LGPOv2.2 Example - Set Security Event Log Max Size to 80 MB via Local Group Policy

Description

LGPO v2.2 is described at https://www.microsoft.com/en-us/download/details.aspx?id=55319. The utility allows for scripted configuration of Local Group Policy (Computer, User, and MLGPO contexts). Version 2.2 adds support for MLGPO, REG_QWORD data types, and the CLEAR directive to return settings to "Not Configured". LGPO can configure Registry policies, apply Secedit templates, and configure Advanced Audit Policies. Existing policy settings can be exported to or imported from text.

This example fixlet demonstrates the use of LGPO by configuring the Security Event Log maximum size to 80 MB. The Eventlog MaxSize policy value is stored in kilobytes, so 80 MB is written as DWORD 81920, which is also the value the relevance below checks for.

The LGPO zip file includes a PDF explaining its use.


Property Details

ID: 24619
Status: Beta - Preliminary testing ready for more
Title: LGPOv2.2 Example - Set Security Event Log Max Size to 80 MB via Local Group Policy
Domain: BESC
Category: LGPO Template Policy
Source: Internal
Source Release Date: 8/17/2017 2:27:09 PM
Keywords: Local Group Policy, LGPO, Security, MLGPO, Secedit
Added by on 8/17/2017 2:27:09 PM
Last Modified by on 8/17/2017 2:27:09 PM
Counters: 6323 Views / 7 Downloads

Relevance

isWindows (Relevance 1172)
    Used in 1112 fixlets and 524 analyses. Results in a true/false.

windows of operating system
    Used in 21 fixlets and 3 analyses. Results in a true/false.

if exists property "in proxy agent context" then not in proxy agent context else true
    Used in 1 fixlet. Results in a true/false.

/* Apply to Windows 7 or higher only */ version of operating system >= version "6.1"
    Used in 1 fixlet. Results in a true/false.

/* Sample check to set Security Event Log maximum size to 80 MB */ not exists keys "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Eventlog\Security" whose (value "MaxSize" of it as integer = 81920) of native registry

Actions

Action 1 (default)

Script Type: BigFix Action Script
// To use this template, update or remove the following blocks and replace the Relevance

// Enter your action script here

begin prefetch block

add prefetch item name=LGPO.zip sha1=0c74dac83aed569607aaa6df152206c709eef769 size=815660 url=https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip sha256=6ffb6416366652993c992280e29faea3507b5b5aa661c33ba1af31f48acea9c4

// Download UnZip utility
add prefetch item name=unzip.exe sha1=e1652b058195db3f5f754b7ab430652ae04a50b8 size=167936 url=http://software.bigfix.com/download/redist/unzip-5.52.exe sha256=8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

collect prefetch items
end prefetch block

// Add LGPO.zip to the client utility cache
utility __Download\LGPO.zip

// Add unzip.exe to the client utility cache
utility __Download\unzip.exe

// Extract LGPO.exe (and the LGPO PDF) from the zip into the site's __Download folder
waithidden __Download\unzip.exe -o "{pathname of client folder of current site}\__Download\LGPO.zip" -d "{pathname of client folder of current site}\__Download"

// Run native (64-bit) so LGPO writes the real policy hive rather than the WOW64 view
action uses wow64 redirection false

// Write the LGPO text file: one record of context / key path / value name / data.
// "Computer" maps to the HKLM policy hive; MaxSize is in KB, so 81920 = 80 MB.
delete __createfile
createfile until EOF_EOF_EOF
; ----------------------------------------------------------------------
; PARSING COMPUTER POLICY
; Source file: \temp\Registry.pol

Computer
Software\Policies\Microsoft\Windows\Eventlog\Security
MaxSize
DWORD:81920

; PARSING COMPLETED.
; ----------------------------------------------------------------------

EOF_EOF_EOF

delete regpol.txt
move __createfile regpol.txt

// Apply the policy text with LGPO (/t = import an LGPO text file) and fail the action if LGPO reports an error
waithidden __Download\LGPO.exe /t regpol.txt
continue if {exit code of action = 0}
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
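Before a policy text file like the one in the createfile block above is handed to LGPO.exe /t, it is worth checking that every record is well formed, since a malformed record means the setting is silently not applied and the relevance stays true. The following Python is an added example, not part of this fixlet and not Microsoft's LGPO code: it parses the four-line record format (context, key path, value name, data), validates the directive and integer range, emits it back, and computes the kilobyte value the relevance checks for. Directive names follow the LGPO PDF shipped in LGPO.zip; the User-context and CLEAR records in SAMPLE_POLICY are constructed for illustration and assume the same format rules as the Computer record on this page.

```python
# Added example (not from the fixlet): parser/emitter for the text format
# consumed by "LGPO.exe /t". Directive names follow the LGPO.pdf in LGPO.zip;
# the sample records below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

CONTEXTS = ("Computer", "User")
# A data line is either "<TYPE>:<payload>" or a bare directive with no payload.
TYPED_DIRECTIVES = ("DWORD", "QWORD", "SZ", "EXSZ", "MULTISZ", "BINARY")
BARE_DIRECTIVES = ("DELETE", "DELETEALLVALUES", "CREATEKEY", "CLEAR")
DWORD_MAX = 0xFFFFFFFF
QWORD_MAX = 0xFFFFFFFFFFFFFFFF


@dataclass(frozen=True)
class PolicyEntry:
    context: str      # "Computer" (HKLM policy hive) or "User" (HKCU policy hive)
    key: str          # path relative to the hive, e.g. Software\Policies\...
    value_name: str
    directive: str
    data: Optional[str] = None


def parse_lgpo_text(text: str) -> list:
    """Parse LGPO text into PolicyEntry records.

    A record is four consecutive lines: context, key path, value name, data.
    Blank lines and ';' comments (as LGPO's own export writes them) are
    ignored. Malformed input raises ValueError instead of yielding a file
    that LGPO.exe would reject or apply differently from what was intended.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if len(lines) % 4:
        raise ValueError("LGPO text must be made of 4-line records")
    entries = []
    for start in range(0, len(lines), 4):
        context, key, name, data = lines[start:start + 4]
        if context not in CONTEXTS:
            raise ValueError(f"unknown context {context!r}")
        # LGPO expects hive-relative paths; a full HKLM\... path is a common mistake.
        if key.upper().startswith(("HKLM\\", "HKCU\\", "HKEY_")):
            raise ValueError("key path must be relative to the hive: " + key)
        directive, sep, payload = data.partition(":")
        if directive in BARE_DIRECTIVES and not sep:
            entries.append(PolicyEntry(context, key, name, directive))
        elif directive in TYPED_DIRECTIVES and sep:
            if directive in ("DWORD", "QWORD"):
                limit = DWORD_MAX if directive == "DWORD" else QWORD_MAX
                if not payload.isdigit() or int(payload) > limit:
                    raise ValueError(f"{directive} value out of range: {payload!r}")
            entries.append(PolicyEntry(context, key, name, directive, payload))
        else:
            raise ValueError(f"unrecognised data line {data!r}")
    return entries


def emit_lgpo_text(entries) -> str:
    """Serialise entries back into the form LGPO.exe /t accepts."""
    blocks = []
    for e in entries:
        data = e.directive if e.data is None else f"{e.directive}:{e.data}"
        blocks.append("\n".join((e.context, e.key, e.value_name, data)))
    return "\n\n".join(blocks) + "\n"


def max_size_kb(megabytes: int) -> int:
    """The Eventlog MaxSize policy is stored in kilobytes: 80 MB -> 81920."""
    return megabytes * 1024


# The regpol.txt body from the fixlet's createfile block, verbatim.
FIXLET_POLICY = """; PARSING COMPUTER POLICY
; Source file: \\temp\\Registry.pol

Computer
Software\\Policies\\Microsoft\\Windows\\Eventlog\\Security
MaxSize
DWORD:81920

; PARSING COMPLETED.
"""

# Constructed sample: the same setting, a User-context value (the HKCU key asked
# about in the comments), and a CLEAR record (the v2.2 "Not Configured" directive).
SAMPLE_POLICY = FIXLET_POLICY + """
User
Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications
NoToastApplicationNotification
DWORD:0

Computer
Software\\Policies\\Microsoft\\Windows\\Eventlog\\Application
MaxSize
CLEAR
"""

if __name__ == "__main__":
    for entry in parse_lgpo_text(SAMPLE_POLICY):
        print(entry)
    print(emit_lgpo_text(parse_lgpo_text(FIXLET_POLICY)))
```

The check is on the text only, so it can run anywhere before deployment. Note that the key path is hive-relative: LGPO applies "Computer" records to the HKLM policy hive and "User" records to the HKCU policy hive, which is why the fixlet's relevance inspects HKEY_LOCAL_MACHINE\Software\Policies\... for the value the Computer record writes.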



Comments

lxuuym1 -
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\QuietHours]
"Enable"=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications]
"NoToastApplicationNotification"=dword:00000000
I want to install these two reg entries using lgpo.exe /t lgpo.txt. Your script puts them in an HKLM key. How do I do it for the current user or all users?
JasonWalker -
If you are licensed for Compliance, the CIS / USGCB content has good examples of Relevance checks for the more difficult items like password policy. Then I use LGPO to apply changes rather than BigFix's default regedit / secedit commands, mostly to make it easier to hand off a gpresult export for external auditors.
jgstew -
The trick is that it is much harder to write relevance for the examples you bring up, rdshift, but even then there are possibilities; using Local GPO for registry settings is by far the easiest option.
JasonWalker -
I did not include the function in my example, but LGPO can also ingest secedit.inf files for things like renaming accounts, password policy, etc. And can apply Audit.csv settings for Advanced Audit Configuration policies. Basically everything that you can configure in the Local Group Policy management console.
rdshift -
It seems like this text-based approach only works with registry-friendly entries. You'd have to use registry.pol files or another approach (wmic, net, etc.) for policies with no registry entry, such as renaming administrator or guest, or for setting password lockout policies.
jgstew -
FYI, the unconfigured maximum appears to be 20480 KB on Windows 10, so this effectively quadruples the max size.