Push GPO settings to client when not on a domain


  • Sorry, my knowledge on this subject is sparse, but I'd like to know if it is possible to push GPO settings to a client when we have no Active Directory or domain controllers. Just a work group of a dozen computers.

    Reason: We use WSUS for updates. One person continually overrides this and checks online for updates.

    I can enable to the policy setting to disable links, but want to be able to push this setting out to the client(s) automatically. Actually, I'd like to do it for all of the WSUS setting for the clients.

    Is it possible?


    • Edited by TanyaM0205 Sunday, July 19, 2015 1:30 AM
    Sunday, July 19, 2015 1:29 AM


All replies

  • Hi

     Very short answer NO,if you don't have Domain Controller&Domain (group policy management service)you could not apply any gpo to clients.

     Also if you have Proxy device or Firewall,you could configure a rule to block this links(adresses) to this specific clients.So there will not update from this link's anymore.

    Sunday, July 19, 2015 12:47 PM
  • Hi, thanks for getting back to me. I had come to the same conclusion after searching for what seemed an eternity.

    However, there might be a workaround.

    The Group Policy settings are stored in c:\windows\system32\grouppolicy. Since the settings are the same for most clients I could copy that folder to the client at login.

    So, I have set up a simple batch script to check if computername, and copy the grouppolicy folder to the above location.

    However, I'm not sure of the scope of the login. The user connects to multiple mapped shares. A credential has been set up to handle the authentication

    So, do I need to edit the local policy on the client to add a login script, or edit the local policy on the server?

    This is the script (ignore the computer name, it's not the real computer name)..

    @Echo Off
    If "%computername%"=="XXXXXX" Goto DoIT
    Goto END
     net use z: \\server\tools >NUL
     xcopy z:\grouppolicy\*.* c:\Windows\System32\ /i/e/c/y/q/h >NUL
     net use z: /delete >NUL

    Monday, July 20, 2015 1:53 AM
  • Hi

     You could edit local policy on client by script(so you need to configure clients local policies.),if you're not sure about the script,you should ask this on powershell&script forums.

    Monday, July 20, 2015 5:57 AM
  • > So, I have set up a simple batch script to check if computername, and
    > copy the grouppolicy folder to the above location.
    So, then your GPO settings are on a local drive. Doesn't matter - a
    computer will not process GPOs (none!) if it cannot locate a domain

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, July 20, 2015 12:46 PM