• Announcements

    • xper

      MSFN Sponsorship and AdBlockers!   07/10/2016

      Dear members, MSFN is made available via subscriptions, donations and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. Alternatively, become a site sponsor and ads will be disabled automatically and by subscribing you get other sponsor benefits.
Geeks123

Disable GPO Via Command Line

8 posts in this topic

I have a few locations that aren't large enough for a Domain Controller, but have each machine locked down via the Local GPO. We are trying to install A/V software via our agents, but it keeps failing because the system is so locked down. Is there a way to disable the Local GPO via the Command Line so we can do the install without it failing?

0

Share this post


Link to post
Share on other sites

The proper way would be to modify the gpo security to avoid its deployment on those computers. You can deny read rights in the delegate tabs for a computers group if the A/V is done using the computer part of the gpo.

The "other way" that i wouldn't try, would be remove those computers from domain (then reboot them), install your A/V, then read them to the domain.

0

Share this post


Link to post
Share on other sites

Allen2 - There is no Domain otherwise I could quickly do what I need to. Each of these systems is locked down with the Local Group Policy

0

Share this post


Link to post
Share on other sites

Then the proper way would be modify the local gpo to allow what you need. Most likely the used to deploy doesn't have enough rights or doesn't run with the right account.

0

Share this post


Link to post
Share on other sites

Allen2 - Correct. Now, I need to know how to do that via a script so I can automate the process without having to go out and touch 150+ machines across 7 locations

0

Share this post


Link to post
Share on other sites

Most gpo settings are reg entries, so you might which one is preventing the A/V to install and then set it before deploying.

0

Share this post


Link to post
Share on other sites

I tired looking for those registry entries, but some of the ones I needed couldn't be found anywhere - and I looked a million different ways. In the end, I found out that if I edited the gpt.ini file, I could disable the entire GPO and do what I need to.

0

Share this post


Link to post
Share on other sites

Sorry to get to this topic late. If depends how you want to disable the GPO, from the admin/technician workstation side, which means disabling the GPO for every object to the OU it is applied in, or taking down one troublesome computer.

We use link enabled GPO's, so this might be the clincher for you (and why you ought to use them). Check out this Technet document.

As for the other way around, well, you do the equivalent of something I would do. I disconnect the computer from the network. I then remove the +H attribute off the %WinDir%\System32\GroupPolicy folder. Then, I just rename the folder, then run gpupdate /force. This obviously is a nasty kludge, but I often in my career had to quickly determine if GP was causing a configuration problem, an admin with button-mashing, a user, or a combo. This was a quick way to tell if GP was a culprit when I exhausted options. Might work for you, might not, and it is certainly not selective.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.