6

I am trying to use the GroupPolicy PowerShell module to manipulate and read local group policy settings on a standalone Windows 2012R2 server.

When I try to execute the Get-GPOReport cmdlet:

```powershell
Get-GPOReport -All -ReportType Xml
```

I get the following error:

```
Get-GPOReport : Current security context is not associated with an Active Directory domain or forest.
At line:1 char:1
+ Get-GPOReport -ReportType Xml -all
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-GPOReport], ActiveDirectoryOperationException
+ FullyQualifiedErrorId : System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException,Microsoft.GroupPolicy.Commands.GetGpoReportCommand
```

I've also tried specifying my server name as well:

```powershell
Get-GPOReport -ReportType Xml -all -server devserver01
```

But I get the same error.

I am logged in as Administrator on this server whilst running these commands. I also have the Group Policy Management Console installed which is a pre-requisite.

The error message:

```
Current security context is not associated with an Active Directory domain or forest.
```

suggests I should be logged in as a Domain user, but as I mentioned, this is a standalone server that is not part of an AD domain.

Is it not possible to use the GroupPolicy module cmdlets on a standalone server?

Kev
  • I'm confused. If there's no AD domain, then what Group Policies do you expect to interface with? What are you actually trying to accomplish? – techie007 May 09 '14 at 12:55
  • I want to read and change local group policy settings, i.e. settings configured via the `gpedit.msc` MMC snap-in. – Kev May 09 '14 at 12:57

2 Answers

8

Group Policy may seem synonymous with Local Security Policy and often in IT we talk this way. Similar to saying Kleenex for any tissue.

Unfortunately, it's a little off. When Microsoft refers to Group Policy Objects they mean just that...a group setting or a setting that could be applied to a group of objects.

So when TechNet refers to GPOs, they mean it in the context of a domain, and not a single local security policy.

So unfortunately, NO you won't be able to use the GPO cmdlets on a standalone server.

TheCleaner
  • So...back to `secedit` or registry hacking with procmon to see what gets changed when using `gpedit.msc` then? – Kev May 09 '14 at 13:01
  • Yeah `secedit` basically, and policy auditing. You could try something like: [Netwrix Change Notifier for Active Directory](http://www.netwrix.com/top_7_freeware_tools.html) but I've never used it, so I don't even know if it'll report properly on an LSP but it says it will. – TheCleaner May 09 '14 at 13:10
  • +1 Not to mention, without AD, you've no [Active Directory Web Services](http://blogs.msdn.com/b/adpowershell/archive/2009/04/06/active-directory-web-services-overview.aspx) for the PowerShell cmdlets to talk to, so... – jscott May 09 '14 at 14:02
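
The `secedit` route mentioned in the comments above, as an added example that is not part of the original thread: it exports the local security policy on a standalone server and parses the INF file into nested hashtables. The function names `ConvertFrom-SecurityInf` and `Get-LocalSecurityPolicy` are hypothetical, the sample INF text is constructed, and only the security settings area that `secedit` exports is covered, not Administrative Templates settings.

```powershell
# Added example: read local security policy without the GroupPolicy module.
function ConvertFrom-SecurityInf {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Line)
    $policy  = [ordered]@{}
    $section = $null
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { continue }   # blank line or comment
        if ($text -match '^\[(.+)\]$') {                           # [Section Name]
            $section = $Matches[1]
            $policy[$section] = [ordered]@{}
            continue
        }
        if ($null -eq $section) { continue }                       # ignore text before any section
        # Split on the first '=' only; registry values contain commas and further '='.
        $name, $value = $text -split '=', 2
        $policy[$section][$name.Trim()] = if ($null -ne $value) { $value.Trim() } else { '' }
    }
    $policy
}

function Get-LocalSecurityPolicy {
    # Needs an elevated session. secedit.exe ships with Windows.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
        ConvertFrom-SecurityInf -Line (Get-Content -LiteralPath $cfg)
    }
    finally {
        # The export describes the host's security posture; do not leave it in TEMP.
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

# Constructed sample in the layout secedit writes, so the parser can be tried offline.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
'@ -split "`r?`n"

$parsed = ConvertFrom-SecurityInf -Line $sample
$parsed['System Access']['MinimumPasswordLength']
```

On a live server, `(Get-LocalSecurityPolicy)['System Access']` returns the account policy values in the same shape.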

0

This isn't technically true - if you're running on a WORKGROUP machine or a machine on an untrusted domain you can run the tools using the `runas /netonly` command to provide the credentials.

You then need to supply both the `-Server` and `-Domain` parameters: https://david-homer.blogspot.com/2023/08/activedirectory-powershell-error-get.html

David Homer