We help IT Professionals succeed at work.

Enforce Group Policy on multiple computers without Active Directory or Server

boiseitllc
boiseitllc used Ask the Experts™
on
I have a group of 10 computers on a Peer to Peer network, I want to force some policies (mainly internet explorer, network connectivity and desktop appearance) to these computers.  I know that I can do it one by one without any problem by editing the group policy individually on each computer, what i would like to do, however, is have the group policy in tact (or registry settings) and just hit each computer quickly and force the policy.  Can a canned policy that I put on one computer be quickly replicated on each of the other machines without having to manually open the computer's group policy editor and manually changing every setting?  I understand that I would need to touch every machine to apply it, but just want an easier solution.

In a perfect world, I would have a file on at flash drive, apply that file to the machine and all the policies would take effect.

Reminder: I am not on a windows domain, just a Peer to Peer network.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Most Valuable Expert 2011
Top Expert 2011

Commented:
You can export the needed settings to a simple login script, that will enforce them on logon. But a savvy user will be able to use regedit to reverse anything there..... Even a Non Admin in some cases.....

Do you know which reg settings need to be applied?

Author

Commented:
I'm not all that worried about savy users here, just want the settings applied and locked.

Settings I am wanting to apply are as follows...

Set Desktop Wallpaper to a specific file.
Set Home Page in IE
Turn off ability to do the following...
   Delete Browsing History and Change Browsing History Settings
   Delete Browsing History on Exit
   Set IE Home Page
   Set or Change Proxy
   Add 4 URL's to Favorites Bar
Most Valuable Expert 2011
Top Expert 2011
Commented:
Ok... Keep in mind, there is no locking in GPO if the user's are a local Admin... Based on your comment above, I dont think thats gonna be a problem.....
rem Wallpaper
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /d "path to wallpaper.jpg" /f
REM sets home page in IE
reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v “Start Page” /d ”http://www.yoursite.com/” /f

REM Disable the General Tab ENTIRELY, or use the ones below for Cache/History
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "GeneralTab" /t reg_dword /d "0x1" /f

REM Disable the Temp Internet Files button/setting
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "Cache" /t reg_dword /d "0x1" /f
REM Disable the History button
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "History" /t reg_dword /d "0x1" /f

REM Disable the Home Page button
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t reg_dword /d "0x1" /f
REM Disable the Proxy button
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "Proxy" /t reg_dword /d "0x1" /f

REM Empty TIF when the browser is closed (1=do not empty, 0=empty)
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache" /v "Persistent" /t reg_dword /d "0x0" /f

Open in new window

Most Valuable Expert 2011
Top Expert 2011

Commented:
Now you could also use HKLM settings if the following is in place.... (for the IE policies)

Then a non admin cant change them.....
 

REM 0 is user settings, 1 is MACHINE settings
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "Security_HKLM_only" /t reg_dword /d "0x1" /f

Open in new window

Most Valuable Expert 2011
Top Expert 2011

Commented:
Oh, and the Favorites Bar, just needs .URL shortcuts copied to them here....

%userprofile%\Favorites\Links

Author

Commented:
So all I need to do is save this information as a .reg file and make the necessary changes and then apply it to the machine (s) right?
Most Valuable Expert 2011
Top Expert 2011

Commented:
Sorry, no... .BAT file.....

Please test this to make sure you get the desired effects before deploying to the other systems though......


Author

Commented:
Ok.... We're close....

Changed the wallpaper but did not lock it.

Disabled the ability to lock the browsing history but did not turn off the browsing history manual delete section.

Did not change the home page or lock ability to change it


Thoughts?
Most Valuable Expert 2011
Top Expert 2011

Commented:
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies" /v "NoDispBackgroundPage" /t reg_dword /d "0x1" /f

Hides the Desktop Tab... Will that work?

BRB with the others....
Most Valuable Expert 2011
Top Expert 2011

Commented:
Hides the General Tab in IE Options....

reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "GeneralTab" /t reg_dword /d "0x1" /f

Most Valuable Expert 2011
Top Expert 2011

Commented:
Still interested..... Will suggest accepted comments if no response by next CV checkin....