I am trying to determine if there is a way to report on what the Computer Configuration and User Configuration settings are when someone types gpedit.msc. Are those 2 settings disabled or enabled? This will also help determine if domain GPOs are in effect. Does anyone have experience with this?
You can get and set local GPOs with BigFix using a utility from Microsoft, but I’m not sure if that is what you are looking for.
Examples:
Otherwise, I’d say you could look for the effect of the policies by examining the Policies registry keys.
What is your use case?
So we have desktop personnel who, when they are doing maintenance on desktops, will go in and disable GPOs on the machine to prevent them from doing certain tasks. Unfortunately, they are forgetting to enable the GPOs once they have completed their work. We are just looking for a property to determine what is enabled and disabled.
Are these local GPOs they are disabling, or domain GPOs?
Hi @jlpeppers and @jgstew
To disable local GPO I’m using our BigFix Windows registry edit wizard and put the following value in it; maybe this will help you to achieve your task.
[Start] [Run] [Regedit]
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
[ In most cases, this registry key is not present and will need to be created ]
Modify/Create the Value Data Type(s) and Value Name(s) as detailed below.
Data Type: DWORD Value // Value Name: DisableGPO
Setting for Value Data: [0 = Default (Enabled) / 1 = Disabled]
Exit Registry and Reboot
Thanks Vikki, at this point I’m trying to determine what the settings are from the console so I can report on them.
You can use the LGPO_Utilities.zip to export the current LGPO settings to a file and then read that file using relevance.
If there are specific settings you know you want to check for, then you could look for their effect here: HKEY_LOCAL_MACHINE\SOFTWARE\Policies or in the registry location they affect.
I think I’m making progress… see below
;Disable Computer Configuration settings
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List\0]
"GPO-Disabled"=dword:00000001
;Disable User Configuration settings
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\***Your specific SID***\GPO-List\0]
"GPO-Disabled"=dword:00000001
So I’m able to report on the Computer Settings but the User Settings is a bit of a problem. It appears it is looking at a SID and I’m not sure how I would report on multiple values.
Here is what I have for Computer settings:
if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List\0" of native registry) and name of operating system contains "Win" then (exists value "GPO-Disabled" whose (it as string is "1" of it) of it of it) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List\0" of native registry else nothing
This will give you that value without the need for IF-THEN-ELSE:
values "GPO-Disabled" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List\0" of native registries
This will give you all of those that have it disabled:
not exists values "GPO-Disabled" whose(it as string as integer = 0) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List\0" of native registries
For the SIDs:
values "GPO-Disabled" of keys "GPO-List\0" of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State" of native registries
I get the property ‘keys’ of string is not defined for the User settings
I had a misplaced "of" in there. I edited it above, so give it another try.
I’m also not certain the path is completely correct. I’m basing it the best I could off of what you provided.
What should be the expected result? My machine doesn’t return anything.
I see what happened. State was missing out of the path.
values "GPO-Disabled" of keys "GPO-List\0" of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State" of native registries
BTW, I was using IF THEN ELSE to give me the true/false value of the registry, instead of the 1 and 0.
if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State" of native registries) then (exists value "GPO-Disabled" whose (it as string is "1" of it) of it of it) of keys "GPO-List\0" of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State" of native registries else nothing
For the user setting, since there are multiples, is there a way to change multiple values in the registry without knowing the exact path?
You still don’t need to use IF-THEN-ELSE. This will do exactly the same without that:
exists values "GPO-Disabled" whose(it as string as integer = 1) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List\0" of native registries
You can change multiple by having it reapply until there are no more to change, or you can create a BAT file to change it.
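As an added example (not code from any poster in this thread), the PowerShell script below walks every subkey of the Group Policy State key quoted above, Machine and each user SID, reports the GPO-Disabled value under GPO-List\0, and can write 0 back to every entry found set to 1 without knowing the SIDs in advance. The -Reset switch and the function name are hypothetical, and the meaning of the value (1 = disabled) is taken from the .reg fragment posted above; run it elevated in a 64-bit PowerShell session so it reads the native registry view.

```powershell
# Added example: report (and optionally reset) GPO-Disabled for Machine and
# every user SID under the Group Policy State key quoted in the thread.
param([switch]$Reset)   # hypothetical switch: set entries that read 1 back to 0

$stateRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State'

function Get-GpoDisabledState {
    param([string]$Root = $stateRoot)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    foreach ($scope in Get-ChildItem -LiteralPath $Root) {
        # $scope.PSChildName is "Machine" or a user SID
        $entry = "$Root\$($scope.PSChildName)\GPO-List\0"
        if (-not (Test-Path -LiteralPath $entry)) { continue }
        $prop = Get-ItemProperty -LiteralPath $entry -Name 'GPO-Disabled' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope    = $scope.PSChildName
            Path     = $entry
            # $null means the value is absent; otherwise True when it equals 1
            Disabled = if ($null -eq $prop) { $null } else { [int]$prop.'GPO-Disabled' -eq 1 }
        }
    }
}

$report = @(Get-GpoDisabledState)

if ($Reset) {
    foreach ($row in $report | Where-Object Disabled) {
        # Re-enable processing for this scope (assumes 0 = enabled, per the thread)
        Set-ItemProperty -LiteralPath $row.Path -Name 'GPO-Disabled' -Value 0 -Type DWord
    }
    $report = @(Get-GpoDisabledState)   # re-read so the output shows the new state
}

$report | Format-Table Scope, Disabled -AutoSize
```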