Edit Local Group Policy With PowerShell Scripting
- I need to edit local group policy object using PowerShell but I can't do that. I have tried to google but didn't find anything really useful. >>I need to edit local group policy object using PowerShell but I can't do that. This is a fundamental restriction in Windows. The security database is not available to scripts or most programs.
- This blog post shows you how to change the PowerShell MachinePolicy Execution Policy on Windows Server 2012 R2 so you don't get any errors! Change the PowerShell MachinePolicy Execution Policy in Windows Server 2012 R2. This is because your local group policy to allow scripts to run on the system is probably “not configured”.
- Edit Local Group Policy Setting using PowerShell or registry in Windows 7. Hello there, I would like to change a local group policy setting on Windows 7 using PowerShell.
- Feb 01, 2017 I need to edit local group policy object using PowerShell but I can't do that. I have tried to google but didn't find anything really useful. >>I need to edit local group policy object using PowerShell but I can't do that. You cannot change local security settings with a script of any kind. It can only be done via SECEDIT.
The problem is that for my requirement I cannot rely on the machine in question having anything like PowerShell. I want to be able to run a script/command and get/set the values of things inside Local Group Policy Editor.
Every new PowerShell user negotiates the infamous 'Execution Policy' when trying to run a script for the first time. Why can't I just run a script?
Execution Policy and Group Policy.admx file adds the 'Turn on Script Execution' policy to the Computer Configuration and User Configuration nodes in Group Policy Editor in the.
I use Windows Server 2012.
I can do this:
In Administrative Tools folder, double click the Local Security Policy icon, expand Account Policies and click Password Policy.
In the right pane double click Password must meet complexity requirements and set it to Disabled. Click OK to save your policy change.
How can I do it programmatically using Powershell?
3 Answers
There is no pure powershell way of doing it as per @Kayasax's answer, you have to wrap secedit into Powershell.
Raf
I use Windows 7
I have solved it by using the following powershell script
This script will automatically run as admin, if not already opened in admin mode
I also tried the script Raf wrote. I had version 2.0, but I only got it to work with version 4.0
Pavenhimself
I decided to write a couple functions to make this process easier.
Parse-SecPol: will turn Local Security Policy into a PsObject. You can view all the properties and make changes to the object.
Set-SecPol: will turn the Parse-SecPol object back into a config file and import it into the Local Security Policy.
Here is an example of its usage:
ArcSet
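The answers above describe wrapping secedit in PowerShell, but the scripts themselves did not survive on this page. The following is an added example of that approach, not the code from any of the answers: Get-LocalSecPol and Set-LocalSecPol are hypothetical names, the temp file paths are assumptions, and it sets PasswordComplexity to 1 (enabled) rather than 0.

```powershell
#Requires -RunAsAdministrator
# Added example: function names and temp paths are hypothetical, not from the answers above.

function Get-LocalSecPol {
    param([string]$CfgPath = (Join-Path $env:TEMP 'secpol-export.inf'))
    # Export the effective local security policy as an INF file.
    secedit /export /cfg $CfgPath /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
    $policy = [ordered]@{}; $section = $null
    foreach ($line in Get-Content -Path $CfgPath) {
        if ($line -match '^\[(.+)\]\s*$') {
            # Section header such as [System Access] or [Privilege Rights].
            $section = $Matches[1]; $policy[$section] = [ordered]@{}
        } elseif ($section -and $line -match '^(.*?)\s*=\s*(.*)$') {
            $policy[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    # The export lists account names and user rights; do not leave it in TEMP.
    Remove-Item -Path $CfgPath -Force
    $policy
}

function Set-LocalSecPol {
    param([Parameter(Mandatory)]$Policy,
          [string]$CfgPath = (Join-Path $env:TEMP 'secpol-import.inf'))
    # Rebuild the INF from the object, section by section, in the original order.
    $lines = foreach ($section in $Policy.Keys) {
        "[$section]"
        foreach ($key in $Policy[$section].Keys) { "$key = $($Policy[$section][$key])" }
    }
    try {
        # secedit expects the same UTF-16 encoding it exports.
        Set-Content -Path $CfgPath -Value $lines -Encoding Unicode
        secedit /configure /db "$env:windir\security\local.sdb" /cfg $CfgPath /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
    } finally {
        Remove-Item -Path $CfgPath -Force -ErrorAction SilentlyContinue
    }
}

# Read the current value, then enforce it (1 = enabled, 0 = disabled).
$pol = Get-LocalSecPol
"PasswordComplexity is currently $($pol['System Access']['PasswordComplexity'])"
$pol['System Access']['PasswordComplexity'] = 1
Set-LocalSecPol -Policy $pol
```

On a domain-joined machine a domain password policy GPO will overwrite this local value at the next refresh.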
How would I go about getting a Powershell script on a set of computers to run periodically throughout the day while the computer is on? (we already use the 'at startup' or 'at logon' but some of the computers are left on without logins for days. We also can't use a regular Scheduled Task because these scripts report data to a server, and we don't want 300 computers hitting the server all at the same second. We also would like to avoid having the script be left running, with the delays determined by the script, because it sometimes crashes.)
Is there a way to either:
I guess one way to do this as a Scheduled Task would be to have a random delay of 0-5 min at the beginning of the script, but then we'd like to avoid that delay when testing or when invoked at startup or login.
2 Answers
Is there a way to run a script when the GPO is applied?
Yes. You can create a scheduled task that will trigger when a specific event occurs:
On an event
This trigger causes the task to run when specific event entries are added to an event log. You can choose between specifying basic event trigger settings or custom event trigger settings. If you choose the basic event trigger settings, a single event from a specific event log will trigger the task. You choose the event log that contains the event, the event publisher name, and specify the event identifier.
Source Triggers
The eventID you need for the trigger is probably 8006:
The Group Policy service reserves event IDs between 8000 and 8007 to indicate a particular type of Group Policy processing completed successfully.
Source Troubleshooting Group Policy Using Event Logs
DavidPostill♦
It appears that the Group Policy Management Editor, in Computer Configuration/Preferences/Control Panel Settings/Scheduled Tasks, allows you to create an 'Immediate Task', specifically created for running things after a GPO refresh.
For computers that are running Windows Server® 2012 or Windows® 8, Immediate Task (At least Windows 7) preference items (Immediate Task (Windows Vista and later) preference items if running Windows Server® 2008 R2 or Windows® 7) allow you to create tasks to be run immediately and then removed each time Group Policy refreshes. Immediate Task preference items do not provide a selection of actions or triggers because they always create a task and then delete it after it has run.
The only gotcha was that I had to specify a valid user for it to run as ('NT AUTHORITY\SYSTEM' in this case), and it worked exactly like I wanted.
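The event-trigger approach from the first answer, registered from PowerShell, as an added example that is not part of either answer. The task name, the script path and the Microsoft-Windows-GroupPolicy/Operational channel are assumptions; event ID 8006 is the one the answer suggests, and the ScheduledTasks cmdlets require Windows 8 / Windows Server 2012 or later.

```powershell
#Requires -RunAsAdministrator
# Added example: task name, script path and log channel below are assumptions.
$taskName   = 'Report-AfterGpoRefresh'                     # hypothetical
$scriptPath = 'C:\Program Files\Corp\Report-Status.ps1'    # hypothetical
$channel    = 'Microsoft-Windows-GroupPolicy/Operational'  # assumed log for event 8006

# The task runs as SYSTEM, so the script must live where only administrators
# can write; a user-writable script here is a local privilege escalation.

# Event subscription in the XML form the Task Scheduler "On an event" trigger uses.
$subscription = @"
<QueryList>
  <Query Id="0" Path="$channel">
    <Select Path="$channel">*[System[(EventID=8006)]]</Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger has no "on event" option, so build the trigger
# from its CIM class directly.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
                             -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $subscription

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$scriptPath`""

# Same account the second answer used for the Immediate Task.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Kill a hung run after 10 minutes and never start a second copy in parallel.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 10) `
    -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $taskName -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings
```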