Solved

Script changes to Local Group Policy

Posted on 2011-09-28
Last Modified: 2012-08-13
I need to roll out changes to a non-domain network which will update each local group policy with a variety of changes.

I figure the most efficient way to do this might be to somehow script the changes, then add the script to the Startup folder (or something similar), but I am trying to work out how to script this.

Windows XP Pro 32bit.

I have seen http://www.msfn.org/board/topic/22802-tools-for-scripting-changes-to-local-group-policy/ but I am unable to find snapreg.exe anywhere.
Question by:Flipp
 
LVL 65

Expert Comment

by:RobSampson
Hi, you will need to use SecEdit to apply a modified policy template.  See here:
http://www.appdeploy.com/tips/detail.asp?id=23

Regards,

Rob.
0
 
LVL 6

Author Comment

by:Flipp
Thanks Rob.

I see some of the settings from Local Computer Policy, but what about settings listed under Administrative Templates? (e.g. Windows Updates, Windows Firewall)

How would I automate deployment of these settings?
0
 
LVL 65

Expert Comment

by:RobSampson
For Windows Updates, I think you'll need to add registry settings to your new template to cover the settings, as shown here:
http://support.microsoft.com/kb/328010

You would need to do a similar thing with the Windows Firewall I think:
http://technet.microsoft.com/en-us/library/bb490624.aspx

The local policies aren't designed to be modified automatically, really, so you'll need to do some research into the keys you need to set.

You could look through the .adm template to find the registry keys.

Regards,

Rob.

0
 
LVL 6

Author Comment

by:Flipp
Strangely enough, I did set WU via GPMC then changed it via the registry, but this change did not reflect back in GPMC. Is this expected? Do I need to run some type of 'Update' script to apply the regedit change into GPMC?
0
 
LVL 65

Expert Comment

by:RobSampson
I have seen registry edits not reflect in GPMC.  The best check would be to check the Windows Automatic Updates GUI for the change, and run
gpupdate /force

as well, and see if the change is still in effect via the registry.

Rob.
0
 
LVL 6

Author Comment

by:Flipp
Thanks Rob - I will re-test this over the next week while I complete some imaging post-deployment tasks.
0
 
LVL 6

Author Comment

by:Flipp
OK, so I have tested this just now and, after modifying the registry for AU, GP does not change but the Automatic Update UI does change. Even after restart and gpupdate /force.

Registry and UI remain intact.

Is this expected behaviour or is something not right - just need to clear up before signing off on image for all machines.
0
 
LVL 65

Accepted Solution

by:RobSampson earned 250 total points
As far as I know, this is by design (or maybe a bug, depending on how you look at it).  If you look at the same policy in GPEdit.msc, and it is "Not Configured", then you can make whatever change you want to its corresponding registry key, and it will stay that way.  On the other hand, whatever the Policy has as defined, whether that's Enabled, Disabled, or configured to something else, then it will "reset" the registry change you made at the next Group Policy update.

So, if you want to script it, you have to leave it as Not Configured.

For configured settings, the settings get stored in
C:\Windows\system32\grouppolicy\user\registry.pol
or
C:\Windows\system32\grouppolicy\machine\registry.pol

I guess if you wanted the GP to update the GUI, then you could have a crack at modifying the .pol file, but it looks oddly encoded.

Regards,

Rob.
0
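The registry.pol files mentioned in the accepted answer use the documented PReg layout: an 8-byte header (`PReg` plus version 1) followed by UTF-16LE records of the form `[key;value;type;size;data]`. The parser below is an added example, not code from the thread, and lists the values a configured policy will re-apply at the next Group Policy update; the sample bytes are constructed, using the Windows Update `AU` policy key and the `NoAutoUpdate`/`AUOptions` value names.

```python
import struct

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
U16 = "utf-16-le"

def _expect(blob, pos, char):  # '[', ';' and ']' are 2-byte UTF-16LE characters
    if blob[pos:pos + 2] != char.encode(U16):
        raise ValueError(f"expected {char!r} at offset {pos}")
    return pos + 2

def _read_string(blob, pos):  # key and value names are NUL-terminated UTF-16LE
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        if end + 2 > len(blob):
            raise ValueError("unterminated string")
        end += 2
    return blob[pos:end].decode(U16), end + 2

def _read_dword(blob, pos):
    if pos + 4 > len(blob):
        raise ValueError("truncated DWORD")
    return struct.unpack_from("<I", blob, pos)[0], pos + 4

def parse_registry_pol(blob):
    """Return (key, value, type, data) for each entry in a Registry.pol blob."""
    if len(blob) < 8 or blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_string(blob, pos)
        value, pos = _read_string(blob, _expect(blob, pos, ";"))
        rtype, pos = _read_dword(blob, _expect(blob, pos, ";"))
        size, pos = _read_dword(blob, _expect(blob, pos, ";"))
        pos = _expect(blob, pos, ";")
        if pos + size > len(blob):
            raise ValueError("data runs past end of file")
        raw, pos = blob[pos:pos + size], _expect(blob, pos + size, "]")
        data = struct.unpack("<I", raw)[0] if rtype == 4 and size == 4 else raw
        entries.append((key, value, REG_TYPES.get(rtype, rtype), data))
    return entries

def build_entry(key, value, rtype, raw):  # constructed sample data only
    return (("[" + key + "\0;" + value + "\0;").encode(U16) + struct.pack("<I", rtype)
            + ";".encode(U16) + struct.pack("<I", len(raw)) + ";".encode(U16) + raw + "]".encode(U16))

AU_KEY = r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
SAMPLE = b"PReg" + struct.pack("<I", 1) + b"".join(
    build_entry(AU_KEY, n, 4, struct.pack("<I", v)) for n, v in [("NoAutoUpdate", 0), ("AUOptions", 4)])
```

To audit a real machine, read the file in binary mode and pass the bytes to `parse_registry_pol`; any value it lists is one where a scripted registry change will be overwritten by policy.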
 
LVL 6

Author Closing Comment

by:Flipp
Cheers Rob - I really appreciate your persistence and care to detail on this one.
0
 
LVL 65

Expert Comment

by:RobSampson
No problem. Thanks for the grade.

Rob.
0
