locked
Can you use PowerShell to change Group Policies? RRS feed

  • Question

  • Is it possible to make group policy setting changes with PowerShell?  For example, let's say you wanted to change the following 

    Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update -> Configure Automatic Updates [change the value from "2" to "4"]

    Instead of manually doing it using Group Policy Management, could I just run a powershell command (or series of commands) to make that change?  If so, what would the command be?

    Thanks!

    Monday, October 15, 2018 12:24 PM

All replies

  • I think set-gpregistryvalue would work, but you have to know the registry key for the group policy (I think it's in the template files).  Automating group policy through powershell is not great.  https://docs.microsoft.com/en-us/powershell/module/grouppolicy/set-gpregistryvalue?view=win10-ps

    • Edited by JS2010 Tuesday, October 16, 2018 3:44 AM
    Monday, October 15, 2018 4:11 PM
  • Hi jrauman,

    Thanks for your question.

    PolicyFileEditor is a PowerShell module to manage local GPO registry.pol files. Commands and DSC resource for modifying Administrative Templates settings in local GPO registry.pol files.

    click this to download this module.

    For example:

    $RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $RegName = 'ScreenSaverIsSecure'
    $RegData = '1'
    $RegType = 'String'
    Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

    Best Regards,

    Lee


    Just do it.

    Tuesday, October 16, 2018 2:48 AM
  • Hi jrauman,

    Thanks for your question.

    PolicyFileEditor is a PowerShell module to manage local GPO registry.pol files. Commands and DSC resource for modifying Administrative Templates settings in local GPO registry.pol files.

    click this to download this module.

    I believe that, if you load and review the module, you will see that it is only for local policy and not for ADGP.

    See: https://github.com/dlwyatt/PolicyFileEditor


    \_(ツ)_/

    Tuesday, October 16, 2018 2:52 AM
  • Hi Jrv,

    Thanks for your remind. I agree with you.

    Best Regards,

    Lee


    Just do it.

    Tuesday, October 16, 2018 3:08 AM
  • Hi,

    I am trying this PolicyFileEditor script for local policies. However, even as an admin trying to run this on my own machine I get access denied. 

    Has anyone had this issue, and what did you do about it? This will be used in SCCM to manage WSUS settings in the local policy on each server.

    Thanks!

    Tuesday, May 14, 2019 1:17 PM
  • It should work.  What is the code and the error message?
    Tuesday, May 14, 2019 2:10 PM
  • Set-PolicyFileEntry : Error saving policy file to path 'C:\WINDOWS\system32\GroupPolicy\Machine\Registry.pol': Exception calling "SaveFile" with "0" argument(s):
    "Access to the path 'C:\WINDOWS\system32\GroupPolicy\Machine\Registry.pol' is denied."

    + Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegNa ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OperationStopped: (TJX.PolFileEditor.PolFile:PolFile) [Set-PolicyFileEntry], Exception
        + FullyQualifiedErrorId : FailedToSavePolicyFile,Set-PolicyFileEntry

    Thanks!


    • Edited by bvi1998 Tuesday, May 14, 2019 2:26 PM
    Tuesday, May 14, 2019 2:26 PM
  • What's the code?
    Tuesday, May 14, 2019 2:27 PM
  • I mean, what is the powershell that you are running?
    Tuesday, May 14, 2019 2:30 PM
  • Major  Minor  Build  Revision
    -----  -----  -----  --------
    5      1      17134  590
    Tuesday, May 14, 2019 2:37 PM
  • I mean what commands are you running?

    Tuesday, May 14, 2019 2:38 PM
  • Thanks for your patience ;)

    $machinedir = "$env:windir\system32\GroupPolicy\Machine\Registry.pol"

    $RegPath = 'Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $RegName = 'UseWUServer'
    $RegData = '1'
    $RegType = 'DWORD'


    Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

    Tuesday, May 14, 2019 2:52 PM
  • It should work.  Are you in an elevated command prompt as admin?

    • Proposed as answer by bvi1998 Tuesday, May 14, 2019 3:03 PM
    Tuesday, May 14, 2019 2:56 PM
  • Hmmm, I guess the issue was that I had done a run as with my elevated domain account, which of course is not the same as running as administrator - even though I am an admin on this laptop.

    Thank you for your time, and sorry to waste it!

    Tuesday, May 14, 2019 3:03 PM
  • Hold up, are you telling me that this worked!?

    And if so if you set it to zero does it make updates go back to using Windows servers?

    Thanks!

    Friday, May 31, 2019 5:57 AM