How to edit Local Group Policy with a script?

windows scripting powershell group-policy

I have to set the local group policy settings and the the local security policy for a couple of machines which are not in a Windows domain. Until now, I've done that by manually setting the keys in gpedit. Due to the transition to Windows 10, I would like to automate that and use a batch or PowerShell script to set them. It would be very nice if this can be done without 3rd-party tools.

How can I set these policies using Powershell or a batch file?

Thank you for your answers in advance!

Peter


Solution 1:

You can do it in PowerShell using Set-ItemProperty on the Registry provider; e.g. to disable Windows Update Access, you can run:

Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name DisableWindowsUpdateAccess -Value 1

(HKLM:\ being the standard alias for the "Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\" registry drive path.)

List of Group Policy registry keys can be downloaded from Microsoft at Download Group Policy Settings Reference for Windows and Windows Server | Microsoft Download Center

Solution 2:

PolicyFileEditor is a PowerShell module to manage local GPO registry.pol files.

Brandon Padgett provides an example usage:

$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$RegName = 'ScreenSaverIsSecure'
$RegData = '1'
$RegType = 'String'


Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

Solution 3:

There are several CmdLets that can be used to manipulate GPOs (Create, Get-Info, ...). You can easily list them by using

Get-Command -Module GroupPolicy

The most important ones:

New-GPO -Name "My Own GPO" -Comment "This is a new GPO for me"

New-GPO -Name "My Own GPO" | New-GPLink -Target "ou=clients,dc=ad,dc=contoso,dc=com"

Remove-GPLink -Name "My Own GPO" -Target "ou=clients,dc=ad,dc=contoso,dc=com"

Get-GPO -Name "My Own GPO"

Get-GPO -Name "My Own GPO" | Get-GPOReport -ReportType HTML -Path c:\temp\report.html

Set-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut -Type DWord -Value 300

Get-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"

Remove-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut

Invoke-GPUpdate -Computer "ad\server1" -Target "User"

Get-GPResultantSetOfPolicy -Computer dc1 -ReportType HTML -Path c:\temp\dc1rsop.html

This was just taken from here.

Related

Post request in Laravel - Error - 419 Sorry, your session/ 419 your page has expired
How to keep track of class instances?
Why do absolute elements stack up on each other instead of stacking one after the other?
How to scroll List programmatically in SwiftUI?
Why is the parallel package slower than just using apply?
Java 1.6 - determine symbolic links
Find the highest order bit in C [duplicate]
Benefits of Initialization lists
How to update GUI with backgroundworker?
What is the difference between Lisp-1 and Lisp-2?
CSS selector by inline style attribute
Recommended JSF 2.0 CRUD frameworks [closed]