
baselinemanagement's Introduction

BaselineManagement


NOTE: Beginning with version 3.0.0, this module now only supports conversion from Group Policy format. If conversion from ASC or SCM formats is needed, please install version 2.x from the PowerShell Gallery.

This solution is built off GPRegistryParser.

This solution contains cmdlets for converting baselines into Desired State Configuration.

  • ConvertFrom-GPO - Converts from GPO Backups into DSC Configuration and accompanying MOF.
  • Merge-GPOs - Discovers the resultant set of policies for a machine by querying WMI from inside the machine, and creates a single DSC script based on policy application order, link, enforcement, and filtering.
  • Merge-GPOsFromOU - Discovers the result of all policies assigned at the scope of an OU, and creates a single DSC script based on the order policies are applied, link, and enforcement.

All of the Cmdlets accept pipeline input and have accompanying help text and examples.

Known gaps in capability

  • Security settings that are producing errors

    • Network_security_Configure_encryption_types_allowed_for_Kerberos: if multiple values are selected, the value will not resolve to a name and will produce an error. This will have to be resolved in SecurityPolicyDSC.
      Issue tracked in SecurityPolicyDsc
    • Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM: the format of the value for this setting is causing the MOF to not compile correctly. The only workaround for now is to not include the setting or manually set it in the MOF (if the correct value is known).
    • Minimum_password_length_audit: this is a new setting that hasn't been mapped yet in SecurityPolicyDsc.
      Issue tracked in SecurityPolicyDsc
  • Not all Group Policy settings have DSC resources, or parsers

    • Some are tracked in the Issues list but it is likely there are many edge cases not yet covered.

Description

The included cmdlets convert baselines into a Desired State Configuration .mof file and, optionally, a .ps1 file. If there are any errors compiling or creating the configuration, the tool will output a ps1.error file with the configuration text.

The accompanying resources stored in the DSC resources folder are needed to apply the settings. Most can be found on github, but are stored here for convenience.

Note

If the resources are not copied into a PSModulePath the Configuration will likely not compile. This is simply because DSC requires that all modules in a Configuration be present in PSModulePath when compiled.

The tool also has a conflict resolution engine that will automatically comment out conflicting resources.

Example of Conflict Resolution

    Service Spooler
    {
        Name = "Spooler"
        State = "Stopped"
    }

    Service Spooler2
    {
        Name = "Spooler"
        State = "Running"
    }

The tool has been thoroughly tested, but needs to be run against a variety of baselines to ensure they are parsed correctly.

If you have any issues, please submit them and I will get to them as I am able :-)

Install the Module

BaselineManagement is also available on the PowerShell gallery, where dependent modules are automatically installed:

  • GPRegistryPolicyParser
  • SecurityPolicyDSC
  • AuditPolicyDSC
  • GPRegistryPolicyDSC

To install the latest stable version, use the following command.

Install-Module BaselineManagement
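
An end-to-end run of the workflow described above, written here as an added example rather than taken from the module's own documentation: install from the Gallery, confirm the dependent resource modules listed above resolve from PSModulePath (the reason the compile note above gives for failures), convert a GPO backup, and test the compiled MOF without applying it. The backup folder, output folder and the location of the .ps1.error file are assumptions; the -Path and -OutputPath parameters of ConvertFrom-GPO are the ones shown in the issue reports on this page.

```powershell
# Added example (not part of the BaselineManagement README).
# Assumptions: placeholder paths below; the .ps1.error file is assumed to be
# written into the output folder; Test-DscConfiguration -Path expects the MOFs
# in that folder to be named after the node (e.g. localhost.mof).
#Requires -RunAsAdministrator

$GpoBackup  = 'C:\GPOBackups\{00000000-0000-0000-0000-000000000000}'   # placeholder backup folder
$OutputPath = 'C:\DSC\Converted'                                         # placeholder output folder

# 1. Install from the PowerShell Gallery; dependent modules are pulled in automatically.
Install-Module -Name BaselineManagement -Scope AllUsers -Force

# 2. DSC only compiles when every module the configuration imports is discoverable
#    from $env:PSModulePath, so check the dependencies before converting anything.
$required = 'GPRegistryPolicyParser', 'SecurityPolicyDsc', 'AuditPolicyDsc', 'GPRegistryPolicyDsc'
$missing = foreach ($name in $required) {
    if (-not (Get-Module -Name $name -ListAvailable)) { $name }
}
if ($missing) {
    throw "Not resolvable from PSModulePath: $($missing -join ', ')"
}

# 3. Convert the GPO backup into a configuration script and compiled MOF.
Import-Module BaselineManagement
ConvertFrom-GPO -Path $GpoBackup -OutputPath $OutputPath -Verbose

# A compile failure leaves the configuration text in a .ps1.error file instead of a MOF.
if (Get-ChildItem -Path $OutputPath -Filter '*.ps1.error' -ErrorAction SilentlyContinue) {
    throw "Configuration did not compile; inspect the .ps1.error file in $OutputPath"
}

# 4. Audit only: evaluate the MOF against this host without enacting it.
$result = Test-DscConfiguration -Path $OutputPath
if ($result.InDesiredState) {
    'Host matches the converted baseline.'
} else {
    # Each drifted resource is listed by its ResourceId, e.g. "[Service]Services(INF): Spooler".
    $result.ResourcesNotInDesiredState |
        Select-Object ResourceId, InDesiredState |
        Format-Table -AutoSize
}
```

Step 2 is the one worth keeping in any pipeline: a missing resource module produces a compile error at step 3 rather than a clear dependency message, so failing early with the module name saves a round trip through the .ps1.error file.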

Contributors

aurnovcy, bdanse, bobbytreed, mcmcghee, mgreenegit, microsoftopensource, msftgits, wernerb, x-guardian


baselinemanagement's Issues

test-dscconfiguration is not working for registry entries.

Background:
We use ConvertFrom-GPO to convert GPO's to MOF files for the validation of settings only. We never use the MOF to apply settings, we allow the GPO system to do that.

We have a GPO in the domain.
GPO is applied to a computer.
I take a backup of the GPO and convert it to a DSC using ConvertFrom-GPO.
I then take the MOF created and use that to test to ensure all settings were applied properly.

Every time I run Test-DSCConfiguration for any registry entry that has a value I get this:
"Expected to find an array value for property ValueData in the current values, but it was either not present or was null. This has caused the test method to return false."

If I look in the registry the value is present as set by the GPO.

So I decided to let the MOF set the value in the registry. That works fine and then the test will pass. But the value in the registry did not change. Then to test I edited the value in the registry and re-ran the Test-DSCConfiguration. It passed (this is a big problem as the DSC is returning true even though the value in the registry is wrong).

Thus this tells me you are no longer looking in the registry as a result of your change from PSDscResources module to RegistryPolicyFile. You are only looking at the GPO config on the server. The whole point of this DSC module for me was to be able to test each setting of a GPO against a running system to ensure that all values are indeed set and honored. Right now if someone were to change a value and I tested the system it would pass as it would only be asking the GPO database what it thought the system was set to.

I guess I will need to roll back to the version that used PSDscResources, as that actually looked at the registry. This is unfortunate as that had issues too especially with key names that used /'s. However I still think you have a problem here in that the Test-DSCConfiguration is failing to return proper results due to the way it is parsing the registrypolicyfile. I should be able to test the application of a GPO without having the DSC also set all the settings. GPO should apply and DSC should validate in this situation.

We check to ensure that all GPO settings are consistent with the GPO every 30 minutes.

PowershellAccessControl module import issue with Azure State Configuration

Using BaselineManagement to convert GPOs to PS for import into DSC configurations seems to convert the policy correctly, and specified the PowerShellAccessControl module to import into DSC.

Azure State Configuration doesn't have this module, and trying to import the module gives the error "Orchestrator.Shared.AsyncModuleImport.ModuleImportException: An error occurred during module validation."

The module won't import into powershell either.

Grabbing the V4 preview module fails with the error "Orchestrator.Shared.AsyncModuleImport.ModuleImportException: Cannot import the module of name PowerShellAccessControl_v4.0_preview_20150417, as the module structure was invalid."

Is there a version which can be imported and used, or would BaselineManagement need fundamental changes to allow GPOs converted to be imported as DSC configurations?

Thanks in advance.

DSC Import From GPO Index null

Hi,
When I use ConvertFrom-GPO -Path "E:\DSC\GPO\{7db8ad33-c727-46a5-a576-0a1277fb79d0}", the index of the ini section appears to be null.

Index operation failed; the array index evaluated to null.
At C:\Program Files\WindowsPowerShell\Modules\BaselineManagement\2.4.5000\Helpers\Functions.ps1:493 char:13
+             $ini[$section][$name] = $value.Trim()
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArrayIndex

Thanks ;-)

Read-PolFile

Where can I get the Read-PolFile function? I can't find any reference to it anywhere except in this module...

Read-PolFile : The term 'Read-PolFile' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Program Files\WindowsPowerShell\Modules\BaselineManagement\1.8.0\BaselineManagement.psm1:199 char:29
+         $registryPolicies = Read-PolFile -Path $polFile.FullName
+                             ~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Read-PolFile:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Duplicate Resource

     UserRightsAssignment 'UserRightsAssignment(INF): Allow_log_on_through_Remote_Desktop_Services'
     {
          Policy = 'Allow_log_on_through_Remote_Desktop_Services'
          Force = $True
          Identity = @('*S-1-5-32-544')

     }

Trying to convert the latest 20H2 Security Baseline

Hey, when I try to convert the latest Security Baseline for 20H2 with the latest BaselineManagement Version 3.1.1 I get the following output:

The GptTmpl.inf file contains an entry 'MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding' in the Registry section that is an unknown value in the module file Helpers\SecurityOptionData.psd1.
At C:\Program Files\WindowsPowerShell\Modules\BaselineManagement\3.1.1\Parsers\GPO\Registry.ps1:389 char:9
throw "The GptTmpl.inf file contains an entry '$Key' in the R ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : OperationStopped: (The GptTmpl.inf...ptionData.psd1.:String) [], RuntimeException
FullyQualifiedErrorId : The GptTmpl.inf file contains an entry 'MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding' in the Registry section that is an unknown value in the module file Helpers\SecurityOptionData.psd1.

Maybe this can be added pretty easily.
You can download the Baseline following this link Security Baseline

RegistryPolicyFile values created by ConvertFrom-GPO break GPO processing

When converting a group policy to DSC, registry values are converted to 'RegistryPolicyFile' values, like for instance:

RegistryPolicyFile 'Registry(POL): HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators'
{
  Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI'
  ValueData = 0
  TargetType = 'ComputerConfiguration'
  ValueType = 'Dword'
  ValueName = 'EnumerateAdministrators'
}

After the mof file is created and applied, group policy fails with a registry error:
The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.

Sadly the event log does not seem to indicate any usable information as to what the issue was, but after enabling debug logging for group policy I found the following error(s) in the debug log:

GPSVC(5b8.fb8) 12:12:32:689 AddPolicyPermissionOnKey: Setting permission on reg key on <HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI>.
GPSVC(5b8.fb8) 12:12:32:689 SetPolicyOwnerOnKey: Setting owner on reg key on <HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI>.
GPSVC(5b8.fb8) 12:12:32:689 AddPolicyPermissionOnKey: Setting permission on reg key on <HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI>.
GPSVC(5b8.fb8) 12:12:32:689 SetPolicyOwnerOnKey: Setting owner on reg key on <HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI>.
GPSVC(5b8.fb8) 12:12:32:689 SetRegistryValue: Failed to open key <HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI> with 87
GPSVC(5b8.fb8) 12:12:32:689 ParseRegistryFile: Callback function returned false.

In the same log I also noticed that other registry paths are displayed differently, for instance:

GPSVC(5b8.fb8) 12:12:32:678 SetPolicyOwnerOnKey: Setting owner on reg key on <Software\Microsoft\Windows\CurrentVersion\Policies>.

Based on this I suspected that, since the registry.pol file the settings are added to by 'RegistryPolicyFile' is already aimed at Machine or User level, only the subpath is contained within the file.

If I manually change the exported registry files to omit 'HKLM:' from the 'Key' value then the resulting mof file seems to apply correctly. So:

RegistryPolicyFile 'Registry(POL): HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators'
{
  Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\CredUI'
  ValueData = 0
  TargetType = 'ComputerConfiguration'
  ValueType = 'Dword'
  ValueName = 'EnumerateAdministrators'
}

does work: policy processing runs without error, no error is logged in the debug logging any more
(and more importantly, the registry key/value is created).
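
The workaround the reporter describes, applied mechanically to a generated configuration script, as an added example that is not the project's code. It strips the hive prefix from the Key property of every RegistryPolicyFile block and leaves other resource types (such as a PSDscResources Registry block, which needs the hive) untouched. Stripping 'HKCU:\' as well as 'HKLM:\' is an assumption extended from the reporter's reasoning about registry.pol being hive-relative; the sample text is constructed to mirror the block quoted in the issue, and the file path in the trailing comment is a placeholder.

```powershell
# Added example, not from the BaselineManagement project. Assumption: registry.pol
# paths are hive-relative for both HKLM (ComputerConfiguration) and HKCU, so both
# prefixes are removed from RegistryPolicyFile Key values.

function Remove-HiveFromRegistryPolicyKey {
    param(
        [Parameter(Mandatory)] [string] $ConfigurationText
    )

    # One RegistryPolicyFile block: quoted resource name, then a brace body.
    # Caveat: [^}]* assumes no '}' appears inside a string value of the block.
    $blockPattern = "RegistryPolicyFile\s+'[^']*'\s*\{[^}]*\}"
    # The Key line only; the resource name on the first line keeps its full path.
    $keyPattern   = "(?m)^([ \t]*Key[ \t]*=[ \t]*')HK(?:LM|CU):\\"

    $changed = 0
    $output  = New-Object System.Text.StringBuilder
    $cursor  = 0
    foreach ($block in [regex]::Matches($ConfigurationText, $blockPattern)) {
        # Copy the text between blocks unchanged, then the rewritten block.
        [void]$output.Append($ConfigurationText.Substring($cursor, $block.Index - $cursor))
        $fixed = [regex]::Replace($block.Value, $keyPattern, '$1')
        if ($fixed -ne $block.Value) { $changed++ }
        [void]$output.Append($fixed)
        $cursor = $block.Index + $block.Length
    }
    [void]$output.Append($ConfigurationText.Substring($cursor))

    [pscustomobject]@{ Text = $output.ToString(); Changed = $changed }
}

# Constructed sample: one block that needs the fix and one Registry resource that must keep its hive.
$sample = @'
RegistryPolicyFile 'Registry(POL): HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators'
{
  Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI'
  ValueData = 0
  TargetType = 'ComputerConfiguration'
  ValueType = 'Dword'
  ValueName = 'EnumerateAdministrators'
}

Registry 'Example'
{
  Key = 'HKLM:\Software\Example'
  ValueName = 'Example'
  ValueData = '1'
}
'@

$fixed = Remove-HiveFromRegistryPolicyKey -ConfigurationText $sample
"$($fixed.Changed) RegistryPolicyFile block(s) rewritten"   # 1 for the sample above
$fixed.Text

# To rewrite a generated script in place (placeholder path), keep a backup first:
# $path = 'C:\DSC\Converted\DSCFromGPO.ps1'
# Copy-Item -Path $path -Destination "$path.bak"
# (Remove-HiveFromRegistryPolicyKey -ConfigurationText (Get-Content -Path $path -Raw)).Text |
#     Set-Content -Path $path -NoNewline
```

Rewriting the text is deliberately scoped to RegistryPolicyFile blocks because a Registry resource from PSDscResources addresses the live registry and does need its hive; removing it there would change what the resource targets rather than fix it.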

LdapEnforceChannelBinding

When Convertfrom-GPO is used, it is not able to parse one of the value/settings from Security settings downloaded from MS Security Baseline 2022 which is
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding=4,2
under
\Windows Server-2022-Security-Baseline-FINAL\GPOs\{E2B8214C-729F-4324-A876-F067E58B740B}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf

I had to manually remove this line from this GptTmpl.inf to run again the command successfully.

DSC causes system to BSOD

Hi,

I was given a "GPO export" of the SCM baseline "W2016 Member Server Secpol" and used this module to convert it to DSC. I thought all went well, as I saw no errors, checked the DSC for obvious issues, nothing.
I then went on to bake a new image on AWS Windows Server 2016 Datacenter (vanilla, no config), rebooted the machine and it ended up in a BSOD.
Without a reboot the machine stops responding after a few minutes and just dies.

I was able to reproduce the issue also on Azure VM, same OS.

I uploaded the DSC that I'm applying here: https://gist.github.com/davidobrien1985/b2f01dc4c47329db447e94c8e2e45e41

The only obvious things standing out are the following:

Is this a known issue? Does anybody have a working DSC config of this baseline?
I really do not want to apply pol and reg files to my servers.

Thanks!

Kerberos SupportedEncryptionTypes reg key breaks dsc conversion

Write-DSCString : The Write-DSCString command was called but the parameters block is missing a property name
At C:\Program Files (x86)\WindowsPowerShell\Modules\BaselineManagement\4.1.1\Parsers\GPO\Registry.ps1:360 char:5
+     Write-DSCString -Resource -Name "Registry(POL): $(Join-Path -Path ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Write-DSCString

Write-DSCString : The Write-DSCString command was called but the parameters block is missing a property name
At C:\Program Files (x86)\WindowsPowerShell\Modules\BaselineManagement\4.1.1\Parsers\GPO\Registry.ps1:360 char:5
+     Write-DSCString -Resource -Name "Registry(POL): $(Join-Path -Path ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Write-DSCString

SecurityPolicyDsc\SecurityOption : At least one of the values '2147483640' is not supported or valid for property 'Network_security_Configure_encryption_types_allowed_for_Kerberos' on class 'SecurityOption'. Please specify only supported
values:
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, FUTURE.
At line:2975 char:10
+          SecurityOption 'SecurityRegistry(INF): Network_security_Conf ...
+          ~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnsupportedValueForProperty,SecurityPolicyDsc\SecurityOption

Compilation errors occurred while processing configuration 'DSCFromGPO'. Please review the errors reported in error stream and modify your configuration code appropriately.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3917 char:5
+     throw $ErrorRecord
+     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (DSCFromGPO:String) [], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessConfiguration

Removing
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes

solves the issue

wrapping of lines

In this example it is wrapping the Arrays, is this expected behaviour?
image

Also a switch to use space indentation would be nice :)

AppVeyor Build Failing: ActiveDirectory Module not found

There are currently three Pull requests dating back to January 2019 that are all failing their AppVeyor checks with the following error:

Import-Module ActiveDirectory
Import-Module : The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory.
At line:10 char:1
+ Import-Module ActiveDirectory
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (ActiveDirectory:String) [Import-Module], FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
 
Command executed with exception: The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory.

Affected pull requests: #23, #25 and #26

The build configuration isn't using an appveyor.yml file so I can't debug the issue.

Can someone take a look at this?

Not compatible with MS Baseline GPOs User Rights Rules

The Microsoft security baselines have User Right Assignment rules in terms of a string of comma delimited SIDs and the SecurityPolicyDsc module expects an array of display names. As a result, if you convert the baseline GPO to DSC with the BaselineManagement module, all User Right Assignment rules will fail when calling Start-DscConfiguration targeting the resulting MOF file.

For example, the BaselineManagement module conversion has the following rule.

UserRightsAssignment 'INF_Access_this_computer_from_the_network'
{
	Policy = 'Access_this_computer_from_the_network'
	Identity = '*S-1-5-11,*S-1-5-32-544'
}

The above will fail to accurately evaluate the current setting or apply the desired state, but works if switched to the below.

UserRightsAssignment 'INF_Access_this_computer_from_the_network'
{
	Policy = 'Access_this_computer_from_the_network'
	Identity = 'Builtin\Administrators','NT Authority\Authenticated Users'
}
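
Converting the comma-delimited SID string into the array of account names the reporter shows working, as an added example that is not code from the issue or the project. Well-known SIDs such as S-1-5-11 and S-1-5-32-544 resolve without network access through the .NET SecurityIdentifier translation; domain SIDs need a reachable domain controller, so anything that fails to translate is kept verbatim and reported rather than silently dropped. The function name and the sample input are constructed for this example.

```powershell
# Added example, not from the BaselineManagement project.
# Assumption: the leading '*' in the INF value marks a SID and is not part of it.

function Convert-SidStringToIdentity {
    [CmdletBinding()]
    param(
        # e.g. '*S-1-5-11,*S-1-5-32-544' as emitted for a UserRightsAssignment Identity
        [Parameter(Mandatory)] [string] $SidList
    )

    foreach ($entry in $SidList -split ',') {
        $sidText = $entry.Trim().TrimStart('*')
        if (-not $sidText) { continue }
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            # Translate() throws IdentityNotMappedException when the SID cannot be resolved.
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            Write-Warning "Could not resolve '$sidText'; leaving it untranslated"
            $entry.Trim()
        }
    }
}

# Constructed sample input taken from the issue; on a Windows host this yields
# 'NT AUTHORITY\Authenticated Users' and 'BUILTIN\Administrators'.
$identity = @(Convert-SidStringToIdentity -SidList '*S-1-5-11,*S-1-5-32-544')

# Emit the corrected resource block with each name single-quoted for the configuration script.
$quoted = ($identity | ForEach-Object { "'" + ($_ -replace "'", "''") + "'" }) -join ','
@"
UserRightsAssignment 'INF_Access_this_computer_from_the_network'
{
    Policy   = 'Access_this_computer_from_the_network'
    Identity = $quoted
}
"@
```

Keeping unresolved SIDs instead of discarding them matters for a security baseline: a silently shortened Identity list would grant or remove a right for fewer principals than the GPO specified, and the warning makes the gap visible in the conversion log.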

ConvertFrom-SCMxml not recognized

Hi,
I get an error when I convert from SCM to DSC with the command line:

ConvertTo-DSC -Type SCMxml -Path 'E:\DSC\Baselines\Windows Server 2012 R2-CPE-Dictionary.xml' -ComputerName Localhost

The command returns:

ConvertFrom-SCMxml : The term ConvertFrom-SCMxml is not recognized as the name of a cmdlet, function, script file, or operable program. Check the 
spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:15

In order to continue testing I changed the name of the function "ConvertFrom-SCM" to "ConvertFrom-SCMxml" in BaselineManagement.ps1 and it works, but I do not know if this is good practice.

ConvertFrom-ASC - Show-Menu Error

running the following command

ConvertFrom-ASC -Path .\download\BaselineConfiguration.json

Results in an Error :

Show-Menu : The term 'Show-Menu' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Program Files\WindowsPowerShell\Modules\BaselineManagement\2.8.8809\BaselineManagement.psm1:1410 char:29

+         $BaselineName = Show-Menu -sMenuTitle "Select a Valid Bas ...
+                         ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Show-Menu:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Please select a valid Baseline!
At C:\Program Files\WindowsPowerShell\Modules\BaselineManagement\2.8.8809\BaselineManagement.psm1:1418 char:17
+             Throw "Please select a valid Baseline!"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Please select a valid Baseline!:String) [], RuntimeException
    + FullyQualifiedErrorId : Please select a valid Baseline!

PowerShellAccessControl is not on the gallery

PowerShellAccessControl should be published to the gallery instead of just being in the "External DSC Resources" folder. We've had to publish this module to our internal nuget instance to make it available to DSC pull servers.

fix dependencies

RequiredModules = @('PSDesiredStateConfiguration', 'GPRegistryPolicyParser', 'SecurityPolicyDSC', 'xAuditPolicy')

'PSDesiredStateConfiguration' should be 'PSDscResources'
'xAuditPolicy' should be 'AuditPolicyDsc'

Not yet supported settings

WARNING: ConvertFrom-GPO:GPTemp.inf Security Log AND AuditLogRetentionPeriod heading not yet supported
WARNING: ConvertFrom-GPO:GPTemp.inf Application Log AND AuditLogRetentionPeriod heading not yet supported

When will these be supported? Is there a roadmap somewhere?

Exception Parsing Banner and MOTD Strings with Quotes on ConvertFrom-GPO

We are enforcing legal banners on servers so we set the following keys (I changed the actual values to protect the innocent).

These are the values contained in the GPO backup (.{7C78F02A-DBCF-460D-8C0F-A7B5E8082F5B}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf)

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=1,"'Legal mumbo jumbo.'"

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"'DONT HACK THIS STUFF BRO!'"

When I run ConvertFrom-GPO it throws an exception when it gets to these settings, due to the way they are double quoted and single quoted ("'message'").

This is the exception.

 PS>ConvertFrom-GPO -Path '.\GPObackups\sec_2016\{7C78F02A-DBCF-460D-8C0F-A7B5E8082F5B}\' -OutputPath .\2016\

Method invocation failed because [System.Management.Automation.ErrorRecord] does not contain a method named 'Trim'.
At C:\Users\user\Documents\WindowsPowerShell\Modules\BaselineManagement\2.8.8841\Helpers\Functions.ps1:191 char:42
+ ... g += "@'`n$($_.Trim("'").TrimStart("'").TrimEnd("'").TrimStart('"').T ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

I get two of these exceptions, when running through the debugger I can confirm it's on these two items.

If I modify the lines in the GptTmpl.inf and replace the quotes with just single quotes, everything works perfectly. In the short term I'll look into getting our legal banner to not have the extra quotes, I'm sure that'll be fine; I wanted to report the issue in case others run into it.

Trying to convert Microsoft Compliance toolkit 2019 GPO

I'm getting the following error when I'm trying to convert the GPO to DSC from GPO backup folders.
These GPOs are out of the box plus the GPO imported from the Microsoft Compliance toolkit. Any help is appreciated.

VERBOSE: DSCFromGPO -OutputPath 'C:\ALLibraries\ConvertedGPOtoDSC'
VERBOSE: Output configuration script to C:\ALLibraries\ConvertedGPOtoDSC\DSCFromGPO.ps1
VERBOSE: Populating RepositorySourceLocation property for module GPRegistryPolicyDsc.
VERBOSE: Populating RepositorySourceLocation property for module AuditPolicyDsc.
VERBOSE: Populating RepositorySourceLocation property for module SecurityPolicyDsc.
Write-NodeMOFFile : Invalid MOF definition for node 'localhost': Exception calling "ValidateInstanceText" with "1"
argument(s): "Convert property 'Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM' value from type
'STRING[]' to type 'INSTANCE[]' failed
 At line:2476, char:2
 Buffer:
ame = "DSCFromGPO";
};^
insta
"
At
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:2369
char:21
+ ...             Write-NodeMOFFile $Name $mofNode $Script:NodeInstanceAlia ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], InvalidOperationException
    + FullyQualifiedErrorId : InvalidMOFDefinition,Write-NodeMOFFile
Compilation errors occurred while processing configuration 'DSCFromGPO'. Please review the errors reported in error
stream and modify your configuration code appropriately.
At
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3917
char:5
+     throw $ErrorRecord
+     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (DSCFromGPO:String) [], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessConfiguration

DSC by default

These conversion tools are great, good work!
But why not provide the DSC Configurations by default, with pester tests?

REG_SZ can also be empty

REG_SZ key values can also be empty. Currently they are marked with a "This MultiString Value has a value of $null" comment and generate a "The Write-DSCString command was called but the parameters block is missing a property name" error.

  • If a REG_SZ value is $null the comment "This MultiString Value has a value of $null" shouldn't be added, unless a $null string value has some special meaning to some security policies, in which case the comment should be changed to include string as well.

  • If a REG_MULTI_SZ or REG_SZ value is $null we shouldn't generate the "The Write-DSCString command was called but the parameters block is missing a property name" error.

$Comment = "`tThis MultiString Value has a value of `$null, `n`tSome Security Policies require Registry Values to be `$null`n`tIf you believe ' ' is the correct value for this string, you may change it here."

Write-Error "The Write-DSCString command was called but the parameters block is missing a property name"

Undefined DSC resource 'cSecurityDescriptorSddl'

Undefined DSC resource 'cSecurityDescriptorSddl' Use Import-DSCResource to import the resource - Getting this error trying to convert a GPO backup, I do have the PowerShellAccessControlModule installed from the gallery and in my PSModules path -

PS C:\Windows\system32> get-module PowerShellAccessControl -ListAvailable
Directory: C:\Program Files\WindowsPowerShell\Modules
ModuleType Version Name ExportedCommands

Script 4.0.81.... PowerShellAccessControl {New-PacAccessMask, Get-Pac

PS C:\Windows\system32> get-dscresource -Module PowershellAccessControl
ImplementedAs Name ModuleName Version

PowerShell cAccessControlEntry PowerShellAccessControl 4.0.81..
PowerShell cSecurityDescriptor PowerShellAccessControl 4.0.81..
PowerShell cSecurityDescriptorSddl PowerShellAccessControl 4.0.81..

Verified the files in the module folder are not blocked

Any ideas ?
-thanks

Why are some settings disabled in the ps1 file after conversion ?

I converted the Windows 11 Security baselines and after conversion,
some settings are "disabled" by being wrapped in a <# ... #> comment.

For Example:

<#RegistryPolicyFile 'Registry(POL): HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\NoToastApplicationNotificationOnLockScreen'
{
    ValueName = 'NoToastApplicationNotificationOnLockScreen'
    ValueData = 1
    ValueType = 'Dword'
    TargetType = 'ComputerConfiguration'
    Key = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
}#>

<#Service 'Services(INF): XboxGipSvc'
{
    Name = 'XboxGipSvc'
    State = 'Stopped'
}#>

Multiple GPOs into one MOF file

Would it be possible for the BaselineManagement module to combine multiple GPOs into one MOF file? I would like to be able to combine the multiple GPOs into one MOF file for import into DSCEA for scanning against a computer to see if it is in compliance.

An example of what I am trying to accomplish: where I work we have a Windows 10 baseline with a further baseline based on region/department defined in GPO. It would be nice if all of the GPOs could be combined into one MOF file for use by DSCEA. To allow for the resolution engine to work properly, I'm thinking it should process the GPO baselines in reverse order of GPO application for a given OU; this would ensure that the last GPO would have its settings applied first and therefore be the setting to win out when multiple GPOs are involved (if I'm reading the conflict resolution engine correctly).

I did a little playing around with the current module and with some slight changes was able to get it to take in multiple GPOs and combine them into one MOF file using the conflict resolution engine to comment out conflicting entries for the same settings. It would take some refinement to get it to do the correct ordering of the GPO but I think it is something that would be feasible and worthwhile.

Thoughts?

Write-DSCString produces empty If statements when a condition is passed

If a condition is passed to Write-DSCString, two empty if() statements are emitted into the configuration script for each block.

You get a structure as follows:
if()
{

} if() {

}

It looks like the order of code used in Write-DSCString when a condition is passed is partially to blame, as well as the code for the condition variable. The one I encountered came from Internetsettings.ps1

$Condition = [scriptblock]"`$InternetExplorerVersion -eq $($XML.ParentNode.ParentNode.Name)"

If you run this you get a message that PS cannot convert a string to a script block. I managed to get around this by doing
$Condition = $ExecutionContext.InvokeCommand.NewScriptBlock("`$InternetExplorerVersion -eq `"$($XML.ParentNode.ParentNode.Name)`"")

ASC / UserRightAssignment.ps1 force needed for every setting.

The following code is applied successfully but will not result in a compliant state if additional groups are included in the user right assignment.

src/Parsers/ASC/UserRightsAssignment.ps1
    if ([string]::IsNullOrEmpty($Accounts))
    {
        $policyHash.Force = $true;
    }
    $policyHash.Policy = $Privilege;
    $policyHash.Identity = $Accounts

This will set the user rights as declared

    $policyHash.Force = $true;
    $policyHash.Policy = $Privilege;
    $policyHash.Identity = $Accounts

Proposal: Repository for already converted security baselines

Wouldn't it make sense to publish the already converted security baselines for proof reading and convenience in a repository ?
I would demand an alternative to the GPO based security baselines in an alternative format from Microsoft, but as there seems to be almost no movement to more modern solutions, trustworthy and public DSC "security" baselines could be a reason for more users to try DSC as a new configuration method.

Issue Import-Module BaselineManagement

Import-Module : The given assembly name or codebase was invalid. (Exception from HRESULT: 0x80131047)
At line:1 char:1

+ Import-Module BaselineManagement
    + CategoryInfo          : NotSpecified: (:) [Import-Module], FileLoadException
    + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.ImportModuleCommand
    

I got some errors while using DSCFromGPO

I am unsure how many of these errors could be "new user error" on my part and are easy fixes, and how many of them could be related to something that you should be alerted to.

WARNING: ConvertFrom-GPO:PowerOptions XML file is not implemented yet.
WARNING: Write-DSCString: DSC Module (Printer) not found on System. Please re-run the conversion when the module is available.
WARNING: Write-GPOGroupsXMLData: Deleting all users or groups en masse is not supported

Apologies if this is just related to me not reading the manual first. :)

feature idea - Comparing MOFs to RSOP

A useful tool in the same vein as this, for shops moving from GPOs to DSC, would be a quick way to compare a MOF file to RSOP data to identify where conflicting settings still exist in the environment.
