GPOPoker – A Poking Stick for Local Policy Changes
So how do you change the setting for a service without using local gpedit? Ever tried just setting the local registry? Nothing happens, right… Welcome to our world, nothing is ever easy.
But a domain GPO setting, or a local GPO change as mentioned, updates the setting for the service, and the registry key gets updated as well. So what on Earth is going on?
Enter policy objects and providers. Basically, the running service is not listening for registry changes, as that would depend on I/O-expensive WMI registry providers. Services also try to protect themselves from users with local admin fiddling with the registry, so the settings are hidden away in pesky .pol files, out of reach of sticky fingers. The Group Policy service keeps all of this together and links domain GPOs, local GPOs and local registry key changes.
So how hard can it be to automate this? Well, there was nothing out there doing it, so we thought we would write a tool, as we had to code the stuff anyhow.
Usage is simple: just provide the tool with the policy's registry path and we instruct the gposvc to do the work for us. It won't error if you make typos or try to set policies that don't exist, so copy and paste to avoid typos. The tool runs in WinPE as well, so it can be used during OSD, which is always nice.
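The .pol file mentioned above is Registry.pol (for the local machine policy it lives under %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol), and it is the thing the Group Policy service actually reads when it applies registry settings. The following is an added example, not code from the GPOPoker tool or from Microsoft's LGPO sources: a small Python reader and writer for that format, handy for auditing what a box's local policy really contains or for diffing it against what you expect. The BITS key is the real policy location; the value name is assumed from the BITS ADMX template and the 512 figure is made up, so check both against your own template before relying on them.

```python
"""Reader/writer for the Registry.pol format that holds the registry part of a
local (or domain) Group Policy object.  Added example for this post; it is not
code from the GPOPoker tool or from Microsoft's LGPO utilities."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Registry value type numbers from the Windows SDK (winnt.h).
REG_SZ, REG_BINARY, REG_DWORD = 1, 3, 4

# File header: "PReg" signature followed by a little-endian version DWORD of 1.
HEADER = b"PReg" + struct.pack("<I", 1)


@dataclass
class PolEntry:
    key: str     # registry key path below HKLM or HKCU, e.g. Software\Policies\...
    value: str   # value name ("" when the record refers to the key itself)
    type: int    # REG_* type number
    data: bytes  # raw value data exactly as it would sit in the registry


def _wide(s: str) -> bytes:
    """UTF-16LE encoding; the format writes its strings and separators this way."""
    return s.encode("utf-16-le")


def dump_pol(entries: List[PolEntry]) -> bytes:
    """Serialize entries as consecutive [key;value;type;size;data] records."""
    out = bytearray(HEADER)
    for e in entries:
        out += _wide("[") + _wide(e.key + "\0") + _wide(";")
        out += _wide(e.value + "\0") + _wide(";")
        out += struct.pack("<I", e.type) + _wide(";")
        out += struct.pack("<I", len(e.data)) + _wide(";")
        out += e.data + _wide("]")
    return bytes(out)


def _read_wide_z(blob: bytes, pos: int) -> Tuple[str, int]:
    """Read a NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while blob[end:end + 2] != b"\0\0":
        if end + 2 > len(blob):
            raise ValueError("unterminated string at offset %d" % pos)
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2


def _expect(blob: bytes, pos: int, ch: str) -> int:
    """Consume one UTF-16LE separator character or fail loudly."""
    if blob[pos:pos + 2] != _wide(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def load_pol(blob: bytes) -> List[PolEntry]:
    """Parse a Registry.pol blob; malformed input raises ValueError."""
    if blob[:8] != HEADER:
        raise ValueError("not a version-1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_wide_z(blob, pos)
        pos = _expect(blob, pos, ";")
        value, pos = _read_wide_z(blob, pos)
        pos = _expect(blob, pos, ";")
        (rtype,) = struct.unpack_from("<I", blob, pos)
        pos = _expect(blob, pos + 4, ";")
        (size,) = struct.unpack_from("<I", blob, pos)
        pos = _expect(blob, pos + 4, ";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = _expect(blob, pos + size, "]")
        entries.append(PolEntry(key, value, rtype, data))
    return entries


def dword_settings(entries: List[PolEntry]) -> dict:
    """Flatten REG_DWORD entries to {'key\\value': int} for auditing or diffing."""
    return {e.key + "\\" + e.value: struct.unpack("<I", e.data)[0]
            for e in entries if e.type == REG_DWORD and len(e.data) == 4}


def bits_example() -> bytes:
    """Build a one-entry machine policy file (constructed sample)."""
    # The key is the real BITS policy location; the value name is assumed from
    # the BITS ADMX template, so check it against your own copy before use.
    entry = PolEntry(r"Software\Policies\Microsoft\Windows\BITS",
                     "MaxTransferRateOnSchedule", REG_DWORD,
                     struct.pack("<I", 512))  # 512 Kbps, a made-up figure
    return dump_pol([entry])


if __name__ == "__main__":
    blob = bits_example()
    for k, v in dword_settings(load_pol(blob)).items():
        print(k, "=", v)
```

Dropping a file like this into place by hand does not by itself make the service apply it; that hand-off to the Group Policy service is exactly the step the tool described here performs, and it is also what the Group Policy API does when a local GPO is saved. For defenders the parser is the more useful half: read the machine's Registry.pol on a schedule and compare `dword_settings()` against a known-good baseline, so that a local policy tweak made outside of domain policy shows up as a diff rather than staying hidden in the file.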
Needless to say, local policies are overwritten by domain policies “whenever da computah got nuttin else to do”, which is random. Also, we only do Machine GPOs, as there is mostly no user logged on when we run things. If you need it, let us know!
If you want to use the cool MS toolset (which does more than we do), head here: http://blogs.technet.com/b/fdcc/archive/2008/05/07/lgpo-utilities.aspx
If you want to read up more on the APIs, here is where you should go: https://msdn.microsoft.com/en-us/library/aa374235.aspx
If you want to build your own, here is a pretty good starting point: http://blogs.technet.com/b/fdcc/archive/2010/01/15/updated-lgpo-utility-sources.aspx
So what can you do?
- Set local policies before GPO policies are applied (OSD)
- Trigger a change in the service internal settings as a one off
- Tamper with things that are not wanted as domain policy
- Trigger the policy change from task scheduler
- Set the BITS download policy on the fly
- The sky is the limit!