How Do I Change Local Policy Settings via a batch file or script file?

I have a mix of Win9x, 2000, and XP Pro machines on our NT Network. I have set local computer policies by: (in Win9x, using Policy Editor; in W2K & XP, using the MMC).

This is a rather tedious process that I have to go through whenever I need to access the machine to do a task.

Is there a way, via a batch file or script, that I can run that will release all the polices on the local computer so that now there aren't any policies, make my changes, then reapply the policies back after I am done?

For example, a policy is set to remove the "Run" command from the start menu.

On a Win9x computer, use Policy Editor on the Local Computer\Windows 98 System\Shell\Restrictions\Remove "Run" Command is checked. On the W2K/XP computer, you would navigate to Local Computer Policy\Admistrative Template\Start Menu & Taskbar\Desktop and "Enable" - Remove Rum Command from Start Menu.

Any help would be appreciative.

Thanks in advance.
mperez1216Asked:
Who is Participating?
 
Jared LukerConnect With a Mentor Commented:
You can save those settings to a security template (saved as an .inf file).  You can then go to each machine and import that .inf into the local security policy editor.

Here is how to export your security policies:

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_lqvj.asp

To answer your question about the regisry in 2000 and XP, they are MOSTLY the same.  The best way to find out what you are chaning in the regisry is to go and get a utility called Install Watch Pro (www.epsilonsquared.com).  Install watch is free.

Take a snapshot of your system and then make a change and then rescan and it will tell you what registry changes had been made.

Jared
0
 
Jared LukerCommented:
Almost every setting in policy's are simply easy ways to tweak registrys.  If you could find out what keys get modified by that particular policy, then you could batch or script a way to change those settings, log out, back in, change what you want, and then reboot so that the policy would take hold again.

For example to disable the run line (from http://silverstr.ufies.org/blog/archives/000257.html)


Remove Run from the Start Menu

UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoRun
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

The policy's make things easy, but things can be controlled this way as well.

Personally, I'd lose the 98 machines! : )

Good luck,

Jared
0
 
mperez1216Author Commented:
But, how would you make these changes via a batch file. Do you use the regedit command with a parameter switch?

Or would it be easier to create a vb script to make the change. I have some familiarity with creating a batch file, but no familiarity with creating a vb script.

Is there a link that you can provide besides the one you mentioned. It appeared that the link provided a way to make changes via the registry editor, not a batch or script.

As you said, I want to be able to open a command prompt, run the batch to unlock the pc, do what I need to do, run the batch again to relock the pc, and walk away.
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
LittleRed1Commented:
I prefer to use REGINI to do this.

You would need to create a file with the settings you want and then use REGINI in the logon script to import the settings.

Keep in mind that the settings will only take effect at the next logon. If you want to get around this, you will have to find a way of running it before Explorer loads. This is easy on Terminal server but I'm not sure about normal workstations.
0
 
Jared LukerCommented:
If you are not familiar with vb script, then you can use regedit /s with the above information to silently import the reg file to the machine via login scripts.

Jared
0
 
mperez1216Author Commented:
Sorry for delay in getting back to you (all). I used the example quoted by jared and created two files; one to do the change and one to reset it back and it seemed to work.

But then I came across the following: Are the registry entries the same for both 2000 pro and XP pro? And what about a system that was upgraded to XP Pro?

Is there somewhere where I can find the registry entries to all the settings found in MMC/Local Computer Policy/Administrative Templates/all of the subfolders that I can copy into a reg file?

These are the items that I am interested in controlling. Nothing else.

Dumb question: If I used the MMC to "lock" down a pc and save the file to "Console1" (which is the default file name), can I take this file to another pc running the same os and apply the settings just by opening and closing the file?
0
 
mperez1216Author Commented:
Still waiting for reply to my posting from October ( I know it's December now. Halloween and Thanksgiving were hectic).

But I am genuinely interested in being able to open a script on any machine that will "unlock or open" the machine to me (as admin), do what I have to do, then run the script again to "lockdown or close" the machine to what it was prior to me touching it.

If there is a site that can point me to ALL the settings found in the MMC, that would be great. I can enter all the registry entries in a reg file and when I need to "unlock" the pc, I can just run this. Another reg file "locks" it back up.
0
 
mperez1216Author Commented:
Point value increased
0
 
Jared LukerCommented:
thx.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.