26

I have to set the local group policy settings and the local security policy for a couple of machines which are not in a Windows domain. Until now, I've done that by manually setting the keys in gpedit. Due to the transition to Windows 10, I would like to automate that and use a batch or PowerShell script to set them. It would be very nice if this can be done without 3rd-party tools.

How can I set these policies using PowerShell or a batch file?

Thank you for your answers in advance!

Peter

Sam Erde
  • 3,549
P. Egli
  • 361

4 Answers

14

PolicyFileEditor is a PowerShell module to manage local GPO registry.pol files.

Brandon Padgett provides an example usage:

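# Per-user local GPO policy file; $UserDir must be defined before the call below
$UserDir = "$env:windir\System32\GroupPolicy\User\registry.pol"

$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$RegName = 'ScreenSaverIsSecure'
$RegData = '1'
$RegType = 'String'

# Set-PolicyFileEntry comes from the PolicyFileEditor module
Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType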
Zoredache
  • 133,737
Stajs
  • 241
10

You can do it in PowerShell using Set-ItemProperty on the Registry provider; e.g. to disable Windows Update Access, you can run:

Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name DisableWindowsUpdateAccess -Value 1

(HKLM:\ being the standard alias for the "Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\" registry drive path.)

A list of Group Policy registry keys can be downloaded from Microsoft at Download Group Policy Settings Reference for Windows and Windows Server | Microsoft Download Center

Pak
  • 919
4

There are several cmdlets that can be used to manipulate GPOs (Create, Get-Info, ...). You can easily list them by using

Get-Command -Module GroupPolicy

The most important ones:

New-GPO -Name "My Own GPO" -Comment "This is a new GPO for me"

New-GPO -Name "My Own GPO" | New-GPLink -Target "ou=clients,dc=ad,dc=contoso,dc=com"

Remove-GPLink -Name "My Own GPO" -Target "ou=clients,dc=ad,dc=contoso,dc=com"

Get-GPO -Name "My Own GPO"

Get-GPO -Name "My Own GPO" | Get-GPOReport -ReportType HTML -Path c:\temp\report.html

Set-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut -Type DWord -Value 300

Get-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"

Remove-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut

Invoke-GPUpdate -Computer "ad\server1" -Target "User"

Get-GPResultantSetOfPolicy -Computer dc1 -ReportType HTML -Path c:\temp\dc1rsop.html

This was just taken from here.

Sam Erde
  • 3,549
0

Great script from Microsoft that goes into more detail on editing registry property values via PowerShell using the Set-ItemProperty and other cmdlets. As has been stated, this doesn't appear to update the local policy editor's GUI so you'd probably want to use the PolicyFileEditor if that's an issue for you. I have to do this on remote machines using a 3rd party MDM and I want to eliminate as many dependencies as possible so I'm just sticking with out of the box commands. Hope this helps piece all of this together for others.

Because my users have the ability to change settings as local admins, I'm also just going to re-run this script each day. Unfortunately gpupdate /force /target:computer doesn't seem to update the settings for me (I'm changing screen lock out time) so the machines will have to reboot for the changes to take effect.

Purge0
  • 1
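
A drift-correcting take on the Set-ItemProperty approach from the answers above, suited to the daily re-run the last answer describes. This is an added example, not code from any of the posters; `Set-PolicyValue` and the `$Settings` table are hypothetical names, and the DWord type for DisableWindowsUpdateAccess is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: enforce registry-backed policy values idempotently and report drift.
# Paths, names and values are the ones quoted in the answers on this page.
# HKCU: is the hive of the account running the script, not every user's.
$Settings = @(
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
       Name = 'DisableWindowsUpdateAccess'; Type = 'DWord'; Value = 1 }   # type assumed
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       Name = 'ScreenSaverIsSecure'; Type = 'String'; Value = '1' }
)

function Set-PolicyValue {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][Microsoft.Win32.RegistryValueKind]$Type,
        [Parameter(Mandatory)]$Value
    )
    # Read the current state without failing when the key does not exist yet.
    $key     = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    $current = if ($key) { $key.GetValue($Name, $null) }
    $kind    = if ($null -ne $current) { $key.GetValueKind($Name) }

    # Compliant only when both the data and the registry type match.
    if ($null -ne $current -and $current -eq $Value -and $kind -eq $Type) {
        return [pscustomobject]@{ Path = $Path; Name = $Name; State = 'Compliant'; Previous = $current }
    }

    $state = 'Drifted'   # stays 'Drifted' when -WhatIf suppresses the write
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set $Type value $Value")) {
        # Set-ItemProperty errors on a missing key, so create the key first.
        # New-Item -Force is only reached when the key is absent, so nothing is overwritten.
        if (-not $key) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType $Type `
            -Value $Value -Force | Out-Null
        $state = 'Corrected'
    }
    [pscustomobject]@{ Path = $Path; Name = $Name; State = $state; Previous = $current }
}

# Apply every setting; log the output to see which values local admins changed.
$report = foreach ($s in $Settings) { Set-PolicyValue @s }
$report | Format-Table -AutoSize
```

Set `$WhatIfPreference = $true` before the loop to report drift without writing anything. As with the Set-ItemProperty answer, this touches the registry only and does not update registry.pol.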