LGPOv3.0 Example - Set Security Event Log Max Size to 80 MB via Local Group Policy


Versioning - This is the latest version.

1. LGPOv2.2 Example - Set Security Event Log Max Size to 80 MB via Local Group Policy (8/17/2017 2:27:09 PM)
2. LGPOv3.0 Example - Set Security Event Log Max Size to 80 MB via Local Group Policy (5/23/2022 10:54:40 AM)

Description

LGPO v3.0 is described at https://www.microsoft.com/en-us/download/details.aspx?id=55319. The utility allows for scripted configuration of Local Group Policy (Computer, User, and MLGPO contexts).

LGPO can configure Registry policies, apply Secedit templates, and configure Advanced Audit Policies. Existing policy settings can be exported to, or imported from, text.

This example fixlet demonstrates the use of LGPO by configuring the Security Event Log maximum size to 80 MB (the MaxSize policy value is stored in KB, so 80 MB is written as 81920).

The LGPO zip file includes a PDF explaining its use.


Property Details

ID: 26933
Status: Beta - Preliminary testing ready for more
Title: LGPOv3.0 Example - Set Security Event Log Max Size to 80 MB via Local Group Policy
Domain: BESC
Category: LGPO Template Policy
Source: Internal
Source Release Date: 8/17/2017 12:00:00 AM
Keywords: Local Group Policy, LGPO, Security, MLGPO, Secedit
Added by on 5/23/2022 10:54:40 AM
Last Modified by on 5/23/2022 10:54:40 AM
Counters: 313 Views / 1 Download

Relevance

1. isWindows (Relevance 1172)
   Used in 1146 fixlets and 539 analyses. Results in a true/false.
2. windows of operating system
   Used in 29 fixlets and 15 analyses. Results in a true/false.
3. if exists property "in proxy agent context" then not in proxy agent context else true
   Used in 2 fixlets. Results in a true/false.
4. /* Apply to Windows 7 or higher only */ version of operating system >= version "6.1"
   Used in 2 fixlets. Results in a true/false.
5. /* Sample check to set Security Event Log maximum size to 80 MB */ not exists keys "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Eventlog\Security" whose (value "MaxSize" of it as integer = 81920) of native registry

Actions

Action 1 (default)

Script Type: BigFix Action Script
// To use this template, update or remove the following blocks and replace the Relevance

// Enter your action script here

begin prefetch block

// Download LGPO v3.0 from Microsoft; the size and hashes pin the exact archive this fixlet was tested with
add prefetch item name=LGPO.zip sha1=4578a97946102a20505d1e8f09abedd1fd7a8d89 size=531635 url=https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip sha256=cb7159d134a0a1e7b1ed2ada9a3ce8ce8f4de391d14403d55438af824247cc55

// Download UnZip utility
add prefetch item name=unzip.exe sha1=84debf12767785cd9b43811022407de7413beb6f size=204800 url=http://software.bigfix.com/download/redist/unzip-6.0.exe sha256=2122557d350fd1c59fb0ef32125330bde673e9331eb9371b454c2ad2d82091ac

collect prefetch items
end prefetch block

// Add LGPO.zip to the client utility cache
utility __Download\LGPO.zip

// Add unzip.exe to the client utility cache
utility __Download\unzip.exe

// Extract the archive in place; LGPO v3.0 unpacks into the LGPO_30 subfolder
waithidden __Download\unzip.exe -o "{pathname of client folder of current site}\__Download\LGPO.zip" -d "{pathname of client folder of current site}\__Download"

// Disable WOW64 redirection so the action runs against the native 64-bit system view
action uses wow64 redirection false

// Build the LGPO text policy file: one record per value (scope, key under the hive, value name, TYPE:data)
delete __createfile
createfile until EOF_EOF_EOF
; ----------------------------------------------------------------------
; PARSING COMPUTER POLICY
; Source file: \temp\Registry.pol

Computer
Software\Policies\Microsoft\Windows\Eventlog\Security
MaxSize
DWORD:81920

; PARSING COMPLETED.
; ----------------------------------------------------------------------

EOF_EOF_EOF

delete regpol.txt
move __createfile regpol.txt

// /t imports the text policy file into Local Group Policy
waithidden __Download\LGPO_30\LGPO.exe /t regpol.txt
// Stop the action (and report failure) if LGPO.exe returned a non-zero exit code
continue if {exit code of action = 0}
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
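The createfile block above shows the text layout LGPO.exe imports with /t, and the comment thread below notes that a record starting with "User" instead of "Computer" targets HKCU. The following Python is an added example for this page, not part of the fixlet or of Microsoft's LGPO tooling: it builds that four-line-per-record text from a small set of entries (validating scope, value type and DWORD range before anything is written), maps each record to the full registry key a Relevance check would inspect, and parses the text back so a generated file can be verified before a fixlet pushes it. It assumes the record layout used above (scope, key under the hive, value name, TYPE:data, blank-line separated, ';' comment lines), handles only DWORD and SZ values plus a DELETE directive (assumed to be accepted by LGPO as its PDF describes), and the function names and the User-scope QuietHours entry in the usage are constructed for the example (the QuietHours path is taken from the comment thread below).

```python
"""Builder and parser for the text format LGPO.exe consumes via "/t".

Added example for this fixlet page; not part of the fixlet or of Microsoft's
LGPO tooling. Assumed layout (matching the createfile block in the action
script): records separated by blank lines, each four lines long
(scope, registry key under the hive, value name, TYPE:data), ';' = comment.
Only DWORD and SZ values and the DELETE directive are handled here.
"""
from dataclasses import dataclass
from typing import List, Optional, Union

# LGPO scope keyword -> registry hive the policy lands in
HIVE = {"Computer": "HKEY_LOCAL_MACHINE", "User": "HKEY_CURRENT_USER"}


@dataclass(frozen=True)
class PolicyEntry:
    scope: str                            # "Computer" or "User"
    key: str                              # path below the hive, backslash separated
    name: str                             # value name
    vtype: str                            # "DWORD", "SZ" or "DELETE"
    data: Union[int, str, None] = None    # int for DWORD, str for SZ, None for DELETE

    def registry_path(self) -> str:
        """Full registry key, as a Relevance or PowerShell check would read it."""
        return HIVE[self.scope] + "\\" + self.key


def mb_to_lgpo_kb(megabytes: int) -> int:
    """The Eventlog MaxSize policy value is stored in KB, so 80 MB becomes 81920."""
    return megabytes * 1024


def _data_line(e: PolicyEntry) -> str:
    """Render the TYPE:data line, rejecting values LGPO could not store."""
    if e.vtype == "DWORD":
        if not isinstance(e.data, int) or not 0 <= e.data <= 0xFFFFFFFF:
            raise ValueError(f"DWORD out of range for {e.name}: {e.data!r}")
        return f"DWORD:{e.data}"
    if e.vtype == "SZ":
        if not isinstance(e.data, str) or "\n" in e.data:
            raise ValueError(f"SZ must be a single-line string for {e.name}")
        return f"SZ:{e.data}"
    if e.vtype == "DELETE":               # assumed directive, see lead-in
        return "DELETE"
    raise ValueError(f"unsupported value type {e.vtype!r}")


def render(entries: List[PolicyEntry], comment: Optional[str] = None) -> str:
    """Emit LGPO text; every entry is validated before it is written."""
    out: List[str] = []
    if comment:
        out += [f"; {comment}", ""]
    for e in entries:
        if e.scope not in HIVE:
            raise ValueError(f"scope must be one of {sorted(HIVE)}: {e.scope!r}")
        if not e.key or e.key.startswith("\\") or not e.name:
            raise ValueError(f"bad key/name in entry {e}")
        out += [e.scope, e.key, e.name, _data_line(e), ""]
    return "\n".join(out)


def parse(text: str) -> List[PolicyEntry]:
    """Parse LGPO text back into entries, rejecting malformed records."""
    entries: List[PolicyEntry] = []
    record: List[str] = []
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last record
        line = raw.strip()
        if line.startswith(";"):
            continue
        if line:
            record.append(line)
            continue
        if not record:
            continue
        if len(record) != 4:
            raise ValueError(f"record must have 4 lines, got {record}")
        scope, key, name, typed = record
        record = []
        if scope not in HIVE:
            raise ValueError(f"unknown scope {scope!r}")
        vtype, _, data = typed.partition(":")
        if vtype == "DWORD":
            if not data.isdigit():
                raise ValueError(f"non-numeric DWORD for {name}: {data!r}")
            entries.append(PolicyEntry(scope, key, name, "DWORD", int(data)))
        elif vtype == "SZ":
            entries.append(PolicyEntry(scope, key, name, "SZ", data))
        elif vtype == "DELETE" and not data:
            entries.append(PolicyEntry(scope, key, name, "DELETE"))
        else:
            raise ValueError(f"unsupported data line {typed!r}")
    return entries


def is_valid(text: str) -> bool:
    """True when the text parses cleanly; useful as a pre-deployment gate."""
    try:
        parse(text)
        return True
    except ValueError:
        return False


# The fixlet's own setting: Security log maximum size of 80 MB (81920 KB)
SECURITY_LOG_MAXSIZE = PolicyEntry(
    "Computer", r"Software\Policies\Microsoft\Windows\Eventlog\Security",
    "MaxSize", "DWORD", mb_to_lgpo_kb(80))

if __name__ == "__main__":
    # Constructed User-scope entry; the path is the one from the comment thread
    quiet_hours = PolicyEntry(
        "User", r"Software\Policies\Microsoft\Windows\CurrentVersion\QuietHours",
        "Enable", "DWORD", 1)
    text = render([SECURITY_LOG_MAXSIZE, quiet_hours], comment="PARSING COMPUTER POLICY")
    print(text)
    for entry in parse(text):
        print(entry.registry_path(), entry.name, entry.vtype, entry.data)
```

Running the block prints the same Computer/MaxSize record the fixlet writes into regpol.txt, followed by a User-scope record; a defender can diff render() output against a createfile block, or run parse() over an exported LGPO text file to confirm which hive and key each setting actually lands in before approving the action.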

Action 2

Script Type: URL
https://bigfix.me/cdb/fixlet/24619


Comments

jgstew -
To write to HKCU, you use "User" instead of "Computer" in the above. Generally I set things in Group Policy Editor, export to registry.pol using the LGPO utility, then parse that into LGPO text, then use that in a fixlet.
lxuuym1 -
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\QuietHours]
"Enable"=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications]
"NoToastApplicationNotification"=dword:00000000
I want to install these two reg values using lgpo.exe /t lgpo.txt. Your script puts them in the HKLM key. How to do it for the current user or all users?
JasonWalker -
If you are licensed for Compliance, the CIS / USGCB content has good examples for Relevance checks for the more difficult items like password policy. Then I use LGPO to apply changes rather than Bigfix's default regedit / secedit commands, mostly to make it easier to hand off a gpresult export for external auditors.
jgstew -
The trick is that it is much harder to write relevance for the examples you bring up, rdshift, but even then there are possibilities; using Local GPO for registry settings is by far the easiest option.
JasonWalker -
I did not include the function in my example, but LGPO can also ingest secedit.inf files for things like renaming accounts, password policy, etc. And can apply Audit.csv settings for Advanced Audit Configuration policies. Basically everything that you can configure in the Local Group Policy management console.
rdshift -
It seems like this text-based approach only works with registry-friendly entries. You'd have to use registry.pol files or another approach (wmic, net, etc.) for policies with no registry entry, such as renaming administrator or guest, or for setting password lockout policies.
jgstew -
FYI, the unconfigured maximum appears to be 20480 KB on Windows 10, so this effectively quadruples the max size.