
I have to set the local group policy settings and the local security policy for a couple of machines which are not in a Windows domain. Until now, I've done that by manually setting the keys in gpedit. Due to the transition to Windows 10, I would like to automate that and use a batch or PowerShell script to set them. It would be very nice if this can be done without 3rd-party tools.

How can I set these policies using PowerShell or a batch file?

Thank you for your answers in advance!

Peter


3 Answers


You can do it in PowerShell using Set-ItemProperty on the Registry provider; e.g. to disable Windows Update Access, you can run:

Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name DisableWindowsUpdateAccess -Value 1

(HKLM:\ being the standard alias for the "Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\" registry drive path.)

A list of Group Policy registry keys can be downloaded from Microsoft at Download Group Policy Settings Reference for Windows and Windows Server | Microsoft Download Center

  • Thank you very much! But by changing the Registry directly the policy will not enforce the actual registry value if changed due to any reason. So is there a possibility to set the Group Policy which then sets the registry accordingly? – P. Egli May 05 '17 at 18:32
  • You can run gpupdate to get the computer to reload the settings; in the same way as you would when loading the values directly in the registry via regedit. E.g. `gpupdate /force /target:computer` – Pak May 05 '17 at 21:55
  • I should add that the Group Policy Editor just reads and sets the registry values, so setting the registry settings has the same effect as setting the group policy. – Pak May 05 '17 at 22:05
  • Changing the registry manually isn't the same as setting a policy. When the corresponding registry value is set in gpedit and a user changes the entry, gpupdate will enforce the set value at boot time. If I set a value for the machine policy in the registry using regedit, this does not lead to a correct entry in the policy. Therefore, if the value gets changed due to an arbitrary reason, gpupdate will not correct this setting. But that's what I am looking for. So, is there a possibility to set up the *.pol file using a batch script or a PowerShell script? – P. Egli May 07 '17 at 09:58
  • This does not set the Local Group Policy, as was asked. Registry settings are overwritten with the local policy (and group policy, if the machine is in a domain), so this answer does not yield the expected results. See [this answer](https://superuser.com/a/1192458/245038) – LCC Oct 21 '20 at 11:17

PolicyFileEditor is a PowerShell module to manage local GPO registry.pol files.

Brandon Padgett provides an example usage:

# User-scope local policy file; $UserDir was not defined in the quoted snippet,
# so this path is assumed (the machine-scope file lives under ...\GroupPolicy\Machine\).
$UserDir = "$env:SystemRoot\System32\GroupPolicy\User\registry.pol"

$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$RegName = 'ScreenSaverIsSecure'
$RegData = '1'
$RegType = 'String'

# Writes the entry into registry.pol (the policy), not directly into the live registry.
Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType
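The following is an added example, not code from any of the answers or from the PolicyFileEditor project: it writes both a machine-scope and a user-scope setting into the local registry.pol files, reads them back, and then triggers a policy refresh, which is the distinction the comments above draw between editing the policy and editing the registry directly. It assumes the PolicyFileEditor module is installed, the registry.pol paths below, and an elevated prompt.

```powershell
#Requires -RunAsAdministrator
Import-Module PolicyFileEditor -ErrorAction Stop

# Local Group Policy stores registry-based settings in two files (paths assumed here).
$PolFile = @{
    Machine = "$env:SystemRoot\System32\GroupPolicy\Machine\registry.pol"
    User    = "$env:SystemRoot\System32\GroupPolicy\User\registry.pol"
}

# Settings to enforce. The hashtable layout is this example's own convention;
# Key is given without the hive, as Set-PolicyFileEntry expects.
$Policies = @(
    @{ Scope = 'Machine'; Key = 'Software\Policies\Microsoft\Windows\WindowsUpdate'
       ValueName = 'DisableWindowsUpdateAccess'; Data = 1; Type = 'DWord' }
    @{ Scope = 'User'; Key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       ValueName = 'ScreenSaverIsSecure'; Data = '1'; Type = 'String' }
)

foreach ($p in $Policies) {
    # Writes the entry into registry.pol and bumps the version in gpt.ini so the
    # policy engine notices the change on the next refresh.
    Set-PolicyFileEntry -Path $PolFile[$p.Scope] -Key $p.Key -ValueName $p.ValueName `
                        -Data $p.Data -Type $p.Type
}

# Verify the *policy* (registry.pol), not the live registry value.
foreach ($p in $Policies) {
    $entry = Get-PolicyFileEntry -Path $PolFile[$p.Scope] -Key $p.Key -ValueName $p.ValueName
    if ($null -eq $entry -or "$($entry.Data)" -ne "$($p.Data)") {
        throw "Policy entry $($p.Scope): $($p.Key)\$($p.ValueName) was not written as expected"
    }
}

# Apply the policy now instead of waiting for the next refresh or boot.
gpupdate /force

# The live registry should now reflect the machine-scope setting.
Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' `
                 -Name DisableWindowsUpdateAccess
```

After this, the settings also show up in gpedit under the corresponding Administrative Templates entries, which a plain Set-ItemProperty write does not achieve.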

There are several cmdlets that can be used to manipulate GPOs (Create, Get-Info, ...). You can easily list them by using

Get-Command -Module GroupPolicy

The most important ones:

New-GPO -Name "My Own GPO" -Comment "This is a new GPO for me"

New-GPO -Name "My Own GPO" | New-GPLink -Target "ou=clients,dc=ad,dc=contoso,dc=com"

Remove-GPLink -Name "My Own GPO" -Target "ou=clients,dc=ad,dc=contoso,dc=com"

Get-GPO -Name "My Own GPO"

Get-GPO -Name "My Own GPO" | Get-GPOReport -ReportType HTML -Path c:\temp\report.html

Set-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut -Type DWord -Value 300

Get-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"

Remove-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut

Invoke-GPUpdate -Computer "ad\server1" -Target "User"

Get-GPResultantSetOfPolicy -Computer dc1 -ReportType HTML -Path c:\temp\dc1rsop.html

This was just taken from here.
