Solved

Script changes to Local Group Policy

Posted on 2011-09-28
Last Modified: 2012-08-13
I need to roll out changes to a non-domain network which will update each local group policy with a variety of changes.

I figure the most efficient way to do this might be to somehow script the changes, then add the script to the Startup folder (or something similar), but I am trying to work out how to script it.

Windows XP Pro 32bit.

I have seen http://www.msfn.org/board/topic/22802-tools-for-scripting-changes-to-local-group-policy/ but I am unable to find snapreg.exe anywhere.
Question by:Flipp
10 Comments
 
LVL 65

Expert Comment

by:RobSampson
ID: 36722765
Hi, you will need to use SecEdit to apply a modified policy template.  See here:
http://www.appdeploy.com/tips/detail.asp?id=23

Regards,

Rob.
0
 
LVL 6

Author Comment

by:Flipp
ID: 36794213
Thanks Rob.

I see some of the settings from Local Computer Policy, but what about settings listed under Administrative Templates? (e.g. Windows Updates, Windows Firewall)

How would I automate deployment of these settings?
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36812707
For Windows Updates, I think you'll need to add registry settings to your new template to cover the settings, as shown here:
http://support.microsoft.com/kb/328010

You would need to do a similar thing with the Windows Firewall I think:
http://technet.microsoft.com/en-us/library/bb490624.aspx

The local policies aren't designed to be modified automatically, really, so you'll need to do some research into the keys you need to set.

You could look through the .adm template to find the registry keys.

Regards,

Rob.

0

 
LVL 6

Author Comment

by:Flipp
ID: 36812720
Strangely enough, I did set WU via GPMC then changed it via the registry, but this change did not reflect back in GPMC. Is this expected? Do I need to run some type of 'Update' script to apply the regedit change into GPMC?
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36813016
I have seen registry edits not reflect in GPMC.  The best check would be to check the Windows Automatic Updates GUI for the change, and run
gpupdate /force

as well, and see if the change is still in effect via the registry.

Rob.
0
 
LVL 6

Author Comment

by:Flipp
ID: 36913760
Thanks Rob - I will re-test this over the next week while I complete some imaging post-deployment tasks.
0
 
LVL 6

Author Comment

by:Flipp
ID: 36914055
OK, so I have tested this just now and after modifying the registry for AU, GP does not change but the Automatic Update UI does change. Even after restart and gpupdate /force.

Registry and UI remain intact.

Is this expected behaviour or is something not right - just need to clear up before signing off on image for all machines.
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 1000 total points
ID: 36914636
As far as I know, this is by design (or maybe a bug, depending on how you look at it).  If you look at the same policy in GPEdit.msc, and it is "Not Configured", then you can make whatever change you want to its corresponding registry key, and it will stay that way.  On the other hand, whatever the Policy has as defined, whether that's Enabled, Disabled, or configured to something else, then it will "reset" the registry change you made at the next Group Policy update.

So, if you want to script it, you have to leave it as Not Configured.

For configured settings, the settings get stored in
C:\Windows\system32\grouppolicy\user\registry.pol
or
C:\Windows\system32\grouppolicy\machine\registry.pol

I guess if you wanted the GP to update the GUI, then you could have a crack at modifying the .pol file, but it looks oddly encoded.

Regards,

Rob.
0
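The `.pol` files named in the accepted answer use Microsoft's documented PReg layout: a `PReg` signature, a version DWORD of 1, then `[key;value;type;size;data]` records with UTF-16LE strings and delimiters. As an added example (not code from this thread), the Python parser below lists what a `registry.pol` contains, which shows the settings Group Policy will reapply over a manual registry edit; the `make_dword` helper and the sample bytes are constructed here, using the `NoAutoUpdate` and `AUOptions` Automatic Updates values as sample entries.

```python
import struct

REG_SZ, REG_DWORD = 1, 4

def _expect(blob, pos, ch):
    # Delimiters '[', ';' and ']' are stored as 2-byte UTF-16LE characters.
    if blob[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_str(blob, pos):
    # Key and value names are NUL-terminated UTF-16LE strings.
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        if end + 2 > len(blob):
            raise ValueError("unterminated string")
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def parse_pol(blob):
    """Return [(key, value_name, type, data)] from the bytes of a registry.pol."""
    if len(blob) < 8 or blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version 1 PReg file")
    pos, entries = 8, []
    while pos < len(blob):
        key, pos = _read_str(blob, _expect(blob, pos, "["))
        name, pos = _read_str(blob, _expect(blob, pos, ";"))
        rtype, = struct.unpack_from("<I", blob, _expect(blob, pos, ";"))     # ';' + type
        size, = struct.unpack_from("<I", blob, _expect(blob, pos + 6, ";"))  # ';' + size
        pos = _expect(blob, pos + 12, ";")                                   # ';' before data
        raw = data = blob[pos:pos + size]
        if len(raw) != size:
            raise ValueError("truncated data")
        pos = _expect(blob, pos + size, "]")
        if rtype == REG_DWORD and size == 4:
            data = struct.unpack("<I", raw)[0]
        elif rtype == REG_SZ:
            data = raw.decode("utf-16-le", "replace").rstrip("\x00")
        entries.append((key, name, rtype, data))
    return entries

def make_dword(key, name, value):
    # Builds one constructed REG_DWORD record so the parser runs without a Windows host.
    u = lambda s: s.encode("utf-16-le")
    return (u("[" + key + "\0;" + name + "\0;") + struct.pack("<I", REG_DWORD) + u(";")
            + struct.pack("<I", 4) + u(";") + struct.pack("<I", value) + u("]"))

AU_KEY = r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
SAMPLE = (b"PReg" + struct.pack("<I", 1)
          + make_dword(AU_KEY, "NoAutoUpdate", 0) + make_dword(AU_KEY, "AUOptions", 4))
```

On a real machine, read `C:\Windows\system32\grouppolicy\machine\registry.pol` in binary mode and pass the bytes to `parse_pol`; any value it lists is one that a scripted registry change will not hold against at the next policy refresh.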
 
LVL 6

Author Closing Comment

by:Flipp
ID: 36914651
Cheers Rob - I really appreciate your persistence and care to detail on this one.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36914679
No problem. Thanks for the grade.

Rob.
0
