Convert a GPO to PowerShell DSC

This is an introduction to converting the Microsoft Windows Baseline GPOs into a DSC configuration. The Baselines are settings recommended by Microsoft and provide a basic set of security settings for the operating system.

The version for this example is Windows 10 1607 & Windows Server 2016.

Before applying the Security Baseline to your system, create an additional local administrator account, because the Baseline disables the built-in local administrator account.

Software Dependencies

  • PowerShell 5.1
  • PowerShell-Modules

Getting Started

  1. Software dependencies

    In order to convert the GPOs into a DSC configuration you need two PowerShell modules:

    • PowerShellAccessControl
    • BaselineManagement
    1. Download PowerShellAccessControl and copy the downloaded folder into the following path: C:\Program Files\WindowsPowerShell\Modules

    2. To install the ‘BaselineManagement’ module, run the following command in a PowerShell session with administrator privileges:

      Install-Module BaselineManagement

      Possible notifications in PowerShell:

      NuGet provider is required to continue PowerShellGet requires NuGet provider version ‘2.8.5.201’ or newer to interact with NuGet-based repositories. The NuGet provider must be available in ‘C:\Program Files\PackageManagement\ProviderAssemblies’ or ‘C:\Users\$env:UserName\AppData\Local\PackageManagement\ProviderAssemblies’. You can also install the NuGet provider by running ‘Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force’. Do you want PowerShellGet to install and import the NuGet provider now? [Y] Yes [N] No [S] Suspend [?] Help (default is “Y”):

      Press “Y” and move on.


      Untrusted repository You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from ‘PSGallery’? [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “N”):

      Press “A” and move on.

  2. Creating the DSC configuration

    1. Follow this link to select the appropriate operating system / version. In this example we choose ‘Windows 10 Version 1607 and Windows Server 2016 Security Baseline’ and save it in the path ‘C:\’.

    2. Open PowerShell with administrator privileges and run the following command:

    ConvertFrom-GPO -Path '.\Windows 10 Version 1607 and Windows Server 2016 Security Baseline\GPOs\' -OutputConfigurationScript

    When the command has completed you will find a folder named ‘Output’ in ‘C:\’ containing two files: ‘DSCFromGPO.ps1’ and ‘localhost.mof’.

    3. To apply the DSC configuration, run the following command in PowerShell:
    Start-DSCConfiguration -Path '.\Output\' -Wait -Verbose

    This command applies the Security Baseline from localhost.mof. Because of the -Wait and -Verbose switches, the progress and result of every resource are printed in the shell itself.

    4. Apply the configuration to a test machine first and troubleshoot the results with the help of the errors (marked in red) that appear while the DSC is applied.

    5. After correcting the script, run ‘DSCFromGPO.ps1’ in ‘.\Output’ to generate a new .mof file.

Troubleshoot

For clean maintenance we advise fixing and adjusting the file as described below and collecting the open tasks in separate files:

  1. Cut all commented-out HKCU entries from DSCFromGPO.ps1 and paste them into an empty file.
  2. In ‘DSCFromGPO.ps1’ the Account Policy ‘Account_Lockout_threshold’ needs to be applied before ‘Reset_account_lockout_counter_after’ because of a dependency between the two. Document this in another file.
  3. When the DSCFromGPO.ps1 script is generated, multiple UserRightsAssignment resources are created; duplicates are commented out, even though some of them have a different Identity value set.

Make sure that the identities of the following UserRightsAssignment resources are identical to the identities of the same UserRightsAssignment resources in your generated DSCFromGPO.ps1 script. Don’t forget to keep track of your changes in a new file.

# Allow log on locally: Administrators (S-1-5-32-544) and Users (S-1-5-32-545)
UserRightsAssignment 'UserRightsAssignment(INF): Allow_log_on_locally'
{
    Policy = 'Allow_log_on_locally'
    Force = $True
    Identity = @('*S-1-5-32-544','S-1-5-32-545')
}
# Deny network access: Guests (S-1-5-32-546), Local account (S-1-5-113),
# Local account and member of Administrators group (S-1-5-114)
UserRightsAssignment 'UserRightsAssignment(INF): Deny_access_to_this_computer_from_the_network'
{
    Policy = 'Deny_access_to_this_computer_from_the_network'
    Force = $True
    Identity = @('*S-1-5-32-546','*S-1-5-113','*S-1-5-114')
}
# Trusted for delegation: Administrators only
UserRightsAssignment 'UserRightsAssignment(INF): Enable_computer_and_user_accounts_to_be_trusted_for_delegation'
{
    Policy = 'Enable_computer_and_user_accounts_to_be_trusted_for_delegation'
    Force = $True
    Identity = @('*S-1-5-32-544')
}
# Network access: Enterprise Domain Controllers (S-1-5-9), Authenticated Users (S-1-5-11),
# Administrators (S-1-5-32-544), Remote Desktop Users (S-1-5-32-555)
UserRightsAssignment 'UserRightsAssignment(INF): Access_this_computer_from_the_network'
{
    Policy = 'Access_this_computer_from_the_network'
    Force = $True
    Identity = @('*S-1-5-9', '*S-1-5-11', '*S-1-5-32-544','*S-1-5-32-555')
}

Once you have located and corrected all errors as described above, you can compile your Security Baseline as a MOF and use it on existing nodes. Alternatively, upload the ps1 file to XOAP and use it inside the config.XO module.
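To confirm that the four user rights above actually ended up on the node after Start-DSCConfiguration, the following added check (not part of this guide or of the BaselineManagement module) exports the effective user-rights assignments with secedit and compares them with the identities listed above. It assumes an elevated PowerShell session and writes the expected SIDs in the *SID form that secedit uses; the mapping from the DSC policy names to the secedit constants (SeInteractiveLogonRight and so on) is the standard one.

```powershell
# Expected identities per user right, taken from the UserRightsAssignment resources above.
# Keys are the constants secedit writes in its [Privilege Rights] section.
$expected = @{
    'SeInteractiveLogonRight'     = @('*S-1-5-32-544', '*S-1-5-32-545')                       # Allow_log_on_locally
    'SeDenyNetworkLogonRight'     = @('*S-1-5-32-546', '*S-1-5-113', '*S-1-5-114')            # Deny_access_to_this_computer_from_the_network
    'SeEnableDelegationPrivilege' = @('*S-1-5-32-544')                                        # Enable_computer_and_user_accounts_to_be_trusted_for_delegation
    'SeNetworkLogonRight'         = @('*S-1-5-9', '*S-1-5-11', '*S-1-5-32-544', '*S-1-5-32-555') # Access_this_computer_from_the_network
}

# Export only the user-rights area of the local security policy to a temporary INF file.
$inf = Join-Path $env:TEMP 'user-rights-check.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The export is a Unicode INF with lines such as "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545".
$actual = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $actual[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() })
    }
}
Remove-Item -Path $inf -Force

# Report, per right, which expected SIDs are missing and which unexpected ones are present.
foreach ($right in $expected.Keys) {
    $have    = if ($actual.ContainsKey($right)) { @($actual[$right]) } else { @() }
    $missing = @($expected[$right] | Where-Object { $have -notcontains $_ })
    $extra   = @($have | Where-Object { $expected[$right] -notcontains $_ })
    if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
        Write-Host ("OK       {0}" -f $right)
    } else {
        Write-Host ("MISMATCH {0}  missing: {1}  unexpected: {2}" -f $right, ($missing -join ','), ($extra -join ','))
    }
}
```

A right that is assigned to nobody does not appear in the export at all, so it is reported with every expected SID missing.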