Windows Group Policy is a powerful tool that enables administrators to manage and configure settings for users and computers in a network environment. PowerShell, on the other hand, is a command-line shell and scripting language that is built on the .NET framework. By using PowerShell, administrators can interact with Windows Group Policy and automate common tasks.
In this post, we will explore how to interact with Windows Group Policy via PowerShell. We will cover the basics of creating, modifying, and deleting Group Policy Objects (GPOs), and configuring Group Policy settings.
Please note that some of the code samples below are kind of long, so watch out for line wrap.
Getting Started
Before we dive into the details, we need to make sure that we have the necessary tools installed. First, we need to ensure that we have the Windows Remote Management (WinRM) service enabled on the client and server machines. This service enables PowerShell to communicate with remote machines. To enable the WinRM service, open an elevated PowerShell window and run the following command:
Enable-PSRemoting -Force
Next, we need to install the Group Policy PowerShell module. This module provides cmdlets that allow us to create, modify, and delete GPOs, and configure Group Policy settings. To install the Group Policy PowerShell module, run the following command:
Install-WindowsFeature -Name RSAT-Group-Policy-Management-Tools
Creating a Group Policy Object
To create a new GPO, we use the New-GPO cmdlet. The following example shows how to create a new GPO named “Test GPO”:
New-GPO -Name "Test GPO"
Modifying a Group Policy Object
To modify an existing GPO, we use the Set-GPRegistryValue cmdlet. This cmdlet allows us to set a registry value in the GPO. The following example shows how to set the registry value “DisableLockScreen” to “1” in the “Test GPO”:
Set-GPRegistryValue -Name "Test GPO" -Key "HKLM\Software\Policies\Microsoft\Windows\Personalization" -ValueName "DisableLockScreen" -Value "1"
Deleting a Group Policy Object
To delete a GPO, we use the Remove-GPO cmdlet. The following example shows how to delete the “Test GPO”:
Remove-GPO -Name "Test GPO"
Configuring Group Policy Settings
To configure Group Policy settings, we use the Set-GPRegistryValue cmdlet. This cmdlet allows us to set registry values for various Group Policy settings. The following example shows how to set the “Turn off the display (plugged in)” setting to “15 minutes” in the “Default Domain Policy”:
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKCU\Control Panel\PowerCfg" -ValueName "DCSettingIndex" -Value "1"
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKCU\Control Panel\PowerCfg\PowerPolicies\{7516b95f-f776-4464-8c53-06167f40cc99}\0ca3bfe9-505c-4660-80ea-6c8b69f00c80" -ValueName "ACSettingIndex" -Value "1"
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKCU\Control Panel\PowerCfg\PowerPolicies\{7516b95f-f776-4464-8c53-06167f40cc99}\0ca3bfe9-505c-4660-80ea-6c8b69f00c80" -ValueName "DCSetting