Local GPO not reflecting updated reg value - windows

I am trying to set up a way to script GPO settings on a local machine that is not domain joined/standalone. I was thinking I could script the registry changes and it would reflect in gpedit, but that doesn't seem to be the case. No matter what I do to the registry, the reflected policy does not show when I close/open gpedit again. gpupdate does not do anything, and if I log off/back on, whatever the policy is set to overrides the registry setting I made. I am using PowerShell to do this, but the scripting portion isn't as much of a question at this time. I want to know if there is a way to get the GPO to reflect/update based off of the registry, and not the other way around?
Thanks in advance

Welcome to SO. Please see this helpful answer. You can use the PolicyFileEditor PowerShell module.
https://serverfault.com/questions/848388/how-to-edit-local-group-policy-with-a-script
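
An added example, not part of the original answer: the Local Group Policy Editor keeps Administrative Template settings in `Registry.pol` under `%SystemRoot%\System32\GroupPolicy`, and the registry is only the output of policy processing, which is why direct registry edits never appear in gpedit and are overwritten. The sketch below writes a setting with PolicyFileEditor and then lists registry values that have drifted from the policy file. The key and value names are hypothetical placeholders, and it assumes the module is installed and the session is elevated.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumes the PolicyFileEditor module is already installed.
Import-Module PolicyFileEditor

# Machine half of the local GPO; the per-user half is ...\GroupPolicy\User\Registry.pol
$pol = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'

# Hypothetical policy value, used only for illustration.
$key  = 'Software\Policies\ExampleVendor\ExampleApp'
$name = 'ExampleSetting'

# Write the setting into the policy file (the source gpedit reads), not into the registry.
Set-PolicyFileEntry -Path $pol -Key $key -ValueName $name -Data 1 -Type DWord

# Have the Group Policy engine apply the policy file to HKLM.
gpupdate.exe /target:computer /force | Out-Null

# Drift check: report every policy entry whose live registry value is missing or different.
$drift = foreach ($e in Get-PolicyFileEntry -Path $pol -All) {
    # Skip unnamed values and special '**del.' style entries, which delete rather than set.
    if (-not $e.ValueName -or $e.ValueName.StartsWith('**')) { continue }

    $item = Get-ItemProperty -Path "HKLM:\$($e.Key)" -Name $e.ValueName -ErrorAction SilentlyContinue
    $live = if ($item) { $item.($e.ValueName) } else { $null }

    if ($null -eq $item -or "$live" -ne "$($e.Data)") {
        [pscustomobject]@{
            Key       = $e.Key
            ValueName = $e.ValueName
            Policy    = $e.Data
            Registry  = $live
        }
    }
}

$drift | Format-Table -AutoSize
```

An empty result means the registry matches the local policy file; any row is a value that the next policy refresh will overwrite.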

Related

Disable automatic registry update

I'm currently trying to change a few things on my work computer (as a challenge) and after a few searches, came upon this matter.
I am trying to edit a registry value that will finally give me freedom (AutoConfigURL of Internet Explorer).
When I edit it or delete it, it comes back after a short while (matter of seconds).
Which leads me to the conclusion that there is a script somewhere that recreates the registry automatically.
Maybe PowerShell or just a .bat file.
My question being: what are your ideas of finding out where is that script and how to disable it?
Thanks to you all!
You could use Process Monitor to see what's changing the key. It's an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. That might help you find the program which changes the registry key.
You could also try the solution in this answer. Try to set permissions for registry keys. Immediately remove all the permissions after you edit the registry key, then it will be read only.

Change Windows settings via script

I wanted to set up a computer with a variety of settings which I basically have to do over and over and over again every time a new user joins our company or changes the computer and I wanted to know if there was a possible way to configure those with a script like I already did with an information collector script (batch file) and which now works perfectly fine thanks to this website.
So since I know that here are some really awesome IT Guys with way more experience than me I would love to do something automatic as the next step to save loads of time by simply running a script to configure things like setting up the screensaver, InternetOptions, removing Apps/Softwarelinks in the Start Menu or perhaps even adding links to the bookmark list in Firefox or Chrome so the user can just start to work and I got loads of time for other important things.
For now it would already be a help to set up a script for Windows 7 but I think we will move more and more to Windows 10 so would it be possible to write something to use on both systems without any big changes?
... configure things like setting up the screensaver, InternetOptions,
removing Apps/Softwarelinks in the Start Menu or perhaps even adding
links to the bookmark list in firefox or chrome so the user can just
start to work and I got loads of time for other important things.
Everything you ask about can be configured in a centralized fashion via Active Directory Group Policy. Check the Group Policy Survival Guide page to get started designing the policy for your organization and users.
Group Policy can be defined using PowerShell and via Group Policy Management Console which is GUI-based.
Note that the above will only work if you are in an Active Directory domain. If you are not, you still can use Local Group Policy, but you will have to run a script on every user's computer. I am not sure whether there are native PowerShell cmdlets to manage Local Group Policy, but AFAIK you can do that via Windows Registry or using special tools.

Deciding between GPO and straight registry editing NSIS

I'm writing an NSIS script to upgrade an appliance between versions. The versioning and setup have gotten away from us a bit, as we have many versions in the field, and currently no easy way to upgrade from one version to another. So the first task I have is to write something that they can run on field machines to do everything necessary to bring them to the latest version.
The appliance runs on Windows 7. It has 3 users. In the repository for the project there are 4 .msc files that contain group policies to set the appropriate settings for each of these. (computer, non-administrator, admin, appliance)
Is this the right way to go? In trying to power through learning NSIS, it seems easier to write the registry keys directly to HKU /user/... rather than the extra layer of indirection from GPO, given that I'm not doing any sort of distributed system using Active Directory (which I know approximately nothing about), and just have 3 static users on one static physical machine.
So concise questions:
Which approach makes more sense for my application? GPO files, or direct ntuser.dat editing on the various users.
If GPO makes sense, how do I apply an msc file inside NSIS? Double clicking the file works in Windows, but then you have the mmc open. Oogly. Is there a clean way to do it with NSIS?
How does a GPO in the registry under HKCU translate to a system wide policy? It seems to me that what's written to the registry is missing the critical information of which users it applies to (if it applies to a user or group).
Thanks in advance
.msc files usually contain data used by MMC and not policy data, perhaps you mean .adm template files? I don't think you can really apply a .msc file programmatically.
Direct registry editing is probably OK if your application just reads them normally on the other end, otherwise you might need to call gpupdate.
If your policy is stored under Software\Policies then entries in HKLM apply to everyone and entries in HKCU/HKU apply to that user. A normal user cannot change their policy under HKCU because they don't have write access. There is not really a concept of groups when using these keys.

How do I mark a directory to be deleted after reboot?

I've got an uninstaller that performs some actions and then prompts the user to reboot. I'd like a directory to be deleted after the reboot takes place. I know there's a way to do this, I'm just not sure how.
I'm using a WiX installer, and I'd imagine I could use that to do so, somehow, but I'm open to alternatives (whatever's simplest is just fine with me). My target platform is Windows 7, though it would be nice if this worked with older versions of Windows as well.
What's the simplest way to mark this directory for deletion after a reboot?
If you have a locked file condition Windows Installer can handle the deletion after the reboot but there is no built-in way of instructing it to only delete it after a reboot. I think the only way you could do it would be to use a custom action to record a RunOnce registry entry that instructs it to do the delete. You can't use the Registry table for this as Windows Installer has no way of recording to the registry as part of an uninstall.
Still, you are coloring outside the lines on this one so I'd want to understand the why of this requirement in determining if it's valid.
Try using SysInternal's "MoveFile". Specify "" as the target and poof! Assuming you don't end up in permission hell... :(

Help me find the reg-key which is preventing me from changing excel macro security-level?

My automatic test-framework tests a bunch of Excel sheets required by our customers with the Excel plugins that my team provides. In order to test the sheet I need to call some macros, this in turn requires macro security to be set to lowest on the testing servers. (In production macro security will be on). In particular I need to suppress this dialog:
One particular PC seems to resist my attempts to configure it, having set macro security to low from Tools->Macro->Security... I exit Excel and return to it, only to find out that macro security has been reverted to "medium".
I'm guessing that I've inherited a PC which has a registry setting that prevents me from downgrading the security, I've searched around and found "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\Excel\Security]", however this does not seem to do the trick.
I wonder if there is another way to force macro security to its lowest setting, either programmatically (via COM) or through a simple registry edit.
UPDATE: I'm on Office 2003. My PCs were pre-owned by other users and may have all kinds of configuration inconsistencies. Of all the PCs under my care this issue only affects one machine. I have full admin rights.
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings=1 (REG_DWORD) is the setting you're looking for. It can also exist under HKLM as a machine-wide override. The location also varies by Office version; 2003=11.0; 2007=12.0.
Lastly, if you are in a managed IT environment, keep in mind that group policy may be changing it back for you.
