Solved

Script changes to Local Group Policy

Posted on 2011-09-28
Last Modified: 2012-08-13
I need to roll out changes to a non-domain network which will update each local group policy with a variety of changes.

I figure the most efficient way to do this might be to somehow script the changes, then add the script to the Startup folder (or something similar), but I am trying to work out how to script it.

Windows XP Pro 32bit.

I have seen http://www.msfn.org/board/topic/22802-tools-for-scripting-changes-to-local-group-policy/ but am unable to find snapreg.exe anywhere.
0
Question by:Flipp
10 Comments
 
LVL 65

Expert Comment

by:RobSampson
ID: 36722765
Hi, you will need to use SecEdit to apply a modified policy template.  See here:
http://www.appdeploy.com/tips/detail.asp?id=23

Regards,

Rob.
0
 
LVL 6

Author Comment

by:Flipp
ID: 36794213
Thanks Rob.

I see some of the settings from Local Computer Policy, but what about settings listed under Administrative Templates? (e.g. Windows Updates, Windows Firewall)

How would I automate deployment of these settings?
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36812707
For Windows Updates, I think you'll need to add registry settings to your new template to cover the settings, as shown here:
http://support.microsoft.com/kb/328010

You would need to do a similar thing with the Windows Firewall I think:
http://technet.microsoft.com/en-us/library/bb490624.aspx

The local policies aren't designed to be modified automatically, really, so you'll need to do some research into the keys you need to set.

You could look through the .adm template to find the registry keys.

Regards,

Rob.

0
 
LVL 6

Author Comment

by:Flipp
ID: 36812720
Strangely enough, I did set WU via GPMC then changed it via the registry, but this change did not reflect back in GPMC. Is this expected? Do I need to run some type of 'Update' script to apply the regedit change into GPMC?
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36813016
I have seen registry edits not reflect in GPMC.  The best check would be to check the Windows Automatic Updates GUI for the change, and run
gpupdate /force

as well, and see if the change is still in effect via the registry.

Rob.
0
 
LVL 6

Author Comment

by:Flipp
ID: 36913760
Thanks Rob - I will re-test this over the next week while I complete some imaging post-deployment tasks.
0
 
LVL 6

Author Comment

by:Flipp
ID: 36914055
OK, so I have tested this just now, and after modifying the registry for AU, GP does not change but the Automatic Update UI does change. Even after restart and gpupdate /force.

Registry and UI remain intact.

Is this expected behaviour or is something not right - just need to clear up before signing off on image for all machines.
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 250 total points
ID: 36914636
As far as I know, this is by design (or maybe a bug, depending on how you look at it).  If you look at the same policy in GPEdit.msc, and it is "Not Configured", then you can make whatever change you want to its corresponding registry key, and it will stay that way.  On the other hand, whatever the Policy has as defined, whether that's Enabled, Disabled, or configured to something else, then it will "reset" the registry change you made at the next Group Policy update.

So, if you want to script it, you have to leave it as Not Configured.

For configured settings, the settings get stored in
C:\Windows\system32\grouppolicy\user\registry.pol
or
C:\Windows\system32\grouppolicy\machine\registry.pol

I guess if you wanted the GP to update the GUI, then you could have a crack at modifying the .pol file, but it looks oddly encoded.

Regards,

Rob.
0
 
LVL 6

Author Closing Comment

by:Flipp
ID: 36914651
Cheers Rob - I really appreciate your persistence and care to detail on this one.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36914679
No problem. Thanks for the grade.

Rob.
0
