[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Script changes to Local Group Policy

Posted on 2011-09-28
10
Medium Priority
?
610 Views
Last Modified: 2012-08-13
I need to rollout changes to a non-domain network which will update each local group policy with a variety of changes.

I figure the most efficient way to do this might be to somehow script the changes, then add the script to Startup folder (or something similar), but am trying to work out how to script?

Windows XP Pro 32bit.

I have seen http://www.msfn.org/board/topic/22802-tools-for-scripting-changes-to-local-group-policy/ but unable to find snapreg.exe anywhere.
0
Comment
Question by:Flipp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 65

Expert Comment

by:RobSampson
ID: 36722765
Hi, you will need to use SecEdit to apply a modified policy template.  See here:
http://www.appdeploy.com/tips/detail.asp?id=23

Regards,

Rob.
0
 
LVL 6

Author Comment

by:Flipp
ID: 36794213
Thanks Rob.

I see some of the settings from Local Computer Policy, but what about settings listed under Administrative Templates? (e.g. Windows Updates, Windows Firewall)

How would I automate deployment of these settings?
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36812707
For Windows Updates, I think you'll need to add registry settings to your new template to cover the settings, as shown here:
http://support.microsoft.com/kb/328010

You would need to do a similar thing with the Windows Firewall I think:
http://technet.microsoft.com/en-us/library/bb490624.aspx

The local policies aren't designed to be modified automatically, really, so you'll need to do some research into the keys you need to set.

You could look through the .adm template to find the registry keys.

Regards,

Rob.

Rob.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 6

Author Comment

by:Flipp
ID: 36812720
Strangely enough I did set WU via GPMC then changed via registry but this change did not reflect back in GPMC. is this expected? Do I need to run some type of 'Update' script to apply regedit change into GPMC?
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36813016
I have seen registry edits not reflect in GPMC.  The best check would be to check the Windows Automatic Updates GUI for the change, and run
gpupdate /force

as well, and see if the change is still in effect via the registry.

Rob.
0
 
LVL 6

Author Comment

by:Flipp
ID: 36913760
Thanks Rob - I will re-test this over the next week while I complete some imaging post-deployment tasks.
0
 
LVL 6

Author Comment

by:Flipp
ID: 36914055
OK, so I have tested this just now and after modifying registry for AU GP does not change but Automatic Update UI does change. Even after restart and gpupdate /force.

Registry and UI remains in tact.

Is this expected behaviour or is something not right - just need to clear up before signing off on image for all machines.
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 1000 total points
ID: 36914636
As far as I know, this is by design (or maybe a bug, depending on how you look at it).  If you look at the same policy in GPEdit.msc, and it is "Not Configured", then you can make whatever you change you want to its corresponding registry key, and it will stay that way.  On the other hand, whatever the Policy has as defined, whether that's Enabled, Disabled, or configured to the something else, then it will "reset" the registry change you made at the next Group Policy update.

So, if you want to script it, you have to leave it as Not Configured.

For configured settings, the settings get stored in
C:\Windows\system32\grouppolicy\user\registry.pol
or
C:\Windows\system32\grouppolicy\machine\registry.pol

I guess if you wanted the GP to update the GUI, then you could have a crack at modifying the .pol file, but it looks oddly encoded.

Regards,

Rob.
0
 
LVL 6

Author Closing Comment

by:Flipp
ID: 36914651
CHeers Rob - I really appreciate your persistence and care to detail on this one.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 36914679
No problem. Thanks for the grade.

Rob.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question