How to edit Local Group Policy with a script?
Solution 1
You can do it in PowerShell using Set-ItemProperty on the Registry provider; e.g. to disable Windows Update Access, you can run:
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name DisableWindowsUpdateAccess -Value 1
(HKLM:\ being the standard alias for the "Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\" registry drive path.)
A list of Group Policy registry keys can be downloaded from Microsoft at "Download Group Policy Settings Reference for Windows and Windows Server | Microsoft Download Center".
Solution 2
PolicyFileEditor is a PowerShell module to manage local GPO registry.pol files.
Brandon Padgett provides an example usage:
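# Requires the PolicyFileEditor module to be installed
Import-Module PolicyFileEditor
# Standard location of the local per-user policy file
$UserDir = "$env:windir\System32\GroupPolicy\User\registry.pol"
$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$RegName = 'ScreenSaverIsSecure'
$RegData = '1'
$RegType = 'String'
# Write the entry into registry.pol instead of editing the registry directly
Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType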
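An added example, not part of the original answer or of the PolicyFileEditor project: it writes a small baseline into the local registry.pol files with the module's Set-PolicyFileEntry and Get-PolicyFileEntry cmdlets, then reports for each setting whether it is recorded in the policy file and whether the live registry matches. The baseline reuses the two settings shown on this page; the function names and the Scope field are assumptions made for the example.

```powershell
# Added example. Assumes an elevated session and that PolicyFileEditor is installed.
Import-Module PolicyFileEditor

# Constructed baseline built from the two settings used in the answers on this page.
$Baseline = @(
    @{ Scope = 'Machine'; Key = 'Software\Policies\Microsoft\Windows\WindowsUpdate'
       ValueName = 'DisableWindowsUpdateAccess'; Data = 1; Type = 'DWord' }
    @{ Scope = 'User'; Key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       ValueName = 'ScreenSaverIsSecure'; Data = '1'; Type = 'String' }
)

# Hypothetical helper: map a scope to its local registry.pol file.
function Get-LocalPolPath([string]$Scope) {
    "$env:windir\System32\GroupPolicy\$Scope\registry.pol"
}

# Hypothetical helper: record every entry in registry.pol, then refresh policy.
function Set-LocalPolicyBaseline([hashtable[]]$Entries) {
    foreach ($e in $Entries) {
        Set-PolicyFileEntry -Path (Get-LocalPolPath $e.Scope) -Key $e.Key `
            -ValueName $e.ValueName -Data $e.Data -Type $e.Type
    }
    gpupdate /force | Out-Null
}

# Hypothetical helper: compare the policy file and the live registry per entry.
function Test-LocalPolicyBaseline([hashtable[]]$Entries) {
    foreach ($e in $Entries) {
        $hive = if ($e.Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
        $pol  = Get-PolicyFileEntry -Path (Get-LocalPolPath $e.Scope) `
                    -Key $e.Key -ValueName $e.ValueName
        $live = (Get-ItemProperty -Path "$hive\$($e.Key)" -Name $e.ValueName `
                    -ErrorAction SilentlyContinue).($e.ValueName)
        [pscustomobject]@{
            Scope        = $e.Scope
            ValueName    = $e.ValueName
            InPolicyFile = ($null -ne $pol) -and ("$($pol.Data)" -eq "$($e.Data)")
            InRegistry   = "$live" -eq "$($e.Data)"
        }
    }
}

Set-LocalPolicyBaseline $Baseline
Test-LocalPolicyBaseline $Baseline | Format-Table -AutoSize
```

A row with InRegistry true and InPolicyFile false marks a value that exists only in the registry and is not recorded in registry.pol.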
Solution 3
There are several cmdlets that can be used to manipulate GPOs (Create, Get-Info, ...). You can easily list them by using:
Get-Command -Module GroupPolicy
The most important ones:
New-GPO -Name "My Own GPO" -Comment "This is a new GPO for me"
New-GPO -Name "My Own GPO" | New-GPLink -Target "ou=clients,dc=ad,dc=contoso,dc=com"
Remove-GPLink -Name "My Own GPO" -Target "ou=clients,dc=ad,dc=contoso,dc=com"
Get-GPO -Name "My Own GPO"
Get-GPO -Name "My Own GPO" | Get-GPOReport -ReportType HTML -Path c:\temp\report.html
Set-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut -Type DWord -Value 300
Get-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
Remove-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut
Invoke-GPUpdate -Computer "ad\server1" -Target "User"
Get-GPResultantSetOfPolicy -Computer dc1 -ReportType HTML -Path c:\temp\dc1rsop.html
This was just taken from here.
P. Egli
Updated on September 18, 2022
Comments
-
P. Egli over 1 year
I have to set the local group policy settings and the local security policy for a couple of machines which are not in a Windows domain. Until now, I've done that by manually setting the keys in gpedit. Due to the transition to Windows 10, I would like to automate that and use a batch or PowerShell script to set them. It would be very nice if this can be done without 3rd-party tools.
How can I set these policies using PowerShell or a batch file?
Thank you for your answers in advance!
Peter
-
P. Egli about 7 years
Thank you very much! But by changing the Registry directly the policy will not enforce the actual registry value if changed due to any reason. So is there a possibility to set the Group Policy which then sets the registry accordingly?
-
Pak about 7 years
You can run gpupdate to get the computer to reload the settings; in the same way as you would when loading the values directly in the registry via regedit. E.g.
gpupdate /force /target:computer
-
Pak about 7 years
I should add that the Group Policy Editor just reads and sets the registry values, so setting the registry settings has the same effect as setting the group policy.
-
P. Egli about 7 years
Changing the registry manually isn't the same as setting a policy. When the corresponding registry value is set in gpedit and a user changes the entry, gpupdate will enforce the set value at boot time. If I set a value for the machine policy in the registry using regedit, this does not lead to a correct entry in the policy. Therefore, if the value gets changed due to an arbitrary reason, gpupdate will not correct this setting. But that's what I am looking for. So, is there a possibility to set up the *.pol file using a batch script or a PowerShell script?
-
escalator about 4 years
Requires Group Policy Management Console; Remote Server Administration Tools must be installed first (on Windows 10, available with Pro or Enterprise editions).
-
LCC over 3 years
This does not set the Local Group Policy, as was asked. Registry settings are overwritten with the local policy (and group policy, if the machine is in a domain), so this answer does not yield the expected results. See this answer
-
Dragas over 2 years
@escalator You can install it using
add-windowsfeature gpmc
-
SamB about 2 years
Seems like it needs a domain controller?