Editing Local Group Policy via Automation
Posted by bapesta786@reddit | sysadmin | 12 comments
I am building a gold image for VDI deployment, and part of our gold image setup involves setting a local group policy setting:
Local Computer Policy > Computer Configuration > Windows Settings > Scripts > Startup
Inside there, we specify a script and the parameter.
On a reference machine, I have created this setting and used the LGPO tool to export the local policy. As a test, I deleted the aforementioned setting and ran the LGPO tool again to import the previously exported settings; however, the setting doesn't re-appear in the local policy editor.
Am I doing something wrong? Can anyone suggest how I control this via automation?
anonymousITCoward@reddit
You can use PowerShell to set the corresponding registry entry. Some are easier to find than others...
But since you're building a golden image, shouldn't you set the policy before creating the image?
bapesta786@reddit (OP)
Yes, I am trying to set the local group policy before finalising the gold image.
anonymousITCoward@reddit
Find the corresponding registry keys and set them there...
bapesta786@reddit (OP)
Any idea how I can find the key? I have tried searching the registry while the setting is configured but I can't find it!
Lower_Fan@reddit
If you are creating a golden image, then you set it on the template VDI, then every new VM will have the setting applied. Unless for x or y reason you need to apply it after the image is created.
bapesta786@reddit (OP)
I am trying to set it on the golden image.
picklednull@reddit
Did you check whether the setting is actually applied or not? I think funky things happen with the local policy and settings/changes are not always visible. It's the same if you just edit the registry keys the GPOs change (of course).
bapesta786@reddit (OP)
I actually didn't. Not sure how I would check without the GUI?
picklednull@reddit
Depends on the policy - almost everything is just a registry key in the background... Startup scripts might be the one exception. But you could add a script that writes to e.g. C:\test.txt and see if it appears.
Ssakaa@reddit
I haven't used LGPO since early Win7... and it was "fun" even then. I would start by applying on a clean setup to test, and verifying whether registry and gpresult line up with the policy being applied.
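A read-only way to do the check discussed in the comments above without the GUI, added here as an example (it is not code posted by anyone in the thread). It assumes the usual Windows locations for local startup scripts (`scripts.ini` under `System32\GroupPolicy`, the Scripts extension GUID in `gpt.ini`, and the `Group Policy\Scripts\Startup` registry key); none of these paths appear in the thread, and the function names are made up for the example.

```powershell
# Added example: read-only check of the local machine startup-script policy.
# ASSUMPTION: the paths, registry key and extension GUID below are the usual
# Windows locations; none appear in the thread. Run from an elevated prompt.
$gpRoot     = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$scriptsIni = Join-Path $gpRoot 'Machine\Scripts\scripts.ini'   # hidden file
$gptIni     = Join-Path $gpRoot 'gpt.ini'
$regKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup'
$scriptsCse = '{42B5FAAE-6536-11D2-AE5A-0000F87571E3}'          # Scripts extension

function Get-StartupFromIni([string]$Path) {
    # Parse the [Startup] section: lines look like 0CmdLine=... / 0Parameters=...
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $entries = @{}; $inStartup = $false
    foreach ($line in Get-Content -LiteralPath $Path -Force) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inStartup = $Matches[1] -eq 'Startup'; continue }
        if ($inStartup -and $line -match '^\s*(\d+)(CmdLine|Parameters)=(.*)$') {
            $i = [int]$Matches[1]
            if (-not $entries.ContainsKey($i)) { $entries[$i] = @{ CmdLine = ''; Parameters = '' } }
            $entries[$i][$Matches[2]] = $Matches[3].Trim()
        }
    }
    foreach ($i in ($entries.Keys | Sort-Object)) {
        [pscustomobject]@{ Source = 'scripts.ini'; CmdLine = $entries[$i].CmdLine; Parameters = $entries[$i].Parameters }
    }
}

function Get-StartupFromRegistry([string]$Key) {
    # Assumed layout: <policy index>\<script index>, leaf values Script and Parameters.
    if (-not (Test-Path -LiteralPath $Key)) { return }
    Get-ChildItem -LiteralPath $Key | ForEach-Object { Get-ChildItem -LiteralPath $_.PSPath } |
        ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath
            [pscustomobject]@{ Source = 'registry'; CmdLine = $p.Script; Parameters = $p.Parameters }
        }
}

$fromIni   = @(Get-StartupFromIni $scriptsIni)
$fromReg   = @(Get-StartupFromRegistry $regKey)
$cseListed = (Test-Path -LiteralPath $gptIni) -and
    [bool](Select-String -LiteralPath $gptIni -SimpleMatch $scriptsCse -Quiet)
$fromIni + $fromReg | Format-Table -AutoSize
"Scripts extension listed in gpt.ini : $cseListed"
"Entries defined in scripts.ini      : $($fromIni.Count)"
"Entries processed (registry)        : $($fromReg.Count)"
if ($fromIni.Count -gt 0 -and $fromReg.Count -eq 0) {
    'Defined but not processed yet: run "gpupdate /target:computer /force", reboot, re-check.'
}
# Cross-check with gpresult (heading text assumes English-language Windows).
gpresult /scope computer /v | Select-String -Pattern 'Startup Scripts' -Context 0,6
```

A script defined in `scripts.ini` but missing from the registry and from `gpresult` points at policy processing rather than at the import itself.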
BrechtMo@reddit
Just to make clear: using domain GPO is not an option?
bapesta786@reddit (OP)
Yes, that is correct.