25

I have to set the local group policy settings and the local security policy for a couple of machines which are not in a Windows domain. Until now, I've done that by manually setting the keys in gpedit. Due to the transition to Windows 10, I would like to automate that and use a batch or PowerShell script to set them. It would be very nice if this can be done without 3rd-party tools.

How can I set these policies using PowerShell or a batch file?

Thank you for your answers in advance!

Peter

4 Answers

13

PolicyFileEditor is a PowerShell module to manage local GPO registry.pol files.

Brandon Padgett provides an example usage:

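# Local GPO user policy file that the entry is written to
$UserDir = "$env:windir\System32\GroupPolicy\User\registry.pol"

$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$RegName = 'ScreenSaverIsSecure'
$RegData = '1'
$RegType = 'String'

# Requires the PolicyFileEditor module and an elevated session
Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType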
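
As an added example (not part of the original answer and not taken from the PolicyFileEditor project), the script below writes a small baseline into the machine registry.pol, refreshes policy, and then reports values where the live HKLM registry no longer matches the policy file, which is the registry-versus-policy distinction raised in the comments on this page. It assumes the PolicyFileEditor module is installed and the session is elevated; the function names and the baseline are constructed for illustration.

```powershell
# Added example, not code from the original answer.
# Assumes: PolicyFileEditor is installed and the session is elevated.
Import-Module PolicyFileEditor

$MachinePol = "$env:windir\System32\GroupPolicy\Machine\registry.pol"

# Constructed sample baseline; the entry is the Windows Update value used elsewhere on this page.
$Baseline = @(
    @{ Key = 'Software\Policies\Microsoft\Windows\WindowsUpdate'
       ValueName = 'DisableWindowsUpdateAccess'; Type = 'DWord'; Data = 1 }
)

function Set-LocalPolicyBaseline {   # hypothetical helper name
    param([string]$PolPath, [hashtable[]]$Entries)
    foreach ($e in $Entries) {
        Set-PolicyFileEntry -Path $PolPath -Key $e.Key -ValueName $e.ValueName `
                            -Data $e.Data -Type $e.Type
    }
}

function Get-LocalPolicyDrift {      # hypothetical helper name
    param([string]$PolPath)
    foreach ($entry in Get-PolicyFileEntry -Path $PolPath -All) {
        # Skip default values and registry.pol control entries such as **del.<name>
        if (-not $entry.ValueName -or $entry.ValueName.StartsWith('**')) { continue }
        $live = Get-ItemProperty -Path "HKLM:\$($entry.Key)" -Name $entry.ValueName `
                                 -ErrorAction SilentlyContinue
        $liveData = if ($live) { $live.($entry.ValueName) } else { $null }
        [pscustomobject]@{
            Key        = $entry.Key
            ValueName  = $entry.ValueName
            PolicyData = $entry.Data
            LiveData   = $liveData
            # Compared as strings so array-valued data is compared by content
            Drift      = ("$liveData" -ne "$($entry.Data)")
        }
    }
}

# Write the baseline into registry.pol, then have the policy engine apply it
Set-LocalPolicyBaseline -PolPath $MachinePol -Entries $Baseline
gpupdate.exe /target:computer /force | Out-Null

# Any row listed here is a value that differs from what the local policy file dictates
Get-LocalPolicyDrift -PolPath $MachinePol | Where-Object Drift | Format-Table -AutoSize
```

Running only the last line on a schedule gives a read-only check for settings that were changed behind the policy's back.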

10

You can do it in PowerShell using Set-ItemProperty on the Registry provider; e.g. to disable Windows Update Access, you can run:

Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name DisableWindowsUpdateAccess -Value 1

(HKLM:\ being the standard alias for the "Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\" registry drive path.)

A list of Group Policy registry keys can be downloaded from Microsoft at Download Group Policy Settings Reference for Windows and Windows Server | Microsoft Download Center.

5
  • 2
    Thank you very much! But by changing the Registry directly the policy will not enforce the actual registry value if changed due to any reason. So is there a possibility to set the Group Policy which then sets the registry accordingly?
    – P. Egli
    Commented May 5, 2017 at 18:32
  • You can run gpupdate to get the computer to reload the settings; in the same way as you would when loading the values directly in the registry via regedit. E.g. gpupdate /force /target:computer
    – Pak
    Commented May 5, 2017 at 21:55
  • 1
    I should add that the Group Policy Editor just reads and sets the registry values, so setting the registry settings has the same effect as setting the group policy.
    – Pak
    Commented May 5, 2017 at 22:05
  • 12
    Changing the registry manually isn't the same as setting a policy. When the corresponding registry value is set in gpedit and a user changes the entry, gpupdate will enforce the set value at boot time. If I set a value for the machine policy in the registry using regedit, this does not lead to a correct entry in the policy. Therefore, if the value gets changed due to an arbitrary reason, gpupdate will not correct this setting. But that's what I am looking for. So, is there a possibility to set up the *.pol file using a batch script or a PowerShell script?
    – P. Egli
    Commented May 7, 2017 at 9:58
  • 7
    This does not set the Local Group Policy, as was asked. Registry settings are overwritten with the local policy (and group policy, if the machine is in a domain), so this answer does not yield the expected results. See this answer
    – LCC
    Commented Oct 21, 2020 at 11:17

3

There are several cmdlets that can be used to manipulate GPOs (Create, Get-Info, ...). You can easily list them by using

Get-Command -Module GroupPolicy

The most important ones:

New-GPO -Name "My Own GPO" -Comment "This is a new GPO for me"

New-GPO -Name "My Own GPO" | New-GPLink -Target "ou=clients,dc=ad,dc=contoso,dc=com"

Remove-GPLink -Name "My Own GPO" -Target "ou=clients,dc=ad,dc=contoso,dc=com"

Get-GPO -Name "My Own GPO"

Get-GPO -Name "My Own GPO" | Get-GPOReport -ReportType HTML -Path c:\temp\report.html

Set-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut -Type DWord -Value 300

Get-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"

Remove-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut

Invoke-GPUpdate -Computer "ad\server1" -Target "User"

Get-GPResultantSetOfPolicy -Computer dc1 -ReportType HTML -Path c:\temp\dc1rsop.html

This was just taken from here.

4
  • 6
    Requires Group Policy Management Console, Remote Server Administration Tools must be installed first (on Windows 10 available with Pro or Enterprise editions)
    – escalator
    Commented Apr 22, 2020 at 13:31
  • @escalator You can install it using add-windowsfeature gpmc
    – Dragas
    Commented Dec 15, 2021 at 9:14
  • 1
    Seems like it needs a domain controller?
    – SamB
    Commented Mar 18, 2022 at 17:26
  • 3
    This answer applies to group policies in an Active Directory. The question is about machines that are not in a Windows domain.
    – Dr Phil
    Commented May 13, 2023 at 20:03

0

Great script from Microsoft that goes into more detail on editing registry property values via PowerShell using the Set-ItemProperty and other cmdlets. As has been stated, this doesn't appear to update the local policy editor's GUI, so you'd probably want to use the PolicyFileEditor if that's an issue for you. I have to do this on remote machines using a 3rd-party MDM and I want to eliminate as many dependencies as possible, so I'm just sticking with out-of-the-box commands. Hope this helps piece all of this together for others.

Because my users have the ability to change settings as local admins, I'm also just going to re-run this script each day. Unfortunately gpupdate /force /target:computer doesn't seem to update the settings for me (I'm changing screen lock out time) so the machines will have to reboot for the changes to take effect.

1
  • Registry is not group policies. Commented Nov 3, 2023 at 15:24
