Solved

How Do I Change Local Policy Settings via a batch file or script file?

Posted on 2004-09-10
Last Modified: 2012-06-21
I have a mix of Win9x, 2000, and XP Pro machines on our NT Network. I have set local computer policies by: (in Win9x, using Policy Editor; in W2K & XP, using the MMC).

This is a rather tedious process that I have to go through whenever I need to access the machine to do a task.

Is there a way, via a batch file or script, that I can run that will release all the policies on the local computer so that now there aren't any policies, make my changes, then reapply the policies back after I am done?

For example, a policy is set to remove the "Run" command from the start menu.

On a Win9x computer, use Policy Editor on the Local Computer\Windows 98 System\Shell\Restrictions\Remove "Run" Command is checked. On the W2K/XP computer, you would navigate to Local Computer Policy\Administrative Template\Start Menu & Taskbar\Desktop and "Enable" - Remove Run Command from Start Menu.

Any help would be appreciated.

Thanks in advance.
Question by:mperez1216
9 Comments
 
LVL 17

Expert Comment

by:Jared Luker
ID: 12035679
Almost every setting in policies is simply an easy way to tweak the registry.  If you could find out what keys get modified by that particular policy, then you could batch or script a way to change those settings, log out, back in, change what you want, and then reboot so that the policy would take hold again.

For example to disable the run line (from http://silverstr.ufies.org/blog/archives/000257.html)


Remove Run from the Start Menu

UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoRun
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

The policies make things easy, but things can be controlled this way as well.

Personally, I'd lose the 98 machines! : )

Good luck,

Jared
 

Author Comment

by:mperez1216
ID: 12075194
But, how would you make these changes via a batch file? Do you use the regedit command with a parameter switch?

Or would it be easier to create a vb script to make the change? I have some familiarity with creating a batch file, but no familiarity with creating a vb script.

Is there a link that you can provide besides the one you mentioned? It appeared that the link provided a way to make changes via the registry editor, not a batch or script.

As you said, I want to be able to open a command prompt, run the batch to unlock the pc, do what I need to do, run the batch again to relock the pc, and walk away.
 
LVL 4

Expert Comment

by:LittleRed1
ID: 12120355
I prefer to use REGINI to do this.

You would need to create a file with the settings you want and then use REGINI in the logon script to import the settings.

Keep in mind that the settings will only take effect at the next logon. If you want to get around this, you will have to find a way of running it before Explorer loads. This is easy on Terminal server but I'm not sure about normal workstations.
 
LVL 17

Expert Comment

by:Jared Luker
ID: 12122193
If you are not familiar with vb script, then you can use regedit /s with the above information to silently import the reg file to the machine via login scripts.

Jared
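
The approach from the answers above (the NoRun value, imported silently with regedit /s) written out as one batch file. This is an added example, not part of the original thread; the file name runpolicy.cmd and its lock/unlock arguments are assumptions, and it is written for cmd.exe on Windows 2000/XP.

```batch
@echo off
rem Added example, not from the thread. Usage: runpolicy.cmd lock  or  unlock
rem Generates a small .reg file for the NoRun value quoted earlier and
rem imports it with regedit /s, so one script covers both directions.
setlocal
set DATA=
set KEY=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
set REGFILE=%TEMP%\runpolicy.reg

rem 1 = policy enabled (Run removed), 0 = policy disabled (Run visible).
if /i "%~1"=="lock"   set DATA=00000001
if /i "%~1"=="unlock" set DATA=00000000
if not defined DATA (
    echo Usage: %~nx0 lock ^| unlock
    exit /b 1
)

rem REGEDIT4 is the header accepted by regedit on Win9x as well as 2000/XP,
rem so the generated file can be reused on the older machines.
rem Redirection is placed first so the trailing digit is not read as a handle.
> "%REGFILE%" echo REGEDIT4
>>"%REGFILE%" echo.
>>"%REGFILE%" echo [%KEY%]
>>"%REGFILE%" echo "NoRun"=dword:%DATA%

rem /s suppresses the confirmation dialogs; start /wait blocks until done.
start /wait regedit /s "%REGFILE%"
del "%REGFILE%"

rem Show the resulting value. reg.exe ships with XP; on 2000 it is part of
rem the Support Tools, so fall back to a hint if the query fails.
reg query "%KEY%" /v NoRun 2>nul || echo Could not query NoRun; check with regedit.

rem As noted in the thread, Explorer reads this at logon.
echo Log off and back on for the change to take effect.
endlocal
```

This writes the per-user key (UKey above); to act on the machine-wide key, set KEY to the SKey path from the first answer and run the script from an administrator account.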

Author Comment

by:mperez1216
ID: 12359748
Sorry for delay in getting back to you (all). I used the example quoted by Jared and created two files; one to do the change and one to reset it back and it seemed to work.

But then I came across the following: Are the registry entries the same for both 2000 pro and XP pro? And what about a system that was upgraded to XP Pro?

Is there somewhere where I can find the registry entries to all the settings found in MMC/Local Computer Policy/Administrative Templates/all of the subfolders that I can copy into a reg file?

These are the items that I am interested in controlling. Nothing else.

Dumb question: If I used the MMC to "lock" down a pc and save the file to "Console1" (which is the default file name), can I take this file to another pc running the same os and apply the settings just by opening and closing the file?
 

Author Comment

by:mperez1216
ID: 12786611
Still waiting for reply to my posting from October (I know it's December now. Halloween and Thanksgiving were hectic).

But I am genuinely interested in being able to open a script on any machine that will "unlock or open" the machine to me (as admin), do what I have to do, then run the script again to "lockdown or close" the machine to what it was prior to me touching it.

If there is a site that can point me to ALL the settings found in the MMC, that would be great. I can enter all the registry entries in a reg file and when I need to "unlock" the pc, I can just run this. Another reg file "locks" it back up.
 

Author Comment

by:mperez1216
ID: 12786625
Point value increased
 
LVL 17

Accepted Solution

by:
Jared Luker earned 200 total points
ID: 12787212
You can save those settings to a security template (saved as an .inf file).  You can then go to each machine and import that .inf into the local security policy editor.

Here is how to export your security policies:

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_lqvj.asp

To answer your question about the registry in 2000 and XP, they are MOSTLY the same.  The best way to find out what you are changing in the registry is to go and get a utility called Install Watch Pro (www.epsilonsquared.com).  Install Watch is free.

Take a snapshot of your system and then make a change and then rescan and it will tell you what registry changes had been made.

Jared
 
LVL 17

Expert Comment

by:Jared Luker
ID: 13320828
thx.