Script Help To Edit Group Policy On 100+ Pc's

[mminisee]

Well I have been asked to complete another daunting task, update the local group policy on 100+ machines in two seperate remote offices. We are working to move to AD in the coming year but until then things are still the old way.

AutoIt has to be able to help me with this, it's been so good at so many other things, I just have never made one to do any changes like this and am not sure where to start at all.

I need a script that can be run from an Admin priveleged account and have it execute the gpedit.msc command to access the Group Policy control panel and then make a couple of changes in there (below);

1. Disable changing home page settings (User Configuration\Administrative Templates\Windows Components\Internet Explorer) - Enable

2. Specify home page (User Configuration\Windows Settings\Internet Explorer Maintenence\URLs\Important URLs) - http://www.xxxxxxxxxx.com/corporate/gateway

3. Specify and disable changing wallpaper (User Configuration\Administrative Templates\Desktop\Active Desktop) Prohibit Changes - Enabled / Active Desktop Wallpaper - Enabled, Specified - C:\winnt\company.bmp, Stretch / Allow Only Bitmapped Wallpaper - Enabled

4. Activate the screensaver policy - (User Configuration\Administrative Templates\Control Panel\Display) - Actiivate Screen Saver - Enabled

Specify the screensaver (User Configuration\Administrative Templates\Control Panel\Display) - Screen saver executable name - Enabled / c:\winnt\system32\logon.scr

5. Password protect the screensaver (User Configuration\Administrative Templates\Desktop\) Password Protect Screensaver - Enabled

6. Automatically start screensaver and lock the PC after idle time - (User Configuration\Administrative Templates\Control Panel\Display) - Screen Saver timeout - Enabled

Assistance is much appreciated, and if anyone already has scripts for Admins like this, please let me know I would appreciate any other samples available.

Thank you,

Mike

[GrahamS]

OK, I'm not an expert but how about the following:

run(@comspec & " /c gpedit.msc")
WinWaitActive("Group Policy")
send("{down 8}{right}")
sleep(1000)
send("{down}{right}")
sleep(1000)
send("{down 2}{tab}")
sleep(1000)
send("{down 11}")
sleep(1000)
send("!ar")
WinWaitActive("Disable changing home page settings Properties")
send("!e")
ControlClick("Disable changing home page settings Properties", "", "Button6" )

That's done number one, the others can be done in a similar manner.

I have reservations about this script. I'm not overjoyed with using the hard coded number - if your policies are not in the same order then the {down 11{ will not be correct.

What you could do is after the tab, do a send("^{END}"), open the properties tab with the send("!e"), wait for the properties window to open (possibly using a WinTitleMatchMode option of 2 (substring) against "Properties"). Then you can check the window name against the exact title that you want. If it is not want you want then use the Previous Policy, using send("!p"), repeatedly to work your way through the windows. Ugly but would work

Edited March 1, 2004 by GrahamS

[Guest normano]

You can make the changes by writing directly to the registry, this is what the Group Policy editor does anyway. Here is a short code sample using AutoIt:

; -------------------------------

; Sets the Home Page to www.mammals.org

RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page", "REG_SZ", "http://www.mammals.org/")

; Disables Home Page changes

RegWrite("HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel", "HomePage", "REG_DWORD", 1)

; -------------------------------

The only catch to this is that it applies the settings for the current user not system wide. You would need to run this for every user that logs on to the computer, which is really easy (put it in the All Users\Startup folder).

If you want to do the registry method, and you need more of the registry keys let me know, and I will try to get them to you.

One more option is if you are running ActiveDirectory you can set your policies up as part of the domain policy instead of the local computer policy, and it would apply itself to all accounts.

[Guest lotus]

hi,

first run gpedit.msc, & configure the necessary policies on a test system.

then copy the folder from the test system to the target system.

XP, please use

1. c:\windows\system32\grouppolicy

and also run the following command for immediate update

2. gpupdate /force

2K, please use

1. c:\winnt\system32\grouppolicy

2. secedit /refreshpolicy machine_policy

3. secedit /refreshpolicy user_policy

if this needs to be rolled out on 100+ systems, then write a script which can do the above & execute the script on remote systems using SYSINTERNALS PSEXEC freeware. here is the sample script for it.

PLEASE SUBSTITUE

xxx - admin privileged account

yyy - domain

zzz - account password

$PATH - the grouppolicy of the test system needs to be placed in read-only shared drive.

XP script

======

RUNASSET("xxx","yyy","zzz")

$CMD="XCOPY " & $PATH & " C:\WINDOWS\SYSTEM32 /E/V/Y"

RUNWAIT($CMD,@TempDir)

RUNASSET()

RUNWAIT("GPUPDATE /FORCE",@TempDir)

2K script

======

RUNASSET("xxx","yyy","zzz")

$CMD="XCOPY " & $PATH & " C:\WINNT\SYSTEM32 /E/V/Y"

RUNWAIT($CMD,@TempDir)

RUNASSET()

RUNWAIT("SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE",@TempDir)

RUNWAIT("SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE",@TempDir)

Edited March 3, 2004 by lotus

[mminisee]

Thank you to all for your replies, I will most likely go with the suggestion Lotus gave, thank you Lotus!!