Windows Local Policy

(imported topic written by KCQB_Robert_Martin)

Does anyone have a fixlet or know how to validate if a Windows local policy is set? For example: I need to make sure Device: Allowed to format and eject removable media to adminstrators. According to the out of the box content this is checked in the reqistry at:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD
but it doesn’t exist
and it is actually located in the local policy at:

Computer Configuration\Windows Settings\Security Settings\Local Policies\SecurityOptions\Devices: Allowed to format and eject removable media

I’ve attached a screen shot if that will help.

(imported comment written by jgstew)

It seems like you could just query both “Computer Configuration\Windows Settings\Security Settings\Local Policies\SecurityOptions\Devices” AND “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD” to see if it is set in either place.

Also, It is possible to check the LGPO using:
http://blogs.technet.com/cfs-filesystemfile.ashx/__key/telligent-evolution-components-attachments/01-5808-00-00-03-05-16-48/LGPO_2D00_Utilities.zip

This is not exactly what you are looking for, but here are some examples using the above utilities to set LocalGPO.

http://bigfix.me/fixlet/details/3747

http://bigfix.me/fixlet/details/3741

You can use the same tools to query Local GPO instead of set.