Skip to main content

How to Enable / Disable a basic GPO Setting with PowerShell

PowerShell allows you to make changes to your Group Policy objects.  This is a good way to create an automatic response to changes in your network environment.   The script below will show you how to configure a basic GPO setting.
A Basic GPO setting has three possible states:
  • Not Configured
  • Enabled
  • Disabled

We are going to use the GPO setting of Automatically Publish new Printers in Active Directory as our test subject.  A GPO called GPO-Test was created to house this setting. 
Using the Group Policy Settings Reference from Microsoft, I located the registry key in question:
HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Auto Publishing
The value name is Auto Publishing.
When set to Enabled, the REG-DWORD is set to 0x00000001 (1)
When set to Disabled, the value is set to 0x00000000 (0)
When set to Not Configured, The value of Printers is not present in the registry.

This script is designed to show you how to achieve all three settings.  You can complete this task in just one command line.  Just take the code from one of the functions and plug in your values.  This code includes error checking in two areas that testing determined that an error could happen.

<#
===========================================================
Script Name: BasicGPOSettings.ps1
Author: Jason A. Yoder, MCT
Website: WWW.MCTExpert.com
Blogsite: WWW.MCTExpert.Blogspot.com
-----------------------------------------------------------
Script Purpose:
Demonstrate how to use PowerShell to change a basic
GPO Settings

-----------------------------------------------------------
Requirements:
- Must be ran on a Domain Controller or Windows 7 Client
  with RSAT installed.

- User must have the necessary permissions to modify
  the GPO.

-----------------------------------------------------------
Revision History:
Currently Version 1.0

-----------------------------------------------------------
Known Issues:
None.

-----------------------------------------------------------
#>
Set-StrictMode -version 2.0
# Variables:
# $GPOName: Holds the name of the Group Policy to be
# modified.
$GPOName = "GPO-Test"
# $ListKey : The registry key to be modified
$ListKey = "HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard"
# $ListValueName : TheValueName to be changed.
$ListValueName = "Auto Publishing"
# $Decision : Will record the users choice on when
# value to set in the GPO.
$Decision = 0
# $QuestionString : String to display the valid choices
# to the user.
$QuestionString = "Please select from the following: 'r
1) - Set the policy to `"Enable`" `r
2) - Set the policy to `"Disabled`" `r
3) - Set the policy to `"Not Configured`" `r
4) - Retrieve the current policy information`" `r
5) - Exit the script without making changes"

# =========================================================

# =========================================================
# Functions:

# Enable_Setting will set the GPO value to "Enabled"
Function Enable_Setting
    {
        Set-GPRegistryValue -Name $GPOName -Key $ListKey `
       -ValueName $ListValueName -Type DWORD -Value 1 
       Write-Host "The GPO value has been enabled."
    }
# Disable_Setting will set the GPO value to "Disabled"
Function Disable_Setting
    {
       
Set-GPRegistryValue -Name $GPOName -Key $ListKey `
       -ValueName $ListValueName -Type DWORD -Value 0  
        Write-Host "The GPO value has been disabled."
    }
   
# Get_Current_Value will display the current value for the GPO setting.
# Error handling is set should this value be set to "Not Configured."
# In a "Not Configured" state, the GPO value is not present and would
# otherwise error out.
Function Get_Current_Value
    {
        Try {Get-GPRegistryValue -Name $GPOName -Key `
        $ListKey -ErrorAction Stop}
        Catch { Write-Host "This GPO value is `"Not Configured`"."
                Write-Host "No data to return."}
    }
# NC_Setting will set the GPO value to "Disabled"
# Error handling is set should this value be set to "Not Configured."
# In a "Not Configured" state, the GPO value is not present and would
# otherwise error out.
Function NC_Setting
    {
        Write-Host "Setting the value to `"Not Configured`"."
        Try { Remove-GPRegistryValue -Name $GPOName -Key `
        $ListKey -ValueName $ListValueName -ErrorAction Stop}
        Catch { Write-Host "This GPO value is already set to `"Not Configured`"."}
    }
   
# == End of Functions : ===================================
# =========================================================
# Main Code:

# Announce the start of the script.
Clear-Host
Write-Host "=== Starting Script: BasicGPOSettings.ps1 ===" -foregroundcolor green

# Import the cmdlet needed for this operation from the
# GroupPolicy module
Import-Module GroupPolicy -cmdlet Set-GPRegistryValue, Remove-GPRegistryValue, Get-GPRegistryValue
# Display the users choices and record their decision in
# The variable $Decision.
$Decision = Read-Host ($QuestionString)
# Use the switch statement against $Decision to determine
# which function to execute.  Set the Switch statement to
# end on the first match. Set a DEFAULT value should the
# user select option 5 or provide an invalid input.
Switch ($Decision)
    {
        1 {Enable_Setting; Break}
        2 {Disable_Setting; Break}
        3 {NC_Setting; Break}
        4 {Get_Current_Value; Break}
        Default {"No Changes Made"; Break}
     }
    
# Announce the end of the script.
Write-Host "=== Ending Script: BasicGPOSettings.ps1 ===" -foregroundcolor green
# == End of Main Code =====================================

Comments

Popular posts from this blog

How to list all the AD LDS instances on a server

AD LDS allows you to provide directory services to applications that are free of the confines of Active Directory.  To list all the AD LDS instances on a server, follow this procedure: Log into the server in question Open a command prompt. Type dsdbutil and press Enter Type List Instances and press Enter . You will receive a list of the instance name, both the LDAP and SSL port numbers, the location of the database, and its status.

How to run GPResult on a remote client with PowerShell

In the past, to run the GPResult command, you would need to either physically visit this client, have the user do it, or use and RDP connection.  In all cases, this will disrupt the user.  First, you need PowerShell remoting enabled on the target machine.  You can do this via Group Policy . Open PowerShell and type this command. Invoke-Command –ScriptBlock {GPResult /r} –ComputerName <ComputerName> Replace <ComputerName> with the name of the target.  Remember, the target needs to be online and accessible to you.

Error icon when creating a GPO Preference drive map

You may not have an error at all.  Take a look at the drive mapping below. The red triangle is what threw us off.  It is not an error.  It is simply a color representation of the Replace option of the Action field in the properties of the drive mappings. Create action This give you a green triangle. The Create action creates a new mapped drive for users. Replace Action The Replace action gives you a red triangle.  This action will delete and recreate mapped drives for users. The net result of the Replace action is to overwrite all existing settings associated with the mapped drive. If the drive mapping does not exist, then the Replace action creates a new drive mapping. Update Action The Update action will have a yellow triangle. Update will modify settings of an existing mapped drive for users. This action differs from Replace in that it only updates settings defined within the preference item. All other settings remain as configured on the ma...