disable - local security policy

This topic contains 6 replies, has 2 voices, and was last updated by Profile photo of GoogleUser21 GoogleUser21 1 year, 9 months ago.

  • Author
    Posts
  • #24046
    Profile photo of GoogleUser21
    GoogleUser21
    Participant

    scenario – for certain reasons I have about 30 machines on a workgroup...once a month I have to go to each workstation and uncheck the below items.

    go to local computer Policy > Right Click > uncheck disable computer configuration settings and also uncheck disable user configuration settings.

    issue:
    I don't see the option to uncheck these items with something like the below using secedit.

    secedit /export /cfg c:\secpol.cfg
    (gc C:\secpol.cfg).replace("xxxt = 1", "xxx = 0") | Out-File C:\secpol.cfg
    secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
    rm -force c:\secpol.cfg -confirm:$false

    any guidance would be greatly appreciated.

    even if its just a registry value it would be great to know where these values are stored.

    Much thanks to everyone on this great board!

  • #24058
    Profile photo of Daniel Krebs
    Daniel Krebs
    Participant

    Try to change the Options value in C:\Windows\System32\GroupPolicy\gpt.ini to 0 and reboot at least once to check if it sticks.

    [attachment file="gpt.PNG"]

  • #24070
    Profile photo of GoogleUser21
    GoogleUser21
    Participant

    Daniel,

    I know how to change values with powershell within the registry. Is there a way to change with value within an .ini file?

    I notice the gpt.ini file has other values so I'd like to only change the option to 0 instead of replacing the entire file.

    Your helping IS VERY VERY much appreciated!

    Thanks Daniel!

  • #24169
    Profile photo of Daniel Krebs
    Daniel Krebs
    Participant

    Sorry to the delayed reply. The following short script updates the INI file but only changes the Options line.

    Param (
    
        $FilePath = 'C:\Windows\System32\GroupPolicy\gpt.ini',
        $OptionsValue = 0
    )
    
    $Content = @(Get-Content -Path $FilePath)
    for ($i = 0; $i -lt $Content.Count; $i++) {
    
        if ($Content[$i].StartsWith('Options=') -and $Content[$i] -ne "Options=$OptionValue") {
    
            $Content[$i] = "Options=$OptionsValue"
        }
    }
    $Content | Out-File -Encoding ascii -FilePath $FilePath
    
  • #24211
    Profile photo of GoogleUser21
    GoogleUser21
    Participant

    Daniel

    I created the above script and the file isn't updated.

    Note – I'm not getting any errors either. Do you have any advise?

    Thanks so much !

  • #24228
    Profile photo of GoogleUser21
    GoogleUser21
    Participant

    Daniel I figured it out.

    the values are case sensitive. for options, within the ini file the O is upper case. Much thanks Daniel.

    It would be nice to add some type of output to ensure that the value was successfully change. Any ideas on that?

  • #24229
    Profile photo of GoogleUser21
    GoogleUser21
    Participant

    I just noticed that I can use a foreach statement to run this against multiple workstations, can anyone help me out on this one?

You must be logged in to reply to this topic.