What is the best way to apply a AD GPO (pol, adm and sec.inf) to an Offline PC?

in a segue to the original question: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23112437.html

I realize now that my efforts may have been misguided.  What would be the best way to implement a new GPO onto a laptop if that said laptop did not have communication with the a AD DC (at least not for a while).

As we do not have direct access to these laptops, we're looking into any options to do this on the CLI.

I have looked into MS's FDCC tool, but am having trouble recompiling it with our hybrid FDCC GPO.
http://blogs.technet.com/fdcc/

any hints or guidance would be much appreciated.

thanks.
LVL 1
BlademonkeyAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

PlaceboC6Commented:
Could try messing with the local group policy.

Start / Run / gpedit.msc

ADM files etc are in C:\windows\system32\group policy

Is a hidden folder.
0
SteveH_UKCommented:
(not to be taken too seriously....)

The best way is to ... connect ... the computer (via a vpn, dial-up or direct connection) and then apply the GPO online.

Not sure another way is actually possible.

(However, registry settings can be applied by exporting the registry key Software\Policies from the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER roots from an equivalent computer and user combination)
0
BlademonkeyAuthor Commented:
unfortunately, we cannot apply the settings interactively, hence the request for a CLI tool.

0
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

SteveGTRCommented:
By CLI you mean command line interface? To be run on the laptops manually? If you have no access to the machines then that will be hard to do.

secedit can be used to apply policies to the laptops.
0
BlademonkeyAuthor Commented:
I can run CLI by compiling scripts that we deploy.  
that's not the hard part for us.  
the script are run by the user (and temporarily elevated to local admin).

thanks for the secedit bit, I have a secedit portion added.

any suggestions for pol files?
0
PlaceboC6Commented:
Set your explorer to show hidden files.

Go to the windows\system32\group policy folder and take a peak......

That's where the local policy is at.
0
BlademonkeyAuthor Commented:
I realize that is where the files are.  

are you saying that i can just copy the new pol and adm files to the laptops under this location and the settings will be "updated?"

0
PlaceboC6Commented:
I have set up a local policy on system A,  then copied that Group Policy folder on top of the local policy on System B and C and it duplicated the settings,  yes.

I intially configured the policy with gpedit.msc so that it modifies the contents of that folder.  Then copied it across the board to "special" systems that needed a local policy.  Of course that applies to everyone that logs in to the machine.

To recover from it,  you can rename the folder and reboot.

Toy with it and see what you get.
0
BlademonkeyAuthor Commented:
do i need to copy the secedit.sdb file as well?
0
PlaceboC6Commented:
I usually copied the entire Group Policy folder.
0
matrixnzCommented:
(No Point Comment)

PlaceboC6 is correct

Use GPEdit.msc on a local system make required changes then copy the C:\Windows\System32\GroupPolicy folder to other machines, the Local Group Policies should take effect straight away, you can run gpupdate /force as well to refresh the policies.

Cheers
0
BlademonkeyAuthor Commented:
I tried this but the settings did not actually take.
0
BlademonkeyAuthor Commented:
I ended up creating a POL to Reg converter on my own.

This solved my problem.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.