Scenario / Questions

I have to set the local group policy settings and the the local security policy for a couple of machines which are not in a Windows domain. Until now, I’ve done that by manually setting the keys in gpedit. Due to the transition to Windows 10, I would like to automate that and use a batch or PowerShell script to set them. It would be very nice if this can be done without 3rd-party tools.

How can I set these policies using Powershell or a batch file?

Thank you for your answers in advance!


Find below all possible solutions or suggestions for the above questions..

Suggestion: 1

You can do it in PowerShell using Set-ItemProperty on the Registry provider; e.g. to disable Windows Update Access, you can run:

Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name DisableWindowsUpdateAccess -Value 1

(HKLM:\ being the standard alias for the “Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\” registry drive path.)

List of Group Policy registry keys can be downloaded from Microsoft at Download Group Policy Settings Reference for Windows and Windows Server | Microsoft Download Center

Suggestion: 2

PolicyFileEditor is a PowerShell module to manage local GPO registry.pol files.

Brandon Padgett provides an example usage:

$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$RegName = 'ScreenSaverIsSecure'
$RegData = '1'
$RegType = 'String'

Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

Suggestion: 3

There are several CmdLets that can be used to manipulate GPOs (Create, Get-Info, …). You can easily list them by using

Get-Command -Module GroupPolicy

The most important ones:

New-GPO -Name "My Own GPO" -Comment "This is a new GPO for me"

New-GPO -Name "My Own GPO" | New-GPLink -Target "ou=clients,dc=ad,dc=contoso,dc=com"

Remove-GPLink -Name "My Own GPO" -Target "ou=clients,dc=ad,dc=contoso,dc=com"

Get-GPO -Name "My Own GPO"

Get-GPO -Name "My Own GPO" | Get-GPOReport -ReportType HTML -Path c:\temp\report.html

Set-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut -Type DWord -Value 300

Get-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"

Remove-GPRegistryValue -Name "My Own GPO" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut

Invoke-GPUpdate -Computer "ad\server1" -Target "User"

Get-GPResultantSetOfPolicy -Computer dc1 -ReportType HTML -Path c:\temp\dc1rsop.html

This was just taken from here.