Project Description

GPOPoker – A Poking Stick for Local Policy Changes

This tool lets you change local GPOs from the command line. The fancy PowerShell bits (the GroupPolicy module) can change domain GPOs too, but not local policies. The way local policies (and domain GPOs) work is that the editor does not write your setting into the registry at all; it writes it into a policy file, Registry.pol, which is essentially a serialised registry key: a list of key paths, value names, types and data. The snag is that this policy store is not the registry. What you see under HKLM\Software\Policies (and HKLM\Software\Microsoft\Windows\CurrentVersion\Policies) is a copy that the Group Policy engine writes out from the .pol files so that applications and services can read their settings easily, and most services read it once at startup.

So how do you change the setting for a service without using the local gpedit? Ever tried just setting the registry value directly? Nothing much happens: the running service does not re-read it, and the value is not in the policy store, so a later policy refresh can overwrite it. Welcome to our world; nothing is ever easy.

Yet making the same change as a domain GPO setting, or as mentioned as a local GPO change, does update the setting for the service, and the registry key is updated as well. So what on Earth is going on?

Enter policy objects and providers. A running service is generally not watching the registry for changes; it reads its policy settings at startup, and if it wants to react to later changes it registers for the Group Policy change notification (RegisterGPNotification) that the engine raises after a refresh, rather than polling the key. The settings themselves live in the .pol files under %SystemRoot%\System32\GroupPolicy, so a local admin poking values straight into the registry changes the copy, not the policy as recorded. The Group Policy Client service (gpsvc) is what ties it all together: it links domain GPOs, the local GPO and the registry copy, applies the .pol contents to the registry at each refresh, and then signals the change to anyone listening.
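To make the "policy key stored outside the registry" point concrete, here is an added example (not GPOPoker's code, and not from the original page) that writes and parses a Registry.pol file in the documented PReg format: a "PReg" signature and version, then one `[key;value;type;size;data]` record per setting, all in UTF-16LE. The BITS and Windows Update values in it are constructed sample data, not settings taken from the page, and the handling of `**del.` delete markers follows the PReg format rather than anything the page describes.

```python
"""Read and write Registry.pol, the file that holds a local GPO's registry
policy (the "PReg" format). Added illustration; not GPOPoker's code, and the
sample policy values below are constructed for this example."""
import struct

PREG_SIGNATURE = b"PReg"
PREG_VERSION = 1
DEL_PREFIX = "**del."  # value-name prefix meaning "delete this value"

# Registry value types as they appear in .pol entries (winnt.h REG_* values).
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7

BITS_KEY = "Software\\Policies\\Microsoft\\Windows\\BITS"
WU_KEY = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate"

# Constructed sample: two machine policies plus a delete marker. For a
# "**del." entry the engine keys off the name; the data is a placeholder.
SAMPLE_ENTRIES = [
    (BITS_KEY, "EnableBITSMaxBandwidth", REG_DWORD, 1),
    (BITS_KEY, "MaxTransferRateOnSchedule", REG_DWORD, 512),
    (BITS_KEY, DEL_PREFIX + "MaxTransferRateOffSchedule", REG_DWORD, 0x20202020),
    (WU_KEY, "WUServer", REG_SZ, "http://wsus.example.internal:8530"),
]


def _u16z(text):
    """UTF-16LE string with its terminating null, as stored in .pol files."""
    return (text + "\0").encode("utf-16-le")


def encode_value(reg_type, value):
    """Serialise a Python value into the raw data bytes of a .pol record."""
    if reg_type == REG_DWORD:
        return struct.pack("<I", value)
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return _u16z(value)
    if reg_type == REG_MULTI_SZ:
        return b"".join(_u16z(s) for s in value) + "\0".encode("utf-16-le")
    if reg_type == REG_BINARY:
        return bytes(value)
    raise ValueError("unsupported registry type %d" % reg_type)


def decode_value(reg_type, data):
    """Inverse of encode_value; unknown types are returned as raw bytes."""
    if reg_type == REG_DWORD:
        if len(data) != 4:
            raise ValueError("REG_DWORD with %d data bytes" % len(data))
        return struct.unpack("<I", data)[0]
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\0")
    if reg_type == REG_MULTI_SZ:
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    return data


def build_pol(entries):
    """Build a Registry.pol blob from (key, value_name, reg_type, value) tuples."""
    out = bytearray(PREG_SIGNATURE + struct.pack("<I", PREG_VERSION))
    sep = ";".encode("utf-16-le")
    for key, name, reg_type, value in entries:
        data = encode_value(reg_type, value)
        out += "[".encode("utf-16-le")
        out += _u16z(key) + sep + _u16z(name) + sep
        out += struct.pack("<I", reg_type) + sep + struct.pack("<I", len(data)) + sep
        out += data + "]".encode("utf-16-le")
    return bytes(out)


def parse_pol(blob):
    """Return a list of (key, value_name, reg_type, value) tuples.

    Malformed input raises ValueError instead of being skipped silently,
    so a truncated or hand-mangled policy file is noticed."""
    if blob[:4] != PREG_SIGNATURE:
        raise ValueError("not a registry policy file (missing PReg header)")
    version = struct.unpack_from("<I", blob, 4)[0]
    if version != PREG_VERSION:
        raise ValueError("unsupported PReg version %d" % version)
    pos = 8
    entries = []

    def read_string():
        nonlocal pos
        end = pos  # scan in 2-byte steps so a 0x00 byte inside a char is not a terminator
        while blob[end:end + 2] != b"\0\0":
            end += 2
            if end >= len(blob):
                raise ValueError("unterminated string at offset %d" % pos)
        text = blob[pos:end].decode("utf-16-le")
        pos = end + 2
        return text

    def expect(token):
        nonlocal pos
        if blob[pos:pos + 2] != token.encode("utf-16-le"):
            raise ValueError("expected %r at offset %d" % (token, pos))
        pos += 2

    while pos < len(blob):
        expect("[")
        key = read_string(); expect(";")
        name = read_string(); expect(";")
        reg_type = struct.unpack_from("<I", blob, pos)[0]; pos += 4; expect(";")
        size = struct.unpack_from("<I", blob, pos)[0]; pos += 4; expect(";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos += size
        expect("]")
        entries.append((key, name, reg_type, decode_value(reg_type, data)))
    return entries


def deleted_values(entries):
    """(key, value_name) pairs that a policy file deletes via **del. markers."""
    return [(k, n[len(DEL_PREFIX):]) for k, n, _, _ in entries if n.startswith(DEL_PREFIX)]


if __name__ == "__main__":
    blob = build_pol(SAMPLE_ENTRIES)
    for entry in parse_pol(blob):
        print(entry)
    print("deletes:", deleted_values(blob and parse_pol(blob)))
```

Reading the real file on a box (`%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol`, machine side only, as the tool above also limits itself to) and diffing its entries against HKLM\Software\Policies is a quick way to see which registry values are policy-backed and which were put there by hand.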

So how hard can it be to automate this? Well, there was nothing out there doing it, so we thought we would make a tool, as we had to write the code anyhow.

Usage is simple: give the tool the policy's registry path (the key and value under the Policies tree, exactly as gpedit would write it) and it instructs the Group Policy Client service (gpsvc) to do the work for us. It will not error on typos or on policies that don't exist, so copy and paste the path to avoid typos. The tool runs in WinPE as well, so it can be used during OSD (operating system deployment), which is always nice.

Needless to say, local policies are overwritten by domain policies at the next policy refresh, which on a domain member runs at boot and then in the background every 90 minutes plus a random offset of up to 30 minutes, so from where you sit the timing is effectively random. Also, we only handle Machine GPOs, as there is usually no user logged on when we run things. If you need user policies, let us know!

If you want to use the Microsoft toolset (which does more than we do), head here:

If you want to read up more on the APIs, here is where you should go:

If you want to build your own, here is a pretty good starting point:

So what can you do?

  • Set local policies before domain GPO policies are applied (OSD)
  • Trigger a change to a service's internal settings as a one-off
  • Tamper with settings that are not wanted as domain policy
  • Trigger the policy change from Task Scheduler
  • Set the BITS download policy on the fly
  • The sky is the limit!

Start Poking - Get GPOPoker!