[Geeks123]

I have a few locations that aren't large enough for a Domain Controller, but have each machine locked down via the Local GPO. We are trying to install A/V software via our agents, but it keeps failing because the system is so locked down. Is there a way to disable the Local GPO via the Command Line so we can do the install without it failing?

[allen2]

The proper way would be to modify the gpo security to avoid its deployment on those computers. You can deny read rights in the delegate tabs for a computers group if the A/V is done using the computer part of the gpo.
The "other way" that i wouldn't try, would be remove those computers from domain (then reboot them), install your A/V, then read them to the domain.

[Geeks123]

Allen2 - There is no Domain otherwise I could quickly do what I need to. Each of these systems is locked down with the Local Group Policy

[allen2]

Then the proper way would be modify the local gpo to allow what you need. Most likely the used to deploy doesn't have enough rights or doesn't run with the right account.

[Geeks123]

Allen2 - Correct. Now, I need to know how to do that via a script so I can automate the process without having to go out and touch 150+ machines across 7 locations

[allen2]

Most gpo settings are reg entries, so you might which one is preventing the A/V to install and then set it before deploying.

[Geeks123]

I tired looking for those registry entries, but some of the ones I needed couldn't be found anywhere - and I looked a million different ways. In the end, I found out that if I edited the gpt.ini file, I could disable the entire GPO and do what I need to.

[alharaka]

Sorry to get to this topic late. If depends how you want to disable the GPO, from the admin/technician workstation side, which means disabling the GPO for every object to the OU it is applied in, or taking down one troublesome computer.

We use link enabled GPO's, so this might be the clincher for you (and why you ought to use them). Check out this Technet document.

As for the other way around, well, you do the equivalent of something I would do. I disconnect the computer from the network. I then remove the +H attribute off the %WinDir%\System32\GroupPolicy folder. Then, I just rename the folder, then run gpupdate /force. This obviously is a nasty kludge, but I often in my career had to quickly determine if GP was causing a configuration problem, an admin with button-mashing, a user, or a combo. This was a quick way to tell if GP was a culprit when I exhausted options. Might work for you, might not, and it is certainly not selective.