[gptalk] Re: Ignoring local group policy

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 20 Feb 2007 11:59:29 -0800

Sorry for the delayed response on this. I actually tried to take advantage of 
the 3-day weekend :)

Anyway, it is possible to disable the local GPO. Actually, Vista ships with an 
Admin Template policy to do this but assuming you are not using Vista, you can 
do it, though its not altogether obvious. Basically you have to set a flag on 
the LGPO's GPT.INI file to accomplish this. I've created a vbscript that you 
could run as a startup script in GP to do this. You would have to run it as 
either a startup script or as an admin. because the file it writes to doesn't 
grant access to normal users.

Also, you might want to precede running this script by copying the gpt.ini file 
that is there to a backup file, just in case.

Here is the VBScript. I will also post it on my GPOGUY Tools site:

' VBScript Source File -- Created with SAPIEN Technologies PrimalScript 4.0
' NAME: disableLGPO.vbs
' AUTHOR: Darren Mar-Elia , SDM Software, Inc.
' DATE  : 2/20/2007
' COMMENT: This script disables the local GPO in pre-Vista systems
On Error Resume Next
Const ForReading = 1
Const ForWriting = 2
Set WshShell = WScript.CreateObject("WScript.Shell")
' get the current system folder
sysDir = WshShell.ExpandEnvironmentStrings("%WinDir%")
Set objFSO = CreateObject("Scripting.FileSystemObject")
If Err.Number <>0 Then
        WScript.Echo "Unable to create FileSystemObject"
End If
Set objFile = objFSO.OpenTextFile(sysDir+"\system32\grouppolicy\gpt.ini", 
If Err.Number <>0 Then
        WScript.Echo "Unable to open gpt.ini for reading"
End If
counter = 0
Do Until objFile.AtEndOfStream
    strLine = objFile.ReadLine
    If InStr(strLine,"Options=") > 0 Then
        strLine = "Options=3"
    End If
    strContents = strContents & strLine & VbCrLf
'if we didn't find options= in the file then append it
If counter =0 Then
End If


Set objFile = objFSO.OpenTextFile(sysDir+"\system32\grouppolicy\gpt.ini", 
If Err.Number <>0 Then
        WScript.Echo "Unable to open gpt.ini for writing"
End If
WScript.Echo "Local GPO Disabled Successfully"



-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jeremy Saunders
Sent: Monday, February 19, 2007 8:08 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Ignoring local group policy

I think you can modify NTFS permissions on it, which will prevent it from
applying to whom ever you don't want it to apply to.

 Kind regards,                                                  
 Jeremy Saunders                                                
 Senior Technical Specialist                                    
 Infrastructure Technology Services                             
 (ITS) & Cerulean                                               
 Global Technology Services (GTS)                               
 IBM Australia                                                  
 Level 1, 1060 Hay Street                                       
 West Perth� WA� 6005                                           
 Postal: PO Box 525, West Perth WA                              
 Visit us at                                                    
 P:� +61 8 9261 8412                F:� +61 8 9261 8486         
 P:� (Reception) +61 8 9261 8420    E-mail:                     
 M:� TBA                            jeremy.saunders@xxxxxxxxxxx 

             "Alan & Margaret"                                             
             .com.au>                                                   To 
             Sent by:                  <gptalk@xxxxxxxxxxxxx>              
             gptalk-bounce@fre                                          cc 
                                       [gptalk] Re: Ignoring local group   
             20/02/2007 05:31          policy                              
             Please respond to                                             

Hi Nathan,

I don�t believe there is a way in Group Policy to turn off Local Policy. If
there was, you could get interesting behavior if you used Local Group
Policy to disable Local Group Policy processing�.

However one way that you could achieve the desired result is to have a
script that runs that removes all of the settings. It is all held under
C:\WINDOWS\system32\GroupPolicy, so if your script was to replace that
structure with a �clean� structure it should have the desired effect.

If there was only a few machines, you should be able to just do it as a
once off.

Alan Cuthbertson

 Policy Management Software:-

ADM Template Editor:-

Policy Log Reporter(Free)

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nathan
Sent: Monday, 19 February 2007 9:48 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Ignoring local group policy


We have some PC's running XP that have some local policy settings

Is it possible using GP, to setup a computer to ignore local policy and
only apply GP?


mjY?gv)?zf??? ???????-~???+-????+a?{.n?+?????^J??y?_??]9? 

You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/

Other related posts: