Disable Local Group Policy User/Computer Configuration Settings

Question

Hello awesome people.
Someone asked me a question today, one I thought it was going to be an easy answer, but no.

I want a way to programmatically uncheck the checkboxes:
'Disable Computer Configuration Settings'
'Disable User Configuration Settings'
From the Local Computer Policy Properties.

I've looked around for PS modules and Windows native functions but couldn't pull it off.
Someone knows if there's a way?

Thank you in advance!!

226890-2022-08-01-16-35-05-window.png

Answer 1

There definitely might be a better way to do this, but here is what I was able to figure out simply...

Configuration for local group policy is stored in the following location:

C:\Windows\System32\GroupPolicy

If you go to that directory and open the gpt.ini file, you should see a line with "Options=" and then a value indicating the settings you are wanting to change.

0: Neither box is checked
1: Only Disable User Configuration is checked
2: Only Disable Computer Configuration is checked
3: Both are checked

I think by default both boxes are unchecked, and that line is not present. If modified, that .ini file should contain the options key with a value set. Here is a pretty simple script that would ensure both boxes are unchecked.

$gptIniFilePath = 'C:\Windows\System32\GroupPolicy\gpt.ini'  
$encoding = 'UTF8'  
$gptIniContent = Get-Content -Encoding $encoding -Path $gptIniFilePath  
foreach ($s in $gptIniContent) {  
    if($s.StartsWith("Options=")) {  
        $num = ($s -split "=")[1]   
        $val = [Convert]::ToInt32($num)  
        $newVal = 0  
        (Get-Content $gptIniFilePath) | ForEach-Object {$_ -replace "Options=$val","Options=$newVal" } |  
            Set-Content -Encoding $encoding $gptIniFilePath -Force  
    }  
}  

If you wanted to set them to anything other than unchecked, you would have to write a script that checks for the existence of that key in the .ini and add it if it isn't present.

Answer 2

In case someone needs, thanks to @Dave Woolsey , this is what I came up with.

[CmdletBinding()]  
param (  
    [Parameter(Mandatory)]  
    [string[]]$ComputerName,  
  
    [Parameter()]  
    [pscredential]$Credential  
)  
  
if ($Credential) { $credParam = @{ Credential = $Credential } }  
else { $credParam = @{ } }  
  
$count = 1  
$fail = @()  
foreach ($computer in $computerName) {  
    Invoke-Command -ComputerName $Computer @credParam -ScriptBlock {  
        if ($Using:Credential) { $innerCred = @{ Credential = $Using:Credential } }  
        else { $innerCred = @{ } }  
          
        [void](New-PSDrive -Name 'TempDrive' -PSProvider 'FileSystem' -Root 'C:\Windows\System32\GroupPolicy\' @innerCred)  
          
        $content = Get-Content -Path 'TempDrive:\gpt.ini' -Encoding 'UTF8' -ErrorAction 'SilentlyContinue'  
        if ($content -match 'Options=') {  
            try {  
                Set-Content -Path 'TempDrive:\gpt.ini' -Value ($content -replace 'Options=.', 'Options=0') -ErrorAction 'Stop'  
                Write-Host "Finished setting computer: '$env:COMPUTERNAME'. [$Using:count]" -ForegroundColor DarkGreen  
            }  
            catch { Write-Warning "Error setting the content for computer: '$env:COMPUTERNAME'. $($PSItem.Exception.Message) [$Using:count]"; $fail += [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Exception = $PSItem.Exception.Message } }  
        }  
        else {  
            Add-Content -Path 'TempDrive:\gpt.ini' -Value 'Options=0' -ErrorAction 'SilentlyContinue'  
            Write-Host "Finished setting computer: '$env:COMPUTERNAME'. [$Using:count]" -ForegroundColor DarkGreen  
        }  
  
        [void](Remove-PSDrive -Name 'TempDrive' -Force)  
    }  
    $count ++  
}