MSS Group Policy Settings

As per the new RMF directive, we are to follow the DISA STIG benchmarks for Windows 7 and Windows Server 2012 R2. Although we still have months to go, I have started looking at implementing the security controls, and the “MSS” Group Policy settings are missing.

The “MSS” Group Policy settings are not and never have been included with a default, out-of-the-box installation of Active Directory. They were an add-on developed by a consulting group out in the field, and the settings were deemed so useful that they were included with the “Solution Accelerator” known as Security Compliance Manager. (It’s been known under various similar names previously, such as “Windows 7 Security Compliance Management Toolkit.”)
The problem is, the Security Compliance Manager comes with a whole bunch of junk that you do not want, such as a SQL Express instance, junk that you really do not want to install on a domain controller. You only want to extract from it the one piece that you need, which is the “LocalGPO.msi” package.

Download the Security Compliance Manager installer and run it on your server. Run the .exe, but do not continue with the installation. The installer deflates some files into a temp directory on the hard drive, such as C:\a1b2c3d4e5f6a0b1c2 or D:\a1b2c3d4e5f6a0b1c2. In that directory you will find a data.cab file. Open that file, extract the file named GPOMSI, and rename that file to LocalGPO.msi. Now cancel the SCM installer and it will delete the temp files.

Windows 7 and Windows Server 2012 R2
 
Install LocalGPO.msi on your server. Then launch the new “LocalGPO Command-line” shortcut that you will find on your Start Screen, running it as Administrator. Type cscript LocalGPO.wsf /ConfigSCE.
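The extraction and registration steps above, as an added PowerShell example (not from the original post). It assumes the SCM installer has been launched and left sitting at its first dialog so that its temp folder still exists, searches the C: and D: roots named above for data.cab, pulls out only the GPOMSI member with the built-in expand.exe, and checks the Authenticode signature on the resulting MSI before anything is installed on a domain controller. The default LocalGPO install directory under Program Files (x86) and the -InstallAndRegister switch are my assumptions, not something the post states.

```powershell
# Added example, not part of the original post. Run as Administrator while the
# SCM installer is still open at its first dialog; the temp folder (and
# data.cab) is deleted as soon as the installer is cancelled.
param(
    [string[]]$SearchRoots = @('C:\', 'D:\'),                                  # drives named in the post
    [string]$OutDir        = (Join-Path $env:USERPROFILE 'Desktop'),
    [string]$LocalGpoDir   = (Join-Path ${env:ProgramFiles(x86)} 'LocalGPO'),  # assumption: default install dir
    [switch]$InstallAndRegister                                                 # assumption: opt-in to install + /ConfigSCE
)

function Find-ScmDataCab {
    # The installer's temp folder has a random hex name one level below the
    # drive root, so look for a data.cab in each top-level directory.
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.FullName 'data.cab' } |
            Where-Object  { Test-Path $_ } |
            ForEach-Object { Get-Item $_ }
    }
}

$cab = Find-ScmDataCab | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $cab) {
    throw 'data.cab not found. Launch the SCM installer, leave it open, and re-run this script.'
}
Write-Host "Using $($cab.FullName)"

# Extract only the GPOMSI member; expand.exe ships with Windows.
& expand.exe $cab.FullName -F:GPOMSI $OutDir | Out-Null
$extracted = Join-Path $OutDir 'GPOMSI'
if (-not (Test-Path $extracted)) { throw "expand.exe did not produce $extracted" }

$msi = Join-Path $OutDir 'LocalGPO.msi'
Move-Item -Path $extracted -Destination $msi -Force

# Verify the MSI is signed before it goes anywhere near a domain controller.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    throw "LocalGPO.msi signature status is '$($sig.Status)'; refusing to install."
}
Write-Host "Extracted $msi, signed by $($sig.SignerCertificate.Subject)"

if ($InstallAndRegister) {
    # Silent install, then the same registration command the post gives.
    Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$msi`" /qn" -Wait
    $wsf = Join-Path $LocalGpoDir 'LocalGPO.wsf'
    if (-not (Test-Path $wsf)) { throw "LocalGPO.wsf not found at $wsf; pass -LocalGpoDir." }
    Push-Location $LocalGpoDir
    try   { & cscript.exe //nologo LocalGPO.wsf /ConfigSCE }
    finally { Pop-Location }
}
```

Without -InstallAndRegister the script only produces the signed LocalGPO.msi on the desktop, which lets you stage the package on a member server first and copy it to the domain controller afterwards.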

Windows Server 2012 R2

The version that is hosted on this Microsoft blog written by Aaron Margosis contains a download link to a version of the MSS Extension that works for me with 2012 R2 with no ‘hacking’ required. That link points to a zip file. Inside the zip file, you will see a directory named ‘Local_Script’. Inside that folder, you will find a subfolder named ‘MSS_Extension’. Simply transfer that MSS_Extension directory to your 2012 R2 domain controller. Then open a command prompt, browse to that directory, and run:
Cscript LocalGPO.wsf /ConfigSCE
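Whichever route you take (LocalGPO.msi on Windows 7 / 2012 R2, or the MSS_Extension folder on 2012 R2), /ConfigSCE works by registering extra entries under the Security Configuration Editor's "Reg Values" key so that the MSS settings show up in Group Policy. The following added PowerShell check (not from the original post) lists every MSS entry that has been registered there and reads the current value of the underlying registry setting, which is what you will be comparing against the STIG. The key path and the DisplayName property name are what I know from SCE; treat them as assumptions if your build differs.

```powershell
# Added example, not part of the original post. Run after /ConfigSCE to confirm
# the MSS entries are registered and to see what each setting is currently set to.
$sceRegValues = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values'  # assumption: SCE extension key

function Get-MssSceEntries {
    if (-not (Test-Path $sceRegValues)) {
        throw "SCE 'Reg Values' key not found at $sceRegValues"
    }
    Get-ChildItem -Path $sceRegValues | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # MSS entries are the ones whose display name begins with "MSS:".
        if ($props.DisplayName -like 'MSS:*') {
            # Subkey names are SCE-style paths, e.g.
            # MACHINE/System/CurrentControlSet/Services/Tcpip/Parameters/DisableIPSourceRouting
            $parts = $_.PSChildName -split '/'
            if ($parts[0] -ne 'MACHINE' -or $parts.Length -lt 3) { return }
            $valueName = $parts[-1]
            $keyPath   = 'HKLM:\' + ($parts[1..($parts.Length - 2)] -join '\')

            $current = '(not set)'
            if (Test-Path $keyPath) {
                $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
                if ($item) { $current = $item.$valueName }
            }
            [pscustomobject]@{
                DisplayName  = $props.DisplayName
                RegistryKey  = $keyPath
                ValueName    = $valueName
                CurrentValue = $current
            }
        }
    }
}

$entries = Get-MssSceEntries
if (-not $entries) {
    Write-Warning "No MSS entries registered in SCE. Run 'cscript LocalGPO.wsf /ConfigSCE' and re-check."
} else {
    $entries | Sort-Object DisplayName | Format-Table -AutoSize -Wrap
}
```

An empty result after /ConfigSCE usually means the script was run without elevation; a populated table with "(not set)" values simply means the settings are now visible in Group Policy but have not yet been applied, which is the expected state before you deploy the STIG GPO.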