
First of all, I'm not an expert in either Windows or Group Policy scripting, but one of my tasks is to configure XP machines which are destined to be NOT networked. Consequently I've used VBScript to change registry settings, but now I have some settings in the Group Policy which I currently configure by hand but want to script or automate in some way.

Could anyone tell me if I can make changes to the Group Policy using VBScript, or do I need to use something else?

I found this page which outlines some possibilities but there's not much detail and I can't yet find follow up articles.

**Additional Information**

Using gpedit.msc I currently manually set the following settings in the GUI:

  1. Computer Configuration > Administrative Templates > System > Logon > Always wait for the network at computer startup and logon
  2. Computer Configuration > Administrative Templates > System > Turn Off Autoplay
  3. Computer Configuration > Windows Settings > Security Settings > User Rights Assignment > Access this computer from the network
  4. Computer Configuration > Windows Settings > Security Settings > User Rights Assignment > Deny access to this computer from the network
  5. Computer Configuration > Windows Settings > Security Settings > User Rights Assignment > Deny logon locally
  6. Computer Configuration > Windows Settings > Security Settings > User Rights Assignment > Logon Locally
  7. Computer Configuration > Windows Settings > Security Settings > Security Options > Network access: Shares that can be accessed from the network

I want to be able to script these changes using VBScript or some other means (.NET perhaps?)

I have found that for a couple of the above settings I can alter them directly in the registry, but the changes are not seen in the Group Policy editor (gpedit.msc).

D-Dᴙum

2 Answers


It's possible, yes.

Not really advisable, because the supported and recommended way to do this is through the gpedit.msc tool (or GPOs on a domain). As a result, doing it with a script is semi-documented at best, and you do run into some oddities trying.

If you're still determined to try, these settings are really just registry keys. If you can figure out which keys are changed, it's trivial to script something up to import all those registry keys and end up with the desired configuration. I'd just use a batch file, honestly.

The problem you'll run into, however, is that these changes need to be saved to %SystemRoot%\System32\GroupPolicy\User\Registry.pol to be enforced as local group policy, and I don't know of a good scripted solution to that, so the common workaround is to set this up the way you want on a second machine, and copy the %SystemRoot%\System32\GroupPolicy\User folder and files to your target machines.

I personally find the whole thing to be such a pain that I'd rather set up a small domain than go through that process to automate applying local group policy.

HopelessN00b
  • Thanks for your reply. I found that 'Registry.pol' file but it only contains one line (which I think refers to waiting for network at startup setting) but nothing, for example, about the Shares access from the network. Also the file was under the 'Machine' folder rather than 'User'. Note that some of the settings are under Windows Settings rather than Administrative Templates. Will that make a difference? – D-Dᴙum Oct 04 '12 at 12:17
  • 1
    @Kerubu Well, as far as my knowledge goes, that file should contain one line/entry per enforced GPO. So it is possible that it contains one line because you only have the one GPO enforced at the moment? Regarding the rest, I honestly couldn't say. What I posted has been how I've scripted local group policy in the past, when I needed to, and it's worked for me. I don't know if there's a better way, or a file I'm missing, or now that I think about it, if there's a separate `Registry.pol` for each "type" of GPO (user and machine, and maybe ADM) or what difference it would make. – HopelessN00b Oct 04 '12 at 12:33
  • I think I'll try copying the whole of the Group Policy folder as I found the .adm files you mentioned and they appear to contain a lot more information that relates to the GPO. – D-Dᴙum Oct 04 '12 at 14:03
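The comment thread above turns on what Registry.pol actually contains and whether it can be written by a script instead of copied from a second machine. The following is an added example, not code from the answer or the thread: a small Python reader/writer for the documented Registry.pol layout (a `PReg` signature, a version DWORD of 1, then one entry per policy registry value, written in UTF-16LE as `[key;value;type;size;data]`). Machine\Registry.pol holds HKLM-relative keys from Computer Configuration, User\Registry.pol holds HKCU-relative keys from User Configuration, so a file under Machine with a single entry is exactly what one Administrative Templates setting under Computer Configuration produces. The SyncForegroundPolicy value is the one given in the second answer; the NoDriveTypeAutoRun value behind "Turn off Autoplay" (0xFF = all drives) is added here from the documented policy; the output path is assumed to be the local GPO. User Rights Assignment and Security Options are not registry policy and never appear in this file. After writing it, `gpupdate /force` reapplies policy regardless of the version number in gpt.ini.

```python
"""Read, modify and write a local Registry.pol (the MS-GPREG "PReg" format).

Added example, not code from the original thread.  It relies only on the
documented file layout: a "PReg" signature, a version DWORD (1), then one
entry per policy registry value, each written in UTF-16LE as
    [key\0;value\0;<type DWORD>;<size DWORD>;<data>]
Keys are relative to HKLM (Machine\Registry.pol) or HKCU (User\Registry.pol).
"""
import struct

REG_SZ, REG_DWORD, REG_MULTI_SZ = 1, 4, 7
SIGNATURE = b"PReg"
VERSION = 1


def _u16(text):
    return text.encode("utf-16-le")


def encode_data(reg_type, data):
    """Turn a Python value into the raw bytes stored in an entry."""
    if isinstance(data, (bytes, bytearray)):      # already raw (e.g. REG_BINARY)
        return bytes(data)
    if reg_type == REG_DWORD:
        return struct.pack("<I", data)
    if reg_type == REG_SZ:
        return _u16(data + "\0")                  # size includes the terminating NUL
    if reg_type == REG_MULTI_SZ:
        return _u16("\0".join(data) + "\0\0")     # NUL-separated, double-NUL terminated
    raise ValueError("unsupported registry type %d" % reg_type)


def decode_data(reg_type, raw):
    if reg_type == REG_DWORD:
        return struct.unpack("<I", raw)[0]
    if reg_type == REG_SZ:
        return raw.decode("utf-16-le").rstrip("\0")
    if reg_type == REG_MULTI_SZ:
        return [s for s in raw.decode("utf-16-le").split("\0") if s]
    return raw                                    # unknown types are kept as bytes


def serialize(entries):
    """entries: list of (key, value, reg_type, data) -> Registry.pol bytes."""
    out = bytearray(SIGNATURE + struct.pack("<I", VERSION))
    for key, value, reg_type, data in entries:
        raw = encode_data(reg_type, data)
        out += _u16("[") + _u16(key + "\0") + _u16(";") + _u16(value + "\0") + _u16(";")
        out += struct.pack("<I", reg_type) + _u16(";") + struct.pack("<I", len(raw)) + _u16(";")
        out += raw + _u16("]")
    return bytes(out)


def parse(blob):
    """Registry.pol bytes -> list of (key, value, reg_type, data)."""
    if blob[:4] != SIGNATURE or struct.unpack_from("<I", blob, 4)[0] != VERSION:
        raise ValueError("not a version-1 PReg file")

    def read_cstr(pos):                           # NUL-terminated UTF-16LE string
        end = pos
        while blob[end:end + 2] != b"\0\0":
            end += 2
        return blob[pos:end].decode("utf-16-le"), end + 2

    def expect(pos, ch):                          # the [ ; ] delimiters are UTF-16 chars
        if blob[pos:pos + 2] != _u16(ch):
            raise ValueError("expected %r at offset %d" % (ch, pos))
        return pos + 2

    entries, pos = [], 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_cstr(pos)
        pos = expect(pos, ";")
        value, pos = read_cstr(pos)
        pos = expect(pos, ";")
        reg_type = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        raw, pos = blob[pos:pos + size], pos + size
        pos = expect(pos, "]")
        entries.append((key, value, reg_type, decode_data(reg_type, raw)))
    return entries


def set_value(entries, key, value, reg_type, data):
    """Replace an existing key/value (case-insensitively, as the registry is) or append,
    so existing policies in the file survive instead of being overwritten."""
    kv = (key.lower(), value.lower())
    kept = [e for e in entries if (e[0].lower(), e[1].lower()) != kv]
    kept.append((key, value, reg_type, data))
    return kept


# The two Administrative Templates items from the question, as the registry values
# behind them (both HKLM-relative, so they belong in Machine\Registry.pol):
WINLOGON = r"Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

if __name__ == "__main__":
    import os
    path = os.path.expandvars(r"%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol")  # assumed local GPO
    existing = parse(open(path, "rb").read()) if os.path.exists(path) else []
    existing = set_value(existing, WINLOGON, "SyncForegroundPolicy", REG_DWORD, 1)    # always wait for network
    existing = set_value(existing, EXPLORER, "NoDriveTypeAutoRun", REG_DWORD, 0xFF)   # autoplay off on all drives
    open(path, "wb").write(serialize(existing))
    # then run: gpupdate /force
```

Because `set_value` merges by key and value name, the script can be re-run on a machine that already has other local policies without clobbering them, which is the gap the copy-the-folder workaround has.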

There is a tool called GPO Registry Editor which can edit/update the local group policy per command without overwriting all existing policies (a big advantage over just copying and pasting the Registry.pol). To use this tool, first get the source code. GRE is written in AutoItScript. To create an executable you will need to compile it, e.g. by using the AutoItScript editor.

You should now have a gre.exe which has the following command line options:

GPO Registry Editor provides read/write capabilities for registry policy files.

Usage:
-a  --add    Add the entry specified by the key, value, type, and data parameters.
-r  --remove Remove the entry specified by the key and value parameters.
-d  --data   Specifies the data of the registry entry.
-f  --file   Specifies the registry file to load or modify.
             Use `computer` or `user` to specify the system policy files.
-k  --key    Specifies the key of the registry entry.
-s  --silent Perform the operation silently (no GUI).
-t  --type   Specifies the type of the registry entry.     
-v  --value  Specifies the value of the registry entry.
-h  --help   Display this message.     
-?  --?      Display this message.

To figure out which keys and values need to be set, you can run gpedit.msc and set the settings you want. As gpedit.msc applies the policies directly, you can open regedit.exe and go to HKLM\SOFTWARE\Policies or HKCU\SOFTWARE\Policies to check which key has been set.

[EDIT] I have found a tool called Registry.pol Viewer Utility which can read a registry policy file (Registry.pol) located in %SYSTEMROOT%\System32\GroupPolicy\Machine or %SYSTEMROOT%\System32\GroupPolicy\User. It shows you which keys and values, with their data, have been applied to the group policy. These can then easily be used with gre. [/EDIT]

For example, for the policy Computer Configuration > Administrative Templates > System > Logon > Always wait for the network at computer startup and logon, the following gre command can be used:

gre --add -s -f=computer -k="Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -v="SyncForegroundPolicy" -t REG_DWORD -d="1"

Several gre commands can then be added to a batch script, with the following command added at the end to apply the updated group policy:

gpupdate /force

Such a script can easily be started on a target computer to apply the needed policies. It can also be used by your deployment tool of choice, such as WPKG.
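gre and Registry.pol cover items 1 and 2 of the question only. Items 3 to 7 (User Rights Assignment and Security Options) belong to the Security Settings extension, not to registry policy: they live in the local security database and, for the local GPO, in %SystemRoot%\System32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf, and the command-line tool for them is secedit.exe (`secedit /export /cfg current.inf` dumps the live settings as an INI-style template, `secedit /configure /db rights.sdb /cfg rights.inf` applies one). The Python below is an added example, not code from either answer: it parses the [Privilege Rights] section of such an export and builds a template for the four user rights in the question, referring to principals by well-known SID so no account lookup is needed. The sample export text is constructed, the target end state (network logon granted to nobody and denied to Everyone, Guests denied local logon) is an assumption about what "not networked" should mean, and the NullSessionShares line assumes that item 7 refers to "Network access: Shares that can be accessed anonymously". Like a direct registry edit, a template applied with secedit takes effect but is not shown by gpedit.msc.

```python
"""Script the User Rights Assignment / Security Options items with secedit.

Added example, not from the original thread.  These settings are not
registry policy, so Registry.pol never contains them; secedit.exe reads
and writes them as an INI-style security template:
    secedit /export /cfg current.inf                   (dump the live settings)
    secedit /configure /db rights.sdb /cfg rights.inf  (apply a template)
"""
import subprocess

# gpedit.msc name -> constant used in [Privilege Rights] (documented names)
RIGHTS = {
    "Access this computer from the network":         "SeNetworkLogonRight",
    "Deny access to this computer from the network": "SeDenyNetworkLogonRight",
    "Log on locally":                                "SeInteractiveLogonRight",
    "Deny logon locally":                            "SeDenyInteractiveLogonRight",
}
# Well-known SIDs; templates reference principals as *SID.
EVERYONE, ADMINISTRATORS, USERS, GUESTS = "*S-1-1-0", "*S-1-5-32-544", "*S-1-5-32-545", "*S-1-5-32-546"

# Security Options are [Registry Values] lines of the form  MACHINE\key=type,data
# (1 = REG_SZ, 4 = REG_DWORD, 7 = REG_MULTI_SZ).  Assumed to be item 7 of the question:
NULL_SESSION_SHARES = r"MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares"

# Constructed, abridged sample of what `secedit /export /cfg current.inf` produces.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,Guest
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """{right: [principal, ...]} from the [Privilege Rights] section of a template/export."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, members = line.partition("=")
            rights[name.strip()] = [m.strip() for m in members.split(",") if m.strip()]
    return rights


def offline_machine_rights(current):
    """Rights for a box that must not be reachable over the network (assumed end state).
    Rights not mentioned here (e.g. SeShutdownPrivilege) are carried over unchanged."""
    wanted = dict(current)
    wanted["SeNetworkLogonRight"] = []                       # empty = granted to nobody
    wanted["SeDenyNetworkLogonRight"] = [EVERYONE]
    wanted["SeInteractiveLogonRight"] = [ADMINISTRATORS, USERS]
    wanted["SeDenyInteractiveLogonRight"] = [GUESTS]
    return wanted


def build_template(rights, registry_values=None):
    """Render a template that secedit /configure accepts.  A right listed with no
    principals is removed from everyone; a right omitted entirely is left as is."""
    lines = ["[Unicode]", "Unicode=yes",
             "[Version]", 'signature="$CHICAGO$"', "Revision=1",
             "[Privilege Rights]"]
    for name in sorted(rights):
        lines.append("%s = %s" % (name, ",".join(rights[name])))
    if registry_values:
        lines.append("[Registry Values]")
        for key in sorted(registry_values):
            reg_type, data = registry_values[key]
            lines.append("%s=%d,%s" % (key, reg_type, data))
    return "\r\n".join(lines) + "\r\n"


def write_template(path, text):
    """Unicode=yes means the file itself must be UTF-16LE with a BOM."""
    with open(path, "wb") as f:
        f.write(b"\xff\xfe" + text.encode("utf-16-le"))


if __name__ == "__main__":
    subprocess.check_call(["secedit", "/export", "/cfg", "current.inf"])
    with open("current.inf", "rb") as f:
        current = parse_privilege_rights(f.read().decode("utf-16"))
    template = build_template(offline_machine_rights(current),
                              {NULL_SESSION_SHARES: (7, "")})   # no anonymously reachable shares
    write_template("rights.inf", template)
    subprocess.check_call(["secedit", "/configure", "/db", "rights.sdb", "/cfg", "rights.inf"])
```

Exporting first and merging, rather than writing a template from scratch, keeps whatever other rights the machine already has; only the four rights from the question are overwritten. Run `secedit /export` again afterwards to confirm the result.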