24

I have to set the local group policy settings and the local security policy for a couple of machines which are not in a Windows domain. Until now, I've done that by manually setting the keys in gpedit. Due to the transition to Windows 10, I would like to automate that and use a batch or PowerShell script to set them. It would be very nice if this can be done without 3rd-party tools.

How can I set these policies using PowerShell or a batch file?

Thank you for your answers in advance!

Peter

SamErde
P. Egli

4 Answers

13

PolicyFileEditor is a PowerShell module to manage local GPO registry.pol files.

Brandon Padgett provides an example usage:

# $UserDir is not defined in the quoted snippet; it is the local GPO's user-side registry.pol (added here so the example runs as-is).
$UserDir = "$env:windir\System32\GroupPolicy\User\registry.pol"

$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$RegName = 'ScreenSaverIsSecure'
$RegData = '1'
$RegType = 'String'

# Writes the value into registry.pol (and updates gpt.ini so the change is picked up on the next gpupdate)
Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType
Zoredache
Stajs
10

You can do it in PowerShell using Set-ItemProperty on the Registry provider; e.g. to disable Windows Update Access, you can run:

Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name DisableWindowsUpdateAccess -Value 1

(HKLM:\ being the standard alias for the "Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\" registry drive path.)

A list of Group Policy registry keys can be downloaded from Microsoft: Download Group Policy Settings Reference for Windows and Windows Server | Microsoft Download Center

Pak
  • 2
    Thank you very much! But by changing the registry directly, the policy will not enforce the actual registry value if it is changed for any reason. So is there a possibility to set the Group Policy, which then sets the registry accordingly? – P. Egli May 05 '17 at 18:32
  • You can run gpupdate to get the computer to reload the settings; in the same way as you would when loading the values directly in the registry via regedit. E.g. `gpupdate /force /target:computer` – Pak May 05 '17 at 21:55
  • 1
    I should add that the Group Policy Editor just reads and sets the registry values, so setting the registry settings has the same effect as setting the group policy. – Pak May 05 '17 at 22:05
  • 12
    Changing the registry manually isn't the same as setting a policy. When the corresponding registry value is set in gpedit and a user changes the entry, gpupdate will enforce the set value at boot time. If I set a value for the machine policy in the registry using regedit, this does not lead to a correct entry in the policy. Therefore, if the value gets changed for an arbitrary reason, gpupdate will not correct this setting. But that's what I am looking for. So, is there a possibility to set up the *.pol file using a batch script or a PowerShell script? – P. Egli May 07 '17 at 09:58
  • 7
    This does not set the Local Group Policy, as was asked. Registry settings are overwritten with the local policy (and group policy, if the machine is in a domain), so this answer does not yield the expected results. See [this answer](https://superuser.com/a/1192458/245038) – LCC Oct 21 '20 at 11:17
2

There are several cmdlets that can be used to manipulate GPOs (Create, Get-Info, ...). You can easily list them by using

Get-Command -Module GroupPolicy

The most important ones:

New-GPO -Name "My Own GPO" -Comment "This is a new GPO for me"

New-GPO -Name "My Own GPO" | New-GPLink -Target "ou=clients,dc=ad,dc=contoso,dc=com"

Remove-GPLink -Name "My Own GPO" -Target "ou=clients,dc=ad,dc=contoso,dc=com"

Get-GPO -Name "My Own GPO"

Get-GPO -Name "My Own GPO" | Get-GPOReport -ReportType HTML -Path c:\temp\report.html

Set-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut -Type DWord -Value 300

Get-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"

Remove-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut

Invoke-GPUpdate -Computer "ad\server1" -Target "User"

Get-GPResultantSetOfPolicy -Computer dc1 -ReportType HTML -Path c:\temp\dc1rsop.html

This was just taken from here.

SamErde
  • 5
    Requires the _Group Policy Management Console_; the _Remote Server Administration Tools_ must be installed first (on Windows 10 available with Pro or Enterprise editions) – escalator Apr 22 '20 at 13:31
  • @escalator You can install it using `add-windowsfeature gpmc` – Dragas Dec 15 '21 at 09:14
  • Seems like it needs a domain controller? – SamB Mar 18 '22 at 17:26
  • 1
    This answer applies to group policies in an Active Directory. The question is about machines that are not in a Windows domain. – Dr Phil May 13 '23 at 20:03
0

Great script from Microsoft that goes into more detail on editing registry property values via PowerShell using Set-ItemProperty and other cmdlets. As has been stated, this doesn't appear to update the local policy editor's GUI, so you'd probably want to use the PolicyFileEditor if that's an issue for you. I have to do this on remote machines using a 3rd-party MDM and I want to eliminate as many dependencies as possible, so I'm just sticking with out-of-the-box commands. Hope this helps piece all of this together for others.

Because my users have the ability to change settings as local admins, I'm also just going to re-run this script each day. Unfortunately, gpupdate /force /target:computer doesn't seem to update the settings for me (I'm changing the screen lockout time), so the machines will have to reboot for the changes to take effect.

Matthew Wetmore
Purge0