Mark Russinovich has an excellent article on circumventing Group Policy changes.

Group policy settings are an integral part of any Windows-based IT environment. If you’re a network administrator you use them to enforce corporate security and desktop management policy, and if you’re a user you’ve almost certainly been frustrated by the limitations imposed by those policies. Regardless of which you are, you should be aware that if the users in your network belong to the local administrator’s group they can get around policies any time they want.

There are two steps to circumventing a group policy setting: identifying the setting’s location and preventing the setting from being applied. There are many group policy references available, but since machine group policy settings store in the HKEY_LOCAL_MACHINE branch of the Registry and per-user group policy settings store in HKEY_CURRENT_USER, if you don’t know the location of the setting that’s preventing you from doing something you want you can use Regmon to find it.

The number of desktop lockdown settings available to group policy administrators is enormous. They can prevent you from doing anything from changing your desktop appearance and start menu to running certain applications. Two commonly applied settings include a pre-configured screen saver program so that users don’t waste resources on frivolous screen savers, and a screen saver timeout so that systems aren’t left indefinitely accessible when a user steps away. When these settings are in effect Windows omits the screen saver tab of display properties control panel applet or doesn’t let you modify the screen saver or its timeout. I’m going to show you how to use the power of being a local administrator and Regmon to track down these settings and override them on your own system.

While it goes into the Registry Monitor, Process Monitor also exists these days which combines several monitoring tools into one. It allows you to find the registry keys that are being modified. Just jump to the relevant registry keys and change their permissions such that they can't be updated anymore...

Check out what you can do with the reg command; you can verify access with accesschk.


The following tool, from Microsoft TechNet, allows management of Group Policy via the command line, and thus scripting as well:

Local Group Policy Object Utility, v1.0


Group policy for the local machine is stored in the registry.

The lame approach for modifying it, is via the Command Prompt using the reg command. This is less than practical because it requires absolute knowledge of each and every local policy registry setting, and errors here may be quite disastrous.

The tool to use instead is PowerShell, Microsoft's successor to the Command Prompt.

Some articles that can start you on the way to using PowerShell cmdlets for local policy changes are :

Use Windows PowerShell to Manage Group Policy
Windows PowerShell Cmdlets for Group Policy
Group Policy management for IT pros
Group Policy
Group Policy Settings Reference for Windows and Windows Server