New Policy Cmdlets for Nano Server
We have just released another set of new cmdlets intended for use on Nano Server for managing local policy. Although Nano Server doesn’t support Group Policy, it does support local policy. Previously, we released Security cmdlets to deal with .INF and .CSV files. Today, we released the GPRegistryPolicy cmdlets which will deal with .POL files containing registry policy settings.
.POL files can be generated from GPO Backups, or they can be generated with
Export-GPRegistryPolicy. POL files will have either Local Machine or Local User registry keys, which must be specified to the
Export-GPRegistryPolicy cmdlets. For Nano Server, all relevant settings will be Local Machine only.
Now that you can import and export .POL, .INF, and .CSV files to Nano Server, you can start applying security baselines to Nano Server.
If you want to use the Security Baselines for Windows Server, you can download baselines in GPO format here: http://blogs.technet.com/b/secguide/archive/2016/01/22/security-baseline-for-windows-10-v1511-quot-threshold-2-quot-final.aspx
After extracting the attached .zip onto the Windows Server you wish to manage, there will be several GPOs in the “GPOs” folder. From the GPO you wish to import, go to: DomainSysvol\GPO\Machine
If there are .POL files in the root of this folder, you can remotely invoke the following to import the registry values in that .POL file into the registry of the server
Import-Module GpRegistryPolicy #replace this string with the path to the .pol file $GpoPol = "c:\GPO\domainSysvol\GPO\Machine\registry.pol" Import-GPRegistryPolicy -Path $GpoPol -LocalMachine
If there are advanced audit or security template files in this folder, they will be in: DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv or DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf respectively.
You can remotely invoke the following to import both advanced audit and security template settings to the server:
Import-Module SecurityCmdlets #replace this string with the path to the .INF file $SecInf = "c:\GPO\DomainSysvol\GPO\\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" $AuditCsv = "c:\GPO\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv" Restore-SecurityPolicy -Path $secInf Restore-AuditPolicy -Path $auditCsv
Update 5/31/2016: We updated the blog title and first paragraph to clarify that Group Policy is not supported on Nano Server. These new cmdlets are used for managing local policy.