How to edit local group policy objects via command line?

2

Is there a way to change or edit certain group policies via command line?

We are currently installing a lot of PCs based on an image. After the install is done, certain group policies need to be changed, which we have to do manually at this point.

I would like to add these changes to a script so I can create a script per department to enforce these group policies.

For example: Set "Computer Configuration / Management Templates / Configuration Panel / Online Tooltips" to "disabled" via a script.

Thanks!

Joe

Posted 2019-01-23T15:24:15.213

Reputation: 49

Take a look at this other question. It might address your need. https://superuser.com/questions/365699/change-group-policy-using-windows-cmd

– Doug Deden – 2019-01-23T15:27:36.070

Why aren't you deploying group policies via Active Directory? – user1686 – 2019-01-23T15:31:13.573

Thanks for all suggestions! @grawity: We are deploying group policies via Active Directory, but some policies are only needed temporarily during installation. – Joe – 2019-01-24T10:12:50.563

@Joe: Then I'd still stick with AD GPO but e.g. use security filtering so that it only applies to computers within a specific group. – user1686 – 2019-01-24T12:07:36.793

@grawity: I don't know what you mean. I meant that there are policies which we need to enable, only to disable them half an hour later on. Surely using AD for such a situation would be less convenient than running a script with an enable/disable in it? – Joe – 2019-01-25T13:04:09.620

Answers

1

Since the Group Policy settings are stored in the Registry, the easiest method to create department-wide configurations might be through a .reg file.

Microsoft maintains a list of the Group Policy Registry keys. For example, line 188 shows HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!AllowOnlineTips controls online tooltips.

Rather than synthesizing the .reg script from scratch, you could "reverse engineer" such a script by taking a snapshot of the Registry of a freshly created clone, applying appropriate changes through the Group Policy Editor, and then diffing that snapshot with a new one. An excellent tool for this purpose is Nirsoft's RegistryChangesView, which can "export the Registry changes into a standard .reg file".

Of course, if you're running a batch script anyway, just add a line to it:

regedit.exe /s "full path to your .reg file"

You can also import .reg files through the GPE using PowerShell.

DrMoishe Pippik

Posted 2019-01-23T15:24:15.213

Reputation: 13 291
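The registry approach from the answer above, as an added PowerShell example that is not part of the original post: it writes the AllowOnlineTips value named in the answer, reads it back to confirm it, and records the previous state so a setting needed only during installation can be reverted. The function names, the table layout and the DWORD data 0 for "disabled" are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original answers.
# Key and value name are taken from the answer; the data 0 (= policy "Disabled")
# is an assumption. Only DWORD-type policy values are handled here.
$Policies = @(
    @{ Path  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name  = 'AllowOnlineTips'
       Value = 0 }
)

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Capture the prior state first so the change can be undone later.
    $existing = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $previous = if ($null -ne $existing) { $existing.$Name } else { $null }
    # The policy key may not exist on a freshly imaged machine.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    # Read back and fail loudly instead of assuming the write succeeded.
    $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($actual -ne $Value) { throw "$Path\$Name is $actual, expected $Value" }
    [pscustomobject]@{ Path = $Path; Name = $Name; Previous = $previous; Current = $actual }
}

function Restore-PolicyValue {
    param([Parameter(ValueFromPipeline)]$Change)
    process {
        if ($null -eq $Change.Previous) {
            # The value did not exist before: remove it to return to "Not configured".
            Remove-ItemProperty -Path $Change.Path -Name $Change.Name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $Change.Path -Name $Change.Name -Value $Change.Previous
        }
    }
}

# Apply every entry and keep the change records for a later revert.
$changes = foreach ($p in $Policies) { Set-PolicyValue @p }
$changes | Format-Table -AutoSize

# ... installation steps that need the temporary settings run here ...
# $changes | Restore-PolicyValue
```

A value written this way is not recorded in the local Group Policy store, so the Group Policy Editor will not show it, and a domain GPO that configures the same setting will overwrite it at the next policy refresh.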

1

I would not recommend relying on registry changes when I want to achieve a policy. A policy isn't always a registry entry and vice versa... Especially when it comes to the processing order, there are differences, as well as in the stage of implementation (image, pre- / post-sysprep) depending on the hive (if the policy sets a registry value).

From personal experience I would prefer to set and apply a GPO rather than editing reg values manually. We had the issue that reg settings were not finding their way back to the policy and policy settings were overriding the reg value.

A nice way is the PS cmdlets, very well explained here: https://www.powershellmagazine.com/2012/05/14/managing-group-policy-with-powershell/

Matthias Fleschütz

Posted 2019-01-23T15:24:15.213

Reputation: 11

0

Yes, it is possible with a PowerShell script; I found here a descriptive way to manage Local Policy with PowerShell.

If I can suggest another approach: why not edit the image and deploy the image with the configuration you like?

If you cannot edit the image because a third party provides it to you, you can restore it on a computer, perform your personalisation and create an image to restore on other computers with open-source tools like Clonezilla.

AtomiX84

Posted 2019-01-23T15:24:15.213

Reputation: 637

0

Some policies are stored in C:\Windows\System32\GroupPolicy in CSV format.

Audit policies can be set via the auditpol command.

George Sovetov

Posted 2019-01-23T15:24:15.213

Reputation: 157