8

I want to update group policy in Windows Server using the command line. I don't want a programmatic way. I read this & this, and then tried deleting registry keys based on the mapping of group policy and registry keys, but the group policy didn't get updated.

Specifically, I want to set Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates to Not configured in group policy.

So, I ran the following commands:

```
C:\Windows\system32>reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v ScheduledInstallTime /f
The operation completed successfully.

C:\Windows\system32>reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v ScheduledInstallDay /f
The operation completed successfully.

C:\Windows\system32>reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /f
The operation completed successfully.

C:\Windows\system32>reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /f
The operation completed successfully.
```

But after that the group policy wasn't updated. Do I need to run another command to propagate my registry changes to group policy? If yes, what is it? What am I missing?

I tried `gpupdate /force`; it overrode my registry changes. I need the converse of this.

Abhishek
  • 1
    `gpupdate /f` updates Group Policy which will fix what you've done. GP is updated every hour (might be 2 hours). So your changes should be overwritten by your group policy file (group policy changes the registry when it's applied). Changing registry values is not changing Group Policy and GP will overwrite your changes. If your registry changes aren't taking effect then the component probably reads it on startup. –  Oct 03 '16 at 19:13
  • I thought the mapping of registry is for this purpose. Is there a way to solve this? – Abhishek Oct 04 '16 at 08:26
  • Just disable Windows Update service in Services. –  Oct 04 '16 at 08:45
  • That is a manual step. I'm trying to automate this step. This is one of the steps in automation. – Abhishek Oct 04 '16 at 13:13
  • 1
    `sc config wuauserv start= disabled` –  Oct 04 '16 at 20:10
  • @Noodles is `disabled` == `not configured`? Also, how did you find the name of the service? I want to disable a few more group policies. – Abhishek Oct 05 '16 at 11:24
  • `sc GetDisplayName Servicename` and `sc getkeyname servicename`. Everything is kept under here in the registry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services`. –  Oct 05 '16 at 16:04
  • @Noodles Got it. Thanks. But that didn't change the group policy. When I restarted the machine, group policy overrode it again :| – Abhishek Oct 12 '16 at 16:35
  • Yes. That is what group policy does. And it will do it every two hours as well. So change group policy or disable the services after boot and every two hours. –  Oct 12 '16 at 19:39
  • @Noodles So, can I change that group policy using a command? Actually, that is my actual question :) – Abhishek Oct 13 '16 at 17:33
  • No. Need to use the GUI. –  Oct 15 '16 at 04:36
  • @Noodles So, I'll have to write C++ code. – Abhishek Oct 19 '16 at 10:53

4 Answers

9

How to change group policy from the command line? Voila:

LGPO.exe – Local Group Policy Object Utility, v1.0

Glenn Slayden
4

For group policy objects in a domain, registry-based group policy settings can be configured from the command line using PowerShell. If you are not running on a domain controller, the Group Policy Management Console must be installed.

See Group Policy Cmdlets in Windows PowerShell and in particular the Set-GPRegistryValue cmdlet.

You can of course run a PowerShell command from the legacy command line, e.g.,

```
powershell get-gpregistryvalue -Name gpo-name -Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -ValueName AUOptions
```

As far as I know, there is no command-line solution for local group policy. For local group policy, see Glenn's answer.

Harry Johnston
  • 2
    This is for getting the value, right? I need to set them. – Abhishek Oct 04 '16 at 08:25
  • That was just an example, one I could test easily. If you want to set the group policy, use Set-GPRegistryValue instead of Get-GPRegistryValue. You'll have to figure out the exact syntax yourself. – Harry Johnston Oct 04 '16 at 20:23
  • 1
    It is not working for local group policy, as you said. I need to add the machine to some domain for it to work? :( – Abhishek Oct 05 '16 at 09:28
  • If you have to manipulate local group policy from the command line, you'll need to look for a third-party tool, or write your own. It might be quicker just to use the GUI, depending I guess on just how many machines you're talking about. – Harry Johnston Oct 05 '16 at 20:24
  • Can you suggest any 3rd party tool? I've looked on the web and found a source code, in a language not known to me. Its extension was `.au3` – Abhishek Oct 12 '16 at 16:35
  • [This answer](http://stackoverflow.com/a/35365605/886887) may be useful, discussing the IGroupPolicyObject COM interface. I believe you can use COM in Powershell, though it would probably be too complicated to turn into a one-liner. – Harry Johnston Oct 19 '16 at 08:46
  • Got it. Thanks for the link, it is similar to the links I shared. Logically, a single command should have sufficed, as we are finding a `key` and setting its `value`. I'm not sure why MS didn't give this feature/command to the user. – Abhishek Oct 19 '16 at 10:53
  • 1
    That would be the -100 points principle, see https://technet.microsoft.com/en-us/library/dn167709.aspx ; in short, very few people would use such a feature, so it wouldn't be cost-effective to implement. – Harry Johnston Oct 19 '16 at 22:36
  • Nice one. Thanks for making me aware of it. – Abhishek Oct 21 '16 at 14:50
  • @HarryJohnson regarding "there is no command-line solution for local group policy." -- see https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/ – Glenn Slayden Oct 30 '16 at 23:58
  • @GlennSlayden: excellent. You should post that as an answer. – Harry Johnston Oct 31 '16 at 01:03
3

Set-GPRegistryValue is the way to go here. The problem, which is common, is that you have the GP path and you need the raw data. You can get the raw data (key path and value) from the settings spreadsheet, from the ADMX file (if it is an administrative template setting) or from a free tool called registry.pol viewer from GPOGuy.

The commands you put up clean up registry data; these cmdlets don't do that. They add values to the registry.pol file (or registry.xml for GP Preference) stored in the GPO. Those settings are then sent down to target systems and applied to the registry. Also, for non-registry-based policy and the ability to automate settings across local policies, search "Group Policy Automation"; there is a solution out there you may want to look at.

Kevin
  • According to the OP, at least, Set-GPRegistryValue doesn't work for local group policy. – Harry Johnston Nov 03 '16 at 22:55
  • Set-GPRegistryValue does not work against local policy directly - there are 1) third party options here (search 'automating group policy') and there are 2) 'hacks' where you can take domain based GP data and port it to local policy but I wouldn't not suggest them. The 3) LGPO tool is OK if the local policy piece is required but not super flexible. – Kevin Nov 04 '16 at 15:07
  • also @HarryJohnston apologies, I didn't see the local policy mention in the OP, I had neglected to expand the comment. My mistake. – Kevin Nov 04 '16 at 15:10
  • @Kevin As `Set-GPRegistryValue` changes registry value, it will be overridden in next restart. Correct? – Abhishek Nov 18 '16 at 11:53
  • Sorry for delay @Abhishek - so set-gpregistryvalue does not change the registry... it changes the registry.pol in the GPO. The actual registry is not updated until the group policy is linked and client system refreshes policy. When the client target updates policy with this new registry.pol file it will store the data in the appropriate place in the registry and will not be overridden on next restart. – Kevin Nov 23 '16 at 14:37
  • Great. Let me give it a try and get back. – Abhishek Nov 27 '16 at 04:48
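
The registry.pol mechanism described in the answer above, as an added example (not code from the answer or from any Microsoft tool): a small Python parser for the documented `PReg` record layout `[key;value;type;size;data]`, run over a constructed sample. The helper names (`build_pol`, `parse_pol`, `enforced_values`) and the sample values are assumptions made for illustration.

```python
import struct

REG_SZ, REG_DWORD = 1, 4
AU_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

def u16(text):
    return text.encode("utf-16-le")

def build_pol(entries):  # serializer, used here only to construct the sample
    blob = b"PReg" + struct.pack("<I", 1)  # signature, then version 1
    for key, value, reg_type, data in entries:
        blob += (u16("[" + key + "\0;" + value + "\0;") + struct.pack("<I", reg_type)
                 + u16(";") + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))
    return blob

def read_name(blob, pos):  # NUL-terminated UTF-16LE string; also skips the ';'
    end = pos
    while blob[end:end + 2] != b"\0\0":
        if end >= len(blob):
            raise ValueError("unterminated string in record")
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 4

def parse_pol(blob):
    """Return {(key, value): data} for each [key;value;type;size;data] record."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a Registry.pol file")
    pos, settings = 8, {}
    while pos < len(blob):
        if blob[pos:pos + 2] != u16("["):
            raise ValueError(f"expected '[' at offset {pos}")
        key, pos = read_name(blob, pos + 2)
        value, pos = read_name(blob, pos)
        reg_type, size = struct.unpack_from("<I2xI", blob, pos)  # type ; size
        data = blob[pos + 12:pos + 12 + size]
        if reg_type == REG_DWORD and size == 4:
            data = struct.unpack("<I", data)[0]
        elif reg_type == REG_SZ:
            data = data.decode("utf-16-le").rstrip("\0")
        settings[(key, value)] = data
        pos += 12 + size + 2  # step over data and the closing ']'
    return settings

def enforced_values(settings, key):  # value names the policy sets under one key
    return sorted(v for k, v in settings if k.lower() == key.lower())

# Constructed sample: the four values the question deleted with reg.exe.
SAMPLE = build_pol([(AU_KEY, name, REG_DWORD, struct.pack("<I", number)) for name, number in
                    [("NoAutoUpdate", 0), ("AUOptions", 4),
                     ("ScheduledInstallDay", 0), ("ScheduledInstallTime", 3)]])
```

Every value the parser lists is written back into the registry at each policy refresh, which is why the `reg delete` commands in the question did not stick. On a standalone machine the computer-side file is normally `%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol`.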
0

Group Policy Settings Reference for Windows and Windows Server
https://www.microsoft.com/en-us/download/details.aspx?id=25250
https://download.microsoft.com/download/8/F/B/8FBD2E85-8852-45EC-8465-92756EBD9365/Windows10andWindowsServer2016PolicySettings.xlsx

Mostly stored in the registry. Find the reference above, then use reg.exe command line to modify them.

Boontawee Home