Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Puppet Camp East, Converting Group Policy settings to Puppet manifests, Shane Smith, athenahealth


Published on

The three main categories of Windows Group Policy setting (Registry, Audit and Security Extensions). How we approached the need to be able to apply NIST configuration settings across machines consistently across our organization to domain joined and no-domain joined servers.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Puppet Camp East, Converting Group Policy settings to Puppet manifests, Shane Smith, athenahealth

  1. 1. Transferring System Setting Management from Group Policy to Puppet Shane Smith Site Reliability Engineer Athenahealth
  2. 2. Why Did We Move From Group Policy to Puppet  Consistently applied inside or outside a domain  Support Infrastructure As Code  Improved monitoring and alerting
  3. 3. Group Policy Computer Policy Components  GPO: A unique instance of a Group Policy Template referenced in Active Directory. This is the object that can be linked using a shortcut pointer to Sites, Domains or Organizational Units in AD  GPT: The standard structure for a Group Policy Object. This is the folder named after the Globally Unique ID (GUID) value of the Group Policy Object. So for the purpose of migrating group policy settings into Puppet:  GPO links determines what systems get the profile  GPT defines what settings are in the profile
  4. 4. Group Policy Computer Setting Key Files  Registry.pol: File stores non-security related registry settings defined in a Group Policy. The formatting used to store this does not use a standard encoding format. This is based on legacy Window NT formatting. This file is located under a GPT in <Group Policy GUID>Machine. Tools exist to convert this into a standard readable format; such as:  GptTmpl.inf: stores Computer policy contains settings that are designated as Security- specific settings. These can be registry settings, Services, Log configurations, etc. This file is located under a GPT in <Group Policy GUID>Machinemicrosoftwindows ntSecEdit. This file is a readable inf file.  Registry.xml: stores audit settings preferences that should be applied using a group policy. The file is found in <Group Policy GUID>MachinePreferencesRegistry. This file is a standard XML file.  Audit.csv stores audit settings that have been defined to apply using a group policy. The file is found in <Group Policy GUID>Machinemicrosoftwindows ntAudit. This file is a readable csv file.
  5. 5. How We Approached the Migration of Group Policy  Key goal: Move our National Institute of Standards and Technology (NIST) settings to Puppet and report any issues applying settings  We wanted to be able to phase the settings migration to Puppet and revert to Group Policy quickly if needed  Reviewed tools/projects that were out there out there and decided that it would be best to write our own code
  6. 6. WinPuppetTools Module Overview  Code that we wrote as part of our internal Puppet Module for automating and simplifying operational tasks  This code is publicly available on GitHub:  WinPuppetToools currently supports migrating computer registry policy and preference settings, as well as audit settings, into a puppet manifest  It is a work in-progress and we will add more functionality and will update this code as time permits  Built using code from an old version of GPRegistryPolicy PowerShell code for processing and converting registry.pol data into readable content
  7. 7. WinPuppetTools Requirements  This module currently has one public function Convert-GpoToPuppetManifest that converts registry settings and audit settings from a Group Policy to a Puppet manifest.  Requires PowerShell 5  The outputted manifest will require the registry and auditpol module code implemented in your environment. These can be found on Puppet Forge.  
  8. 8. WinPuppetTools Workflow Overview  Process admx and adml files to link administrative template settings with the appropriate description in the language files and add to normalized array of GPAdminTemplateRecord entries  Read in policy definition spreadsheet data for settings and descriptions  Find and read through the .pol and .xml and registry settings in the policy path provided and add to normalized array of registry settings  Process the GptTmpl.inf registry settings and add to normalized array of registry settings. Note: There are many more categories that can be contained here that are not processed by this code such as service startup, folder permissions, event log configuration, etc.  Create the manifest and convert the normalized settings into puppet formatted manifest entries for registry settings  Process and convert the policy audit settings; if audit parameters are passed  Complete the writing of the manifest file and exit the code
  9. 9. Convert-GpoToPuppetManifest Parameters  GPOFolderPath: Path to the GPO folder to be processed. (Required)  PolicyDefinitionsRepository: Path to the domains Policy Definitions folder; usually <d omain DNS name>SYSVOLcontoso.comPoliciesPolicyDefinitions. (Required)  ProfileName: This is the friendly name of the policy used in creating the output folder. (Required)  policyPathDictionary: Path to the copy of the Microsoft Excel spreadsheet PolicySettin gsDescriptions.csv.(Required)  IncludeAuditSettings: Switch to indicate that audit settings should be converted along with the registry settings. (Optional)  AuditSettingsFilePath: Path to the audit.csv file that contains the settings that should be converted. (Optional)
  10. 10. Convert-GpoToPuppetManifest Example
  11. 11. Convert-GpoToPuppetManifest Enumerating Settings and Descriptions
  12. 12. Convert-GpoToPuppetManifest Complete
  13. 13. Convert-GpoToPuppetManifest Manifest
  14. 14. Questions