I'm trying to make it easy to add a LogOff script to Group Policy and am having difficulty finding any information on adding Group Policy via script.

I already have the script I want to run at Logoff, and I know how to run scripts via Group Policy. I want to know if Group Policy itself can be managed by script.

I do not have access to modify group policy for the domain or even for my OU, however, I can add entries to the local computer policy.

I've tried isolating registry entries created and changed when adding a Group Policy script, but quickly found this to be prohibitive in its difficulty and complexity. Maybe I read the comparison wrong, but there seemed to be quite a bit changed in just one Group Policy change.

So I've fallen back to scripting. Using either VBScript or Batch, can I add an entry to Local Computer Policy\User Configuration\Scripts\Logoff using a script?

UPDATE: Any tips on how to better isolate registry changes made during a GP change would be appreciated if this is the only (or best) way to go.

music2myear
  • 1,893
  • 3
  • 26
  • 51
  • As I mentioned in the question, I do not have access to modify domain group policy, but I do have access to modify local computer policy. Organizational structure makes it difficult to petition those who do have domain GP control to make changes and so we want to have a test-bed that shows our changes work and do not cause adverse issues. For these and other reasons it is advisable that we run any changes locally for a while. I'm simply looking for an easier way to apply the changes. – music2myear Jul 21 '11 at 16:56

2 Answers

3

There is no API that I'm aware of to make automated changes to the local Group Policy Object on Windows XP (called "Local Group Policy" in newer versions of Windows).

I've had some success manually copying the contents of the %SystemRoot%\System32\GroupPolicy folder between machines. As long as you don't have machine-specific entries there (referencing the machine SID) this should be possible. That won't be in any way "supported" by Microsoft, though, and if it breaks you get to keep the pieces.

Here's an example of a script that modifies local group policy that you might want to look at, too. It's not using any "supported" APIs-- it's just banging on the GPT.INI file. This may work but is definitely "unsupported", too.

Based on your comment to @Zoredache I think you're better off manually doing this to a few computers rather than trying to script it to a bunch of computers. You're going to end up making the person or department who handles Domain Group Policy very unhappy if they have to undo a bunch of local changes on client computers (which are just as difficult to undo as they are to make in the first place).

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
  • Thanks, those directions look promising. There is no machine-specific info in the script that is running. Regarding unhappy admins, I essentially run IT for a branch office, having inherited it from my manager when I was hired. We have discretion regarding policies so long as they do not interfere with existing, and this policy we're rolling out is a relatively simple security escalation involving emptying user temporary folders on logoff. – music2myear Jul 21 '11 at 17:20
  • I agree with doing it the manual correct way by using the built in tools with local group policy. Hacking it might make this a lot harder in the long run to undo as well as disprove what you're trying to do in your test bed. A test bed should be done the correct way to begin with to make sure your testing is accurate. – Nixphoe Jul 21 '11 at 17:24
  • Ok, copying scripts.ini and the desired script into the appropriate locations on a clean machine appears to have added the appropriate settings. This I can script. Because there are no existing Logoff scripts assigned via GP, it will not be an issue doing this. Thank you for the assistance. – music2myear Jul 21 '11 at 17:40
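The approach the comment above settles on (copy scripts.ini and the script into the local GPO folder) can be expressed as a single PowerShell script. The following is an added example, not code from the thread, from Evan's answer, or from the script Jeremy links; it mirrors the files gpedit.msc writes when you add a user Logoff script: the script copy under `User\Scripts\Logoff`, the `scripts.ini` entry, and the `gpt.ini` version bump and extension registration that tell the Scripts client-side extension to re-read the GPO. Assumed values (not in the thread): the source path `C:\Deploy\Clear-UserTemp.cmd`, and that no user logoff script is registered yet (the poster says the same), so the example starts `scripts.ini` at entry 0 rather than merging with existing entries. It must run elevated.

```powershell
# Added example (not from the original thread): register a user Logoff script in
# the Local Group Policy Object by writing the same files gpedit.msc writes.
# Assumptions: $SourceScript exists, no user logoff script is registered yet,
# and the shell is elevated (the GroupPolicy folder is protected).
param(
    [string]$SourceScript = 'C:\Deploy\Clear-UserTemp.cmd',   # assumed path
    [string]$Parameters   = ''
)

$gpRoot     = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$scriptsDir = Join-Path $gpRoot 'User\Scripts'
$logoffDir  = Join-Path $scriptsDir 'Logoff'
$scriptsIni = Join-Path $scriptsDir 'scripts.ini'
$gptIni     = Join-Path $gpRoot 'gpt.ini'

# GUID pair gpedit records under gPCUserExtensionNames for logon/logoff scripts:
# the Scripts client-side extension followed by its snap-in extension.
$scriptsCseGuid  = '{42B5FAAE-6536-11D2-AE5A-0000F87571E3}'
$scriptsToolGuid = '{40B66650-4972-11D1-A7CA-0000F87571E3}'

if (-not (Test-Path $SourceScript)) { throw "Source script not found: $SourceScript" }

# 1. Copy the script into the per-GPO Logoff folder (what "Show Files..." opens).
New-Item -ItemType Directory -Path $logoffDir -Force | Out-Null
Copy-Item -Path $SourceScript -Destination $logoffDir -Force
$scriptName = Split-Path $SourceScript -Leaf

# 2. Write scripts.ini. Entries are numbered from 0 inside each section; this
#    example overwrites the file, which is only safe when it has no entries yet.
$iniText = @"
[Logoff]
0CmdLine=$scriptName
0Parameters=$Parameters
"@
# gpedit writes this file as Unicode (UTF-16 LE) and marks it hidden; do the same.
if (Test-Path $scriptsIni) { (Get-Item $scriptsIni -Force).Attributes = 'Normal' }
Set-Content -Path $scriptsIni -Value $iniText -Encoding Unicode
(Get-Item $scriptsIni -Force).Attributes = 'Hidden'

# 3. Update gpt.ini in place so other keys survive. Version packs the user
#    version into the high 16 bits and the machine version into the low 16 bits,
#    so adding 65536 bumps only the user half. The extension pair is appended
#    only if missing (gpedit keeps the list sorted; with one entry that is moot).
$lines = @('[General]')
if (Test-Path $gptIni) { $lines = @(Get-Content $gptIni) }
$sawVersion = $false
$sawExt     = $false
[string[]]$out = @(foreach ($line in $lines) {
    if ($line -match '^\s*Version\s*=\s*(\d+)') {
        $sawVersion = $true
        "Version=$([int]$Matches[1] + 65536)"
    } elseif ($line -match '^\s*gPCUserExtensionNames\s*=\s*(.*)$') {
        $sawExt = $true
        $ext = $Matches[1].Trim()
        if ($ext -notlike "*$scriptsCseGuid*") { $ext += "[$scriptsCseGuid$scriptsToolGuid]" }
        "gPCUserExtensionNames=$ext"
    } else {
        $line
    }
})
if (-not $sawExt)     { $out += "gPCUserExtensionNames=[$scriptsCseGuid$scriptsToolGuid]" }
if (-not $sawVersion) { $out += 'Version=65536' }
Set-Content -Path $gptIni -Value $out -Encoding ASCII

# 4. Apply and verify: refresh user policy, then read back what was registered
#    so the change can be reviewed (or reverted by restoring the two files).
& gpupdate.exe /Target:User /Force | Out-Null
Write-Host "Registered logoff script(s):"
Get-Content $scriptsIni -Force
```

Run it once per test machine from an elevated PowerShell prompt; it is idempotent for the logoff entry (re-running overwrites the same entry 0) but bumps the gpt.ini user version each time, which is harmless. To undo, delete the `Logoff` copy and `scripts.ini`, remove the GUID pair from `gpt.ini`, and run `gpupdate /Target:User /Force` again.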
1

I am the person who wrote the script referenced in your answer and just wanted to clarify that although it was suggested that it's unsupported, and "just banging on the GPT.INI file", it does exactly what a manual change does. You can prove this by simply making the change manually, and tracking through what it does. There are also a lot of notes in the script from the research I did at the time.

Alternatively, look at deploying the "LocalGPO" command line tool that comes with the new Microsoft Security Compliance Manager v2: http://blogs.technet.com/b/secguide/archive/2011/06/27/scm-v2-beta-new-baselines-available-to-download.aspx http://www.grouppolicy.biz/2011/03/introducing-microsoft-security-compliance-manager-v2/

Hope that helps.

Cheers, Jeremy.