Convert a GPO to PowerShell DSC

This is an introduction to converting the Microsoft Windows Security Baseline GPOs into a DSC configuration. The baselines are Microsoft's recommended settings and provide a security foundation for the operating system.

The version used in this example is Windows 10 1607 & Windows Server 2016.

To apply the Security Baseline to your system an additional local administrator account is required, because applying the baseline disables the built-in local Administrator account.

Software dependencies

  • PowerShell 5.1
  • PowerShell-Modules

Getting Started

  1. Software dependencies

    In order to convert the GPOs into a DSC configuration you need two PowerShell modules:

    • PowerShellAccessControl
    • BaselineManagement module
    1. Download ‘PowerShellAccessControl’ by following this link: https://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83 and copy the downloaded folder into the following path: ‘C:\Program Files\WindowsPowerShell\Modules’

    2. To install the ‘BaselineManagement’ module, run the following command in a PowerShell session with administrator privileges:

      Install-Module BaselineManagement
      

      Prompts you may see in PowerShell:

      NuGet provider is required to continue
      PowerShellGet requires NuGet provider version ‘2.8.5.201’ or newer to interact with NuGet-based repositories. The NuGet provider must be available in ‘C:\Program Files\PackageManagement\ProviderAssemblies’ or ‘C:\Users\$env:UserName\AppData\Local\PackageManagement\ProviderAssemblies’. You can also install the NuGet provider by running ‘Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force’. Do you want PowerShellGet to install and import the NuGet provider now? [Y] Yes [N] No [S] Suspend [?] Help (default is “Y”):

      Press “Y” and move on.


      Untrusted repository
      You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from ‘PSGallery’? [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “N”):

      Press “A” and move on.

  2. Creating the DSC configuration

    1. Follow the link: https://www.microsoft.com/en-us/download/details.aspx?id=55319 to select the appropriate operating system / version. In this example we choose ‘Windows 10 Version 1607 and Windows Server 2016 Security Baseline’ and save it to ‘C:\’.

    2. Open PowerShell with administrator privileges, change to ‘C:\’ (the relative path below assumes it), and run the following example:

    ConvertFrom-GPO -Path '.\Windows 10 Version 1607 and Windows Server 2016 Security Baseline\GPOs\' -OutputConfigurationScript


    When it completes you will see a folder in ‘C:\’ named ‘Output’ in which you find two files: ‘DSCFromGPO.ps1’ and ‘localhost.mof’.

    3. To start the DSC configuration type the following command in PowerShell:

    Start-DscConfiguration -Path '.\Output\' -Wait -Verbose


    This command applies the Security Baseline from localhost.mof and prints a per-resource overview in the shell itself.

    4. Troubleshoot on a test machine with the help of the errors marked in red when applying the DSC. Follow the Troubleshoot.md (the Troubleshoot section below).

    5. Run ‘DSCFromGPO.ps1’ in ‘.\Output’ to generate a new .mof file.
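The conversion and apply steps above as one script, added here as an example; it is not part of the original page or of the BaselineManagement project. It adds two checks the steps do not perform: a dry run with Test-DscConfiguration against the generated MOF, and a guard that refuses to apply the baseline until a second enabled local administrator exists (the page notes the built-in account gets disabled). The paths, the Test-FallbackAdmin function and the use of -OutputPath are assumptions made for this example.

```powershell
# Added example (not from the page or the BaselineManagement project): the
# conversion steps as one script, plus two checks the page's steps do not do.
# Paths are assumptions that follow the page's example layout.

function Test-FallbackAdmin {
    # The baseline disables the built-in Administrator account (RID 500).
    # Return $true only if another enabled local user is in Administrators.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
    $fallback = foreach ($m in $members) {
        $u = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
        if ($u -and $u.Enabled -and $u.SID -ne $builtin.SID) { $u.Name }
    }
    return (@($fallback).Count -gt 0)
}

# Assumed locations: the baseline download unpacked in C:\, output next to it.
$baseline = 'C:\Windows 10 Version 1607 and Windows Server 2016 Security Baseline\GPOs'
$outDir   = 'C:\Output'

# Step 2: convert the GPO backups; -OutputConfigurationScript also writes DSCFromGPO.ps1.
ConvertFrom-GPO -Path $baseline -OutputPath $outDir -OutputConfigurationScript
$mof = Join-Path $outDir 'localhost.mof'
if (-not (Test-Path $mof)) { throw "ConvertFrom-GPO produced no MOF in $outDir" }

# Dry run: compare this node against the MOF without changing anything and
# list the resources that would be modified.
$state = Test-DscConfiguration -Path $outDir -Detailed
$state.ResourcesNotInDesiredState | Select-Object ResourceId, InDesiredState

# Step 3: apply only when a fallback administrator exists.
if (-not (Test-FallbackAdmin)) {
    throw 'Create and enable a second local administrator before applying the baseline.'
}
Start-DscConfiguration -Path $outDir -Wait -Verbose -Force

# Summary of the run just performed; Status is 'Success' or 'Failure'.
Get-DscConfigurationStatus | Select-Object Status, Type, NumberOfResources, StartDate
```

Run it from an elevated PowerShell 5.1 session on a test machine first, as step 4 advises; the dry-run listing is the quickest way to see which resources the red errors in a later Start-DscConfiguration run belong to.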

Troubleshoot

For clean maintenance we advise fixing and adjusting the file as instructed below and recording each change in a separate file:

  1. Cut all HKCU entries in DSCFromGPO.ps1 that are commented out and paste them into an empty file.
  2. In ‘DSCFromGPO.ps1’ the account policy ‘Account_Lockout_threshold’ needs to be applied before ‘Reset_account_lockout_counter_after’ due to a dependency. Write what you did into another file.
  3. While generating the DSCFromGPO.ps1 script, multiple UserRightsAssignment resources are created, but duplicates are commented out even though some of them carry a different Identity value set.

Make sure that the identities of the following UserRightsAssignment resources are identical to the identities of the corresponding UserRightsAssignment resources in your generated DSCFromGPO.ps1 script. Don’t forget to record these changes in a new file as well.

UserRightsAssignment 'UserRightsAssignment(INF): Allow_log_on_locally'
{
    Policy = 'Allow_log_on_locally'
    # Force = $True replaces whatever identities currently hold the right
    Force = $True
    # S-1-5-32-544 = Administrators, S-1-5-32-545 = Users
    Identity = @('*S-1-5-32-544','S-1-5-32-545')
}
UserRightsAssignment 'UserRightsAssignment(INF): Deny_access_to_this_computer_from_the_network'
{
    Policy = 'Deny_access_to_this_computer_from_the_network'
    Force = $True
    # S-1-5-32-546 = Guests, S-1-5-113 = Local account,
    # S-1-5-114 = Local account and member of Administrators group
    Identity = @('*S-1-5-32-546','*S-1-5-113','*S-1-5-114')
}
UserRightsAssignment 'UserRightsAssignment(INF): Enable_computer_and_user_accounts_to_be_trusted_for_delegation'
{
    Policy = 'Enable_computer_and_user_accounts_to_be_trusted_for_delegation'
    Force = $True
    # S-1-5-32-544 = Administrators
    Identity = @('*S-1-5-32-544')
}
UserRightsAssignment 'UserRightsAssignment(INF): Access_this_computer_from_the_network'
{
    Policy = 'Access_this_computer_from_the_network'
    Force = $True
    # S-1-5-9 = Enterprise Domain Controllers, S-1-5-11 = Authenticated Users,
    # S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users
    Identity = @('*S-1-5-9', '*S-1-5-11', '*S-1-5-32-544','*S-1-5-32-555')
}
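The three troubleshooting items above (moving HKCU entries out, checking the lockout-policy order, and spotting commented-out UserRightsAssignment duplicates whose Identity set differs) can be audited mechanically. The script below is an added example, not code from the page or from the BaselineManagement project. It assumes the generated script uses the `Type 'Name' { Key = value }` layout shown in the snippet above, whether a block is live or commented out; the regular expressions, the function names and the embedded sample text are all constructed for this example.

```powershell
# Added example (not from the page or the BaselineManagement project): audit a
# generated DSCFromGPO.ps1 for the issues listed in the Troubleshoot section.
# Assumption: resources look like  Type 'Name' { Key = value ... }  as in the
# page's snippet; commented-out copies (<# #> or leading #) are parsed too.

function Get-DscResourceBlock {
    # Return every "<Type> '<Name>' { ... }" block with its Policy and Identity set.
    param([Parameter(Mandatory)][string]$Text, [string]$Type = '[A-Za-z]+')
    $pattern = "(?<Type>$Type)\s+'(?<Name>[^']+)'\s*\{(?<Body>[^}]*)\}"
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $body   = $m.Groups['Body'].Value
        $policy = [regex]::Match($body, "Policy\s*=\s*'([^']+)'").Groups[1].Value
        $idRaw  = [regex]::Match($body, 'Identity\s*=\s*@\(([^)]*)\)').Groups[1].Value
        # Normalise identities: strip quotes and the secedit-style '*' prefix.
        $ids = @($idRaw -split ',' |
            ForEach-Object { $_.Trim().Trim("'", '"').TrimStart('*') } |
            Where-Object { $_ })
        [pscustomobject]@{
            Type     = $m.Groups['Type'].Value
            Name     = $m.Groups['Name'].Value
            Policy   = $policy
            Identity = @($ids | Sort-Object)
            Text     = $m.Value
        }
    }
}

function Find-UserRightsConflict {
    # Policies that appear more than once with differing Identity sets (item 3).
    param([Parameter(Mandatory)][string]$Text)
    Get-DscResourceBlock -Text $Text -Type 'UserRightsAssignment' |
        Group-Object Policy |
        ForEach-Object {
            $variants = @($_.Group | ForEach-Object { $_.Identity -join ',' } | Sort-Object -Unique)
            if ($variants.Count -gt 1) {
                [pscustomobject]@{ Policy = $_.Name; Variants = $variants }
            }
        }
}

function Test-AccountPolicyOrder {
    # $true when Account_lockout_threshold is declared before
    # Reset_account_lockout_counter_after (item 2).
    param([Parameter(Mandatory)][string]$Text)
    $ic        = [StringComparison]::OrdinalIgnoreCase
    $threshold = $Text.IndexOf('Account_lockout_threshold', $ic)
    $reset     = $Text.IndexOf('Reset_account_lockout_counter_after', $ic)
    return ($threshold -ge 0 -and $reset -ge 0 -and $threshold -lt $reset)
}

function Export-HkcuBlock {
    # Write every Registry block that targets HKCU to its own file (item 1)
    # and return how many blocks were written.
    param([Parameter(Mandatory)][string]$Text, [Parameter(Mandatory)][string]$OutFile)
    $blocks = @(Get-DscResourceBlock -Text $Text -Type 'Registry' | Where-Object { $_.Name -match 'HKCU' })
    ($blocks | ForEach-Object { $_.Text }) -join "`r`n`r`n" | Set-Content -Path $OutFile -Encoding UTF8
    return $blocks.Count
}

# Constructed sample mimicking a generated script: one commented HKCU entry,
# two copies of Allow_log_on_locally with different identities, and the two
# lockout policies in the wrong order.
$sample = @'
<#
Registry 'Registry(POL): HKCU:\Software\Policies\Example'
{
    Key = 'HKCU:\Software\Policies\Example'
    ValueName = 'Setting'
}
#>
UserRightsAssignment 'UserRightsAssignment(INF): Allow_log_on_locally'
{
    Policy = 'Allow_log_on_locally'
    Force = $True
    Identity = @('*S-1-5-32-544','S-1-5-32-545')
}
# UserRightsAssignment 'UserRightsAssignment(INF): Allow_log_on_locally'
# {
#     Policy = 'Allow_log_on_locally'
#     Force = $True
#     Identity = @('*S-1-5-32-544')
# }
AccountPolicy 'SecuritySetting(INF): Reset_account_lockout_counter_after' { Name = 'Reset_account_lockout_counter_after' }
AccountPolicy 'SecuritySetting(INF): Account_lockout_threshold' { Name = 'Account_lockout_threshold' }
'@

$moved = Export-HkcuBlock -Text $sample -OutFile (Join-Path $env:TEMP 'HKCU-Entries.ps1')
"HKCU blocks moved: $moved"
Find-UserRightsConflict -Text $sample | Format-List
"Lockout policies in required order: $(Test-AccountPolicyOrder -Text $sample)"
# Against the real file:  $text = Get-Content .\Output\DSCFromGPO.ps1 -Raw
```

For a real run, replace `$sample` with the contents of `.\Output\DSCFromGPO.ps1` read with `-Raw`. When you reorder the two lockout policies, adding a `DependsOn` property to the Reset_account_lockout_counter_after resource makes the ordering explicit in DSC rather than relying on textual position.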