Wanted to use Group Policy to disable ICMP redirect

Found here




By default, MSS settings are not visible in Windows operating systems, including Windows Server.

E.g. MSS: (AutoAdminLogon) Enable Automatic Logon, MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes, etc.

These additional group policy settings were developed by the Microsoft Solutions for Security group and are documented in the appropriate security guides.

For Windows Server 2008, the security guide is available here: http://www.microsoft.com/en-us/download/details.aspx?id=17606

There are two methods to enable MSS settings:

1. Using Microsoft Security Compliance tool.
2. Editing sceregvl.inf file.

  • Using Microsoft Security Compliance tool.

1. Download Security Compliance Manager from here: http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
2. Install SCM.
3. After installing SCM, copy the "LocalGPO.msi" file from the following path: "C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO\LocalGPO.msi"
4. Run and install the file "LocalGPO.msi" on the server.
5. Open a command prompt and browse to: "C:\Program Files (x86)\LocalGPO"
6. Run the following command: "Cscript LocalGPO.wsf /ConfigSCE"
7. Now MSS settings will be visible in Security Options in Local Group Policy settings.

  • Editing sceregvl.inf file.

1. Browse to %systemroot%\inf
2. Take ownership of sceregvl.inf and give your ID full access.
3. Open sceregvl.inf using Notepad.
4. Scroll down to the [Register Registry Values] part and copy the contents of this file under [Register Registry Values].
5. Now browse to the [Strings] part and copy the contents of this file under [Strings].
6. Save sceregvl.inf
7. Run this command in an elevated command prompt: "regsvr32 scecli.dll"
8. Now MSS settings will be visible in Security Options in Local Group Policy settings.

PowerShell to add/remove computers from Group Policy security filter

Install Group Policy Management (on Server 2008 R2 or higher).

Then you are able to run Import-Module GroupPolicy

So, to add a computer to a 'security filter' you need to add GpoApply (which is both read and apply permissions), and it will then show in the security filtering pane.

The command to do so is:

Set-GPPermissions -Name "MyTest" -PermissionLevel GpoApply -TargetName "TheComputer" -TargetType Computer

Removing the computer is quite simple: same command, but set -PermissionLevel to None.

Set-GPPermissions -Name "MyTest" -PermissionLevel None -TargetName "TheComputer" -TargetType Computer
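
Both commands can be wrapped in one function that also reports the resulting security filter, so the change can be checked straight away. This is an added example, not part of the original post: the function name Set-GpoComputerFilter is hypothetical, and "MyTest" and "TheComputer" are the post's sample names.

```powershell
# Added example; Set-GpoComputerFilter is a hypothetical helper name.
Import-Module GroupPolicy

function Set-GpoComputerFilter {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GpoName,
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [switch]$Remove
    )

    # Fail early on a mistyped GPO name instead of erroring mid-change.
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    $level = if ($Remove) { 'None' } else { 'GpoApply' }
    $target = "$($gpo.DisplayName) [$($gpo.Id)]"
    if ($PSCmdlet.ShouldProcess($target, "Set $ComputerName to $level")) {
        $params = @{
            Name            = $GpoName
            TargetName      = $ComputerName
            TargetType      = 'Computer'
            PermissionLevel = $level
            ErrorAction     = 'Stop'
        }
        # -Replace removes the existing permission entry before the new level is set.
        if ($Remove) { $params.Replace = $true }
        Set-GPPermissions @params | Out-Null
    }

    # Return the resulting security filter: every trustee that holds GpoApply.
    Get-GPPermissions -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      @{ n = 'Type';    e = { $_.Trustee.SidType } },
                      Permission
}

# -WhatIf previews the change without touching the GPO's permissions.
Set-GpoComputerFilter -GpoName 'MyTest' -ComputerName 'TheComputer' -WhatIf
Set-GpoComputerFilter -GpoName 'MyTest' -ComputerName 'TheComputer'
Set-GpoComputerFilter -GpoName 'MyTest' -ComputerName 'TheComputer' -Remove
```

The returned list is what the security filtering pane shows, which makes it easy to spot a GPO that still applies to a broad group after a single computer has been added.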