Change group policy settings for accounts?

Question

I am wondering if there is a way to change the group policy settings for accounts without using the GUI tools (GPMC or the GPO editor MMC snap in). In other words can I can change these settings via a registry change or by using a tool like PowerShell? The idea is to automate this so it can be applied to a number of servers quickly without having to fire up a GUI.

The key values I am interested in is:

Log on locally
Log on as a service

Can you state the question a little more clearly? Are you referring to the GPMC GUI? Are you attempting to modify one of more GPOs using PowerShell, or are you attempting to modify the settings controlled by the GPO/s without actually touching the GPO/s themselves? — ThatGraemeGuy, Jun 06 '09 at 19:01
@Graeme I have rephrased it, let me know if that is much better? — Robert MacLean, Jun 08 '09 at 08:06

score 3 · Accepted Answer · answered Jun 08 '09 at 18:23

SECEDIT is your friend for what you're trying to do. Have a look at the help for the tool. Basically, you're going to want to build a template containing the settings you're looking for. Then, you'll apply that template to computers on which you'd like those settings changed.

Open an empty Microsoft Management Console. Add a "Security Templates" snap-in with File / Add/Remove Snap-in.
Open the "Security Templates" node and the next node underneath (normally "C:\WINDOWS\security\templates").
Right-click the "C:\WINDOWS\security\templates" node and choose "New Template". Name the new template and set the description as you desire.
Expand the new template. Set the various settings as you'd like.

The security policy you created is stored in the "C:\WINDOWS\security\templates" directory by default, named with whatever name you chose and a ".INF" extension. Copy this file to a machine where you want to apply the settings.

On the machine where the settings are to be applied, run the following command from the directory where your ".INF" security template file is located:

SECEDIT /configure /db secedit.sdb /cfg <path and filename of INF file>

This will apply the security template to the local security database. You can verify the "before and after" by examining the local security policy. (Be sure and close / re-open the local security policy management tool between applications of the INF file, because, AFAIK, these tools don't dynamically refresh themselves.)

brilliant - this is what I've been looking for! – Robert MacLean Jun 09 '09 at 08:17 — Robert MacLean, Jun 09 '09 at 08:17

score 1 · Answer 2 · 2010-02-20T08:04:13.993

1

You can find a list of all the registry keys used by Group Policy here:

http://go.microsoft.com/fwlink/?LinkID=54020

Be aware that some GPOs do not use registry keys.

Also, if you have servers that you need to set policies on - why not use GPOs??? Much easier to manage - you can change policies and push from one computer with one GUI.

edited Feb 20 '10 at 08:04

answered Jun 08 '09 at 23:53

I agree that GPO would be the best, but the reason to not use GPO's is that these machines are not on a common infrastructure, so there is no central place to push them out from. – Robert MacLean Jun 09 '09 at 07:55
The link does not seem to be valid anymore – Paul de Vrieze Feb 17 '10 at 21:14
You're right - I updated the link. – Feb 20 '10 at 08:03

score 0 · Answer 3 · answered Jun 06 '09 at 18:57

0

You could try to figure out where in the registry those specific policy settings are stored, and then manipulate them in a script using reg.exe. Keep in mind, though, that Group Policy will override your settings at each refresh.

I am not aware of any command-line based GPO editing tools, if that is what you mean.

answered Jun 06 '09 at 18:57

Jay Michaud

3,947
4
21
36

I tried to export the registry via regedit, then make the change, then do another export and use WinMerge to compare but with no luck – Robert MacLean Jun 08 '09 at 07:57

Change group policy settings for accounts?

3 Answers3