Change group policy using windows CMD

windows-xp command-line windows-update group-policy wsus
129,569

Solution 1

Mark Russinovich has an excellent article on circumventing Group Policy changes.

Group policy settings are an integral part of any Windows-based IT environment. If you’re a network administrator you use them to enforce corporate security and desktop management policy, and if you’re a user you’ve almost certainly been frustrated by the limitations imposed by those policies. Regardless of which you are, you should be aware that if the users in your network belong to the local administrator’s group they can get around policies any time they want.

There are two steps to circumventing a group policy setting: identifying the setting’s location and preventing the setting from being applied. There are many group policy references available, but since machine group policy settings store in the HKEY_LOCAL_MACHINE branch of the Registry and per-user group policy settings store in HKEY_CURRENT_USER, if you don’t know the location of the setting that’s preventing you from doing something you want you can use Regmon to find it.

The number of desktop lockdown settings available to group policy administrators is enormous. They can prevent you from doing anything from changing your desktop appearance and start menu to running certain applications. Two commonly applied settings include a pre-configured screen saver program so that users don’t waste resources on frivolous screen savers, and a screen saver timeout so that systems aren’t left indefinitely accessible when a user steps away. When these settings are in effect Windows omits the screen saver tab of display properties control panel applet or doesn’t let you modify the screen saver or its timeout. I’m going to show you how to use the power of being a local administrator and Regmon to track down these settings and override them on your own system.

While it goes into the Registry Monitor, Process Monitor also exists these days which combines several monitoring tools into one. It allows you to find the registry keys that are being modified. Just jump to the relevant registry keys and change their permissions such that they can't be updated anymore...

Check out what you can do with the reg command; you can verify access with accesschk.

Solution 2

The following tool, from Microsoft TechNet, allows management of Group Policy via the command line, and thus scripting as well:

Local Group Policy Object Utility, v1.0

Solution 3

Group policy for the local machine is stored in the registry.

The lame approach for modifying it, is via the Command Prompt using the reg command. This is less than practical because it requires absolute knowledge of each and every local policy registry setting, and errors here may be quite disastrous.

The tool to use instead is PowerShell, Microsoft's successor to the Command Prompt.

Some articles that can start you on the way to using PowerShell cmdlets for local policy changes are :

Use Windows PowerShell to Manage Group Policy
Windows PowerShell Cmdlets for Group Policy
Group Policy management for IT pros
Group Policy
Group Policy Settings Reference for Windows and Windows Server

Share:
129,569

Related videos on Youtube

Anthony Miller
Author by

Anthony Miller

"Your competition is a hungry immigrant with a digital handheld assistant. America is made up of immigrants... if your children are to be successful they must act like immigrants in their own country. Just by being born here doesn't give you the ability to be successful... it is the work ethic... the pioneering ethic... the service ethic that will win. Your competition is always a hungry immigrant with a digital assistant: hungry in the belly for food, hungry in the mind for knowledge, and the hunger is something that should never leave you." ~Dr. Dennis Waitley

Updated on September 18, 2022

Comments

  • Anthony Miller
    Anthony Miller over 1 year

    I want to change the group policy setting that applies the value of the Windows Update WSUS server location HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer and HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer.

    Changing them directly in the registry will not overwrite what has been set in the group policy, so I would like to know, what commands can I use to change the group policy input of these values instead?

  • Anthony Miller
    Anthony Miller over 12 years
    I didn't specify, but this is an enterprise environment and dependencies are not acceptable (i.e. non-inclusive tools).
  • Sopalajo de Arrierez
    Sopalajo de Arrierez over 8 years
    Thanks for the method, Tom. But it captures too much data when dealing with changes made by gpedit.msc. I think this is rather a different question, so I have opened a new thread here: superuser.com/questions/946123/…
  • Glenn Slayden
    Glenn Slayden over 7 years
    As appealing as the PowerShell GroupPolicy cmdlet seems, apparently (and surprisingly) it cannot be used in the simplest case, namely, to manage local machine or user policies on a non-domain joined machine. Indeed your first link states that the cmdlet requires AD, but before noticing this, I struggled to get the GP cmdlet working using on a standalone Windows 10 Pro client and latest PowerShell. I was encouraged at first that RSAT (a prerequisite of the GP cmdlet) installed successfully, but in the end, the cmdlet was never satisfied with the strength of the local Administrator credentials.
  • Suncatcher
    Suncatcher almost 6 years
    @GlennSlayden, could you please tell more about your tensions? You installed RSAT but anyway failed because you machine wasn't in the domain, because of weakness of your password? Why?
  • Glenn Slayden
    Glenn Slayden almost 6 years
    @Suncatcher My best guess is that it was because it’s a standalone machine with no domain. As I mentioned, I originally either did not notice this requirement (or perhaps didn’t believe it would be a showstopper).
  • escalator
    escalator about 4 years
    As far as I tested, changing Registry Keys has no effect on the appropriate Group Policies.
  • Rikin Patel
    Rikin Patel almost 4 years
    Please read que. properly... You ans. is funny ..... :)
  • Community
    Community about 2 years
    As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Stop Feature upgrades and properly manage them via WSUS
Windows Update when Group Policy Forbids
Remove machines from WSUS
Configuring location based GPO for WSUS updates but only for some clients
Clients not updating with approved updates from WSUS
WSUS & GPOS - Force restart and disable choosing updates W12R2
Users are seeing Windows Update notification on Terminal Servers. How to stop it?
How to disable WSUS on our domain?
Edit Windows Update GPO Via Command Line
Lost use of forward slash in windows command prompt