you bring up rdshift, but even then there are possibilities, but using Local GPO for registry settings is by far the easiest option. | |
|
|
| I did not include the function in my example, but LGPO can also ingest secedit.inf files for things like renaming accounts, password policy, etc. And can apply Audit.csv settings for Advanced Audit Configuration policies. Basically everything that you can configure in the Local Group Policy management console. | |
 |
|
| It seems like this text-based approach only works with registry-friendly entries. You'd have to use registry.pol files or another approach (wmic, net, etc.) for policies with no registry entry, such as renaming administrator or guest, or for setting password lockout policies. | |
|
|
| FYI the unconfigured maximum appears to be 20480KB on Windows 10 so this effectively quadruples the max size. | |
