Jump to content

Welcome to MSFN Forum
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message will be removed once you have signed in.
Login to Account Create an Account



Photo

Disable GPO Via Command Line

- - - - -

  • Please log in to reply
7 replies to this topic

#1
Geeks123

Geeks123
  • Member
  • 6 posts
  • Joined 24-March 09
I have a few locations that aren't large enough for a Domain Controller, but have each machine locked down via the Local GPO. We are trying to install A/V software via our agents, but it keeps failing because the system is so locked down. Is there a way to disable the Local GPO via the Command Line so we can do the install without it failing?


How to remove advertisement from MSFN

#2
allen2

allen2

    Not really Newbie

  • Member
  • PipPipPipPipPipPipPip
  • 1,814 posts
  • Joined 13-January 06
The proper way would be to modify the gpo security to avoid its deployment on those computers. You can deny read rights in the delegate tabs for a computers group if the A/V is done using the computer part of the gpo.
The "other way" that i wouldn't try, would be remove those computers from domain (then reboot them), install your A/V, then read them to the domain.

#3
Geeks123

Geeks123
  • Member
  • 6 posts
  • Joined 24-March 09
Allen2 - There is no Domain otherwise I could quickly do what I need to. Each of these systems is locked down with the Local Group Policy

#4
allen2

allen2

    Not really Newbie

  • Member
  • PipPipPipPipPipPipPip
  • 1,814 posts
  • Joined 13-January 06
Then the proper way would be modify the local gpo to allow what you need. Most likely the used to deploy doesn't have enough rights or doesn't run with the right account.

#5
Geeks123

Geeks123
  • Member
  • 6 posts
  • Joined 24-March 09
Allen2 - Correct. Now, I need to know how to do that via a script so I can automate the process without having to go out and touch 150+ machines across 7 locations

#6
allen2

allen2

    Not really Newbie

  • Member
  • PipPipPipPipPipPipPip
  • 1,814 posts
  • Joined 13-January 06
Most gpo settings are reg entries, so you might which one is preventing the A/V to install and then set it before deploying.

#7
Geeks123

Geeks123
  • Member
  • 6 posts
  • Joined 24-March 09
I tired looking for those registry entries, but some of the ones I needed couldn't be found anywhere - and I looked a million different ways. In the end, I found out that if I edited the gpt.ini file, I could disable the entire GPO and do what I need to.

#8
alharaka

alharaka
  • Member
  • 4 posts
  • Joined 08-June 11
  • OS:Windows 7 x86
  • Country: Country Flag
Sorry to get to this topic late. If depends how you want to disable the GPO, from the admin/technician workstation side, which means disabling the GPO for every object to the OU it is applied in, or taking down one troublesome computer.

We use link enabled GPO's, so this might be the clincher for you (and why you ought to use them). Check out this Technet document.

As for the other way around, well, you do the equivalent of something I would do. I disconnect the computer from the network. I then remove the +H attribute off the %WinDir%\System32\GroupPolicy folder. Then, I just rename the folder, then run gpupdate /force. This obviously is a nasty kludge, but I often in my career had to quickly determine if GP was causing a configuration problem, an admin with button-mashing, a user, or a combo. This was a quick way to tell if GP was a culprit when I exhausted options. Might work for you, might not, and it is certainly not selective.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users