The document describes how an organization migrated system settings management from Group Policy to Puppet. It outlines reasons for the move including consistent application on or off domain, treating infrastructure as code, and improved monitoring. It details key Group Policy components and files that store settings. The approach taken was to phase settings migration to Puppet while maintaining ability to revert to Group Policy. A WinPuppetTools module was created to automate the process, taking settings from Group Policy and outputting a Puppet manifest. The module processes various Group Policy files and settings, linking them to descriptions to create normalized data and output a formatted Puppet manifest.
2. Why Did We Move From Group Policy to Puppet
Consistently applied inside or outside a domain
Support Infrastructure As Code
Improved monitoring and alerting
3. Group Policy Computer Policy Components
GPO: A unique instance of a Group Policy Template referenced in Active Directory. This is the object that can be linked, using a shortcut pointer, to Sites, Domains or Organizational Units in AD.
GPT: The standard structure for a Group Policy Object. This is the folder named after the Globally Unique ID (GUID) value of the Group Policy Object.
So for the purpose of migrating group policy settings into Puppet:
GPO links determine which systems get the profile
GPT defines what settings are in the profile
4. Group Policy Computer Setting Key Files
Registry.pol: stores the non-security-related registry settings defined in a Group Policy. The format used to store this does not use a standard encoding; it is based on legacy Windows NT formatting. This file is located under a GPT in <Group Policy GUID>\Machine. Tools exist to convert it into a standard readable format, such as:
https://sdmsoftware.com/389932-gpo-freeware-downloads/registry-pol-viewer-utility/
GptTmpl.inf: stores the Computer policy settings that are designated as security-specific settings. These can be registry settings, Services, Log configurations, etc. This file is located under a GPT in <Group Policy GUID>\Machine\Microsoft\Windows NT\SecEdit. This is a readable .inf file.
Registry.xml: stores audit settings preferences that should be applied using a group policy. The file is found in <Group Policy GUID>\Machine\Preferences\Registry. This is a standard XML file.
Audit.csv: stores audit settings that have been defined to apply using a group policy. The file is found in <Group Policy GUID>\Machine\Microsoft\Windows NT\Audit. This is a readable .csv file.
5. How We Approached the Migration of Group Policy
Key goal: Move our National Institute of Standards and Technology (NIST) settings to Puppet and report any issues applying settings
We wanted to be able to phase the settings migration to Puppet and revert to Group Policy quickly if needed
Reviewed the tools/projects that were out there and decided that it would be best to write our own code
6. WinPuppetTools Module Overview
Code that we wrote as part of our internal Puppet module for automating and simplifying operational tasks
This code is publicly available on GitHub:
https://github.com/ShaneSmith-code/WinPuppetTools
WinPuppetTools currently supports migrating computer registry policy and preference settings, as well as audit settings, into a Puppet manifest
It is a work in progress; we will add more functionality and update this code as time permits
Built using code from an old version of the GPRegistryPolicy PowerShell module for processing and converting registry.pol data into readable content
7. WinPuppetTools Requirements
This module currently has one public function, Convert-GpoToPuppetManifest, which converts registry settings and audit settings from a Group Policy to a Puppet manifest.
Requires PowerShell 5
The output manifest requires the registry and auditpol modules to be implemented in your environment. These can be found on Puppet Forge:
https://forge.puppet.com/puppetlabs/registry
https://forge.puppet.com/fervid/auditpol
8. WinPuppetTools Workflow Overview
Process the .admx and .adml files to link administrative template settings with the appropriate description in the language files, and add them to a normalized array of GPAdminTemplateRecord entries
Read in the policy definition spreadsheet data for settings and descriptions
Find and read through the .pol and .xml registry settings in the policy path provided and add them to a normalized array of registry settings
Process the GptTmpl.inf registry settings and add them to the normalized array of registry settings. Note: GptTmpl.inf can contain many more categories that are not processed by this code, such as service startup, folder permissions, event log configuration, etc.
Create the manifest and convert the normalized settings into Puppet-formatted manifest entries for registry settings
Process and convert the policy audit settings, if audit parameters are passed
Complete the writing of the manifest file and exit the code
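As an added example (not code from WinPuppetTools), this PowerShell turns the Registry.xml preference items and audit.csv rows described in section 4 into the registry_value and auditpol declarations that the normalize-then-emit workflow above produces. The sample file contents and GUIDs are constructed, and the exact parameter shape of fervid/auditpol's auditpol type (success/failure => 'enable'|'disable') is an assumption.

```powershell
# Added example, not WinPuppetTools code: normalize GPP Registry.xml items and audit.csv
# rows, then emit Puppet registry_value (puppetlabs/registry) and auditpol (fervid/auditpol,
# parameter shape assumed) resources. All sample data below is constructed.

# Constructed sample: two items as found in <GUID>\Machine\Preferences\Registry\Registry.xml
$registryXml = [xml]@'
<RegistrySettings>
  <Registry name="EnableLUA">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" name="EnableLUA" type="REG_DWORD" value="00000001"/>
  </Registry>
  <Registry name="LegalNoticeCaption">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" name="LegalNoticeCaption" type="REG_SZ" value="Authorized use only"/>
  </Registry>
</RegistrySettings>
'@
# Constructed sample audit.csv (GUIDs are placeholders); Setting Value bit 1 = Success, bit 2 = Failure
$auditCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
,System,Audit Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,,3
,System,Audit Process Creation,{00000000-0000-0000-0000-000000000002},Success,,1
'@
$hiveMap = @{ 'HKEY_LOCAL_MACHINE' = 'HKLM'; 'HKEY_CURRENT_USER' = 'HKCU' }
$typeMap = @{ 'REG_SZ' = 'string'; 'REG_EXPAND_SZ' = 'expand'; 'REG_DWORD' = 'dword'; 'REG_QWORD' = 'qword' }

function ConvertTo-RegistryValueResource {
    param([System.Xml.XmlElement]$Properties)
    $path = '{0}\{1}\{2}' -f $hiveMap[$Properties.hive], $Properties.key, $Properties.name
    $type = $typeMap[$Properties.type]
    # GPP stores REG_DWORD/REG_QWORD as zero-padded hex; string types are single-quoted for Puppet
    $data = switch ($type) {
        { $_ -in @('dword', 'qword') } { [Convert]::ToInt64($Properties.value, 16) }
        default                        { "'{0}'" -f ($Properties.value -replace "'", "\'") }
    }
    "registry_value { '$path':`n  ensure => present,`n  type   => '$type',`n  data   => $data,`n}"
}

function ConvertTo-AuditpolResource {
    param($Row)
    $mask    = [int]$Row.'Setting Value'
    $name    = $Row.Subcategory -replace '^Audit ', ''   # auditpol titles omit the 'Audit ' prefix
    $success = if ($mask -band 1) { 'enable' } else { 'disable' }
    $failure = if ($mask -band 2) { 'enable' } else { 'disable' }
    "auditpol { '$name':`n  success => '$success',`n  failure => '$failure',`n}"
}

$manifest  = @($registryXml.RegistrySettings.Registry | ForEach-Object { ConvertTo-RegistryValueResource $_.Properties })
$manifest += $auditCsv | ConvertFrom-Csv | ForEach-Object { ConvertTo-AuditpolResource $_ }
$manifest -join "`n`n"   # pipe to Set-Content -Path .\profile.pp to write the manifest
```

REG_MULTI_SZ and REG_BINARY values are left out of the type map on purpose; they need array and hex handling that this example does not cover.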
9. Convert-GpoToPuppetManifest Parameters
GPOFolderPath: Path to the GPO folder to be processed. (Required)
PolicyDefinitionsRepository: Path to the domain's Policy Definitions folder; usually \\<domain DNS name>\SYSVOL\contoso.com\Policies\PolicyDefinitions. (Required)
ProfileName: The friendly name of the policy, used in creating the output folder. (Required)
policyPathDictionary: Path to the copy of the Microsoft Excel spreadsheet PolicySettingsDescriptions.csv. (Required)
IncludeAuditSettings: Switch to indicate that audit settings should be converted along with the registry settings. (Optional)
AuditSettingsFilePath: Path to the audit.csv file that contains the settings that should be converted. (Optional)