Group Policy question...

Bdw3
Posts: 3348
Joined: Sun Mar 12, 2000 8:00 am

Post by Bdw3 »

Is there any quick way to change an ass load of Group Policies at once? :icon6:
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Re: Group Policy question...

Post by Tormentius »

Bdw3 wrote: Is there any quick way to change an ass load of Group Policies at once? :icon6:
Can you define that a little more?
Bdw3
Posts: 3348
Joined: Sun Mar 12, 2000 8:00 am

Post by Bdw3 »

Okay, one XP Pro computer with multiple policies enabled.

The occasion comes from time to time that these policies all need to be disabled for a bit and then enabled later on.

I’m basically looking for something to automate the process.
Disruptor
Posts: 21
Joined: Fri Jan 07, 2000 8:00 am

Post by Disruptor »

Bdw3 wrote: Okay, one XP Pro computer with multiple policies enabled.

The occasion comes from time to time that these policies all need to be disabled for a bit and then enabled later on.

I’m basically looking for something to automate the process.
Why not just block policy inheritance on the OU the machine account is in, then just revert it once you are done.
Bdw3
Posts: 3348
Joined: Sun Mar 12, 2000 8:00 am

Post by Bdw3 »

Like through Active Directory? :icon6:

Not an option, that's why I ask.

<---intern trying to help out IST department.
Basically Lab computers have an ass load of policies set up on them. One computer is set up then ghosted to the rest. If something needs to be changed it's hell for the staff (*cough intern*). Why? Because of the ignorance/laziness/unwillingness of the IST director, who is basically exercising dictator-like power over Active Directory, and doesn't want to spend the time to do it.
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Post by Tormentius »

Sounds like fun. Use the Group Policy Management Console to administer and enable/disable the policies (it's easy enough to use that he can probably even figure it out).
R00k
Posts: 15188
Joined: Mon Dec 18, 2000 8:00 am

Post by R00k »

If you want to do it quickly, use an app like WinDiff, and monitor the registry changes that are made when you disable/enable the policy settings.

Then you can just make a *.reg file, that you can double-click on that will apply the policies, and one that will remove them.
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Post by Tormentius »

R00k wrote: If you want to do it quickly, use an app like WinDiff, and monitor the registry changes that are made when you disable/enable the policy settings.

Then you can just make a *.reg file, that you can double-click on that will apply the policies, and one that will remove them.
That would involve a lot of work though, especially across multiple workstations. The other drawback would be the fact a reg patch permanently tattoos the registry whereas GPOs do not. In the GPMC disabling a policy is as simple as right-clicking it and unchecking "Link Enabled". Within 90 mins of doing this all domain-connected workstations will refresh their policies and disable the appropriate entries.

Also, the GPMC can be used for creating policies, modelling them on a test domain, then exporting them to file where they can be imported in the target production domain. The caveat to this process is that security groups and UNC paths specified in the policy to be imported must be updated, but that doesn't take long at all in comparison to recreating a complex policy from scratch.
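
The .reg approach and the tattooing caveat discussed in the two posts above, as an added example that is not part of the thread: it diffs two registry exports taken with the settings on and off, builds the apply and remove patches, and lists keys outside the policy branches, whose values persist until explicitly reverted. The sample exports and all function names are constructed for illustration.

```python
# Added example (not from the thread): build apply/remove .reg patches from two exports.
import re

HEADER = "Windows Registry Editor Version 5.00"
# Branches that Group Policy manages and cleans up; values elsewhere persist ("tattoo").
POLICY_BRANCHES = ("\\software\\policies\\",
                   "\\software\\microsoft\\windows\\currentversion\\policies\\")
VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)')   # "name"=data or @=data

# Constructed sample exports of the same keys, taken with the settings on and off.
ENABLED = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoControlPanel"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveTimeOut"="300"
"""
DISABLED = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000000

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveTimeOut"="900"
"""

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex values continued with a trailing "\"
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = m.group(2)
    return keys

def make_patch(old, new):
    """Return .reg text that moves the exported values from state `old` to state `new`."""
    out = [HEADER, ""]
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key, {}), new.get(key, {})
        lines = [f"{name}={data}" for name, data in sorted(n.items()) if o.get(name) != data]
        lines += [f"{name}=-" for name in sorted(o) if name not in n]  # "=-" deletes a value
        if lines:
            out += [f"[{key}]", *lines, ""]
    return "\r\n".join(out)

def tattooing_keys(state):
    """Keys outside the policy branches, whose values stay until explicitly reverted."""
    return [k for k in state if not any(b in k.lower() + "\\" for b in POLICY_BRANCHES)]
```

`make_patch(parse_reg(ENABLED), parse_reg(DISABLED))` gives the remove file and the swapped call gives the apply file; each patch covers only the keys present in the two exports.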
R00k
Posts: 15188
Joined: Mon Dec 18, 2000 8:00 am

Post by R00k »

Oh, I didn't read his post correctly. I thought he said he only had one computer that needed the policy settings turned on/off at will, because sometimes they want to disable them on that machine.

I do that on my own PC here at work with a .reg file, which is why I recommended it.

But yes, if you're doing it across all those machines remotely, then using the GPMC would be the quickest and easiest way.
Bdw3
Posts: 3348
Joined: Sun Mar 12, 2000 8:00 am

Post by Bdw3 »

I asked for one computer because I pretty much have to treat them that way because we've no access to the OUs, or Active Directory.

Should have mentioned that is primarily for Local Policies.

Thanks though.

The immediate task has been completed. Now we work on the Director and getting her to let go of some of her power, to make stuff like this easier.
R00k
Posts: 15188
Joined: Mon Dec 18, 2000 8:00 am

Post by R00k »

It sucks to work with control freaks. :smirk: