• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 628
  • Last Modified:

Script changes to Local Group Policy

I need to rollout changes to a non-domain network which will update each local group policy with a variety of changes.

I figure the most efficient way to do this might be to somehow script the changes, then add the script to Startup folder (or something similar), but am trying to work out how to script?

Windows XP Pro 32bit.

I have seen http://www.msfn.org/board/topic/22802-tools-for-scripting-changes-to-local-group-policy/ but unable to find snapreg.exe anywhere.
0
Flipp
Asked:
Flipp
  • 5
  • 5
1 Solution
 
RobSampsonCommented:
Hi, you will need to use SecEdit to apply a modified policy template.  See here:
http://www.appdeploy.com/tips/detail.asp?id=23

Regards,

Rob.
0
 
FlippAuthor Commented:
Thanks Rob.

I see some of the settings from Local Computer Policy, but what about settings listed under Administrative Templates? (e.g. Windows Updates, Windows Firewall)

How would I automate deployment of these settings?
0
 
RobSampsonCommented:
For Windows Updates, I think you'll need to add registry settings to your new template to cover the settings, as shown here:
http://support.microsoft.com/kb/328010

You would need to do a similar thing with the Windows Firewall I think:
http://technet.microsoft.com/en-us/library/bb490624.aspx

The local policies aren't designed to be modified automatically, really, so you'll need to do some research into the keys you need to set.

You could look through the .adm template to find the registry keys.

Regards,

Rob.

Rob.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
FlippAuthor Commented:
Strangely enough I did set WU via GPMC then changed via registry but this change did not reflect back in GPMC. is this expected? Do I need to run some type of 'Update' script to apply regedit change into GPMC?
0
 
RobSampsonCommented:
I have seen registry edits not reflect in GPMC.  The best check would be to check the Windows Automatic Updates GUI for the change, and run
gpupdate /force

as well, and see if the change is still in effect via the registry.

Rob.
0
 
FlippAuthor Commented:
Thanks Rob - I will re-test this over the next week while I complete some imaging post-deployment tasks.
0
 
FlippAuthor Commented:
OK, so I have tested this just now and after modifying registry for AU GP does not change but Automatic Update UI does change. Even after restart and gpupdate /force.

Registry and UI remains in tact.

Is this expected behaviour or is something not right - just need to clear up before signing off on image for all machines.
0
 
RobSampsonCommented:
As far as I know, this is by design (or maybe a bug, depending on how you look at it).  If you look at the same policy in GPEdit.msc, and it is "Not Configured", then you can make whatever you change you want to its corresponding registry key, and it will stay that way.  On the other hand, whatever the Policy has as defined, whether that's Enabled, Disabled, or configured to the something else, then it will "reset" the registry change you made at the next Group Policy update.

So, if you want to script it, you have to leave it as Not Configured.

For configured settings, the settings get stored in
C:\Windows\system32\grouppolicy\user\registry.pol
or
C:\Windows\system32\grouppolicy\machine\registry.pol

I guess if you wanted the GP to update the GUI, then you could have a crack at modifying the .pol file, but it looks oddly encoded.

Regards,

Rob.
0
 
FlippAuthor Commented:
CHeers Rob - I really appreciate your persistence and care to detail on this one.
0
 
RobSampsonCommented:
No problem. Thanks for the grade.

Rob.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now