I'm trying to make it easy to add a LogOff script to Group Policy and am having difficulty finding any information on adding Group Policy via script.
I already have the script I want to run at Logoff, I know how to run scripts via Group Policy. I want to know if Group Policy itself can be managed by script.
I do not have access to modify group policy for the domain or even for my OU; however, I can add entries to the local computer policy.
I've tried isolating registry entries created and changed when adding a Group Policy script, but quickly found this to be prohibitive in its difficulty and complexity. Maybe I read the comparison wrong, but there seemed to be quite a bit changed in just one Group Policy change.
So I've fallen back to scripting. Using either VBScript or Batch, can I add an entry to Local Computer Policy\User Configuration\Scripts\Logoff using a script?
UPDATE: Any tips on how to better isolate registry changes made during GP change would be appreciated if this is the only (or best) way to go.
There is no API that I'm aware of to make automated changes to the local Group Policy Object on Windows XP (called "Local Group Policy" in newer versions of Windows).
I've had some success manually copying the contents of the %SystemRoot%\System32\GroupPolicy folder between machines. As long as you don't have machine-specific entries there (referencing the machine SID) this should be possible. That won't be in any way "supported" by Microsoft, though, and if it breaks you get to keep the pieces.
Here's an example of a script that modifies local group policy that you might want to look at, too. It's not using any "supported" APIs-- it's just banging on the GPT.INI file. This may work but is definitely "unsupported", too.
Based on your comment to @Zoredache I think you're better off manually doing this to a few computers rather than trying to script it to a bunch of computers. You're going to end up making the person or department who handles Domain Group Policy very unhappy if they have to undo a bunch of local changes on client computers (which are just as difficult to undo as they are to make in the first place).
I am the person who wrote the script referenced in your answer and just wanted to clarify that although it was suggested that it's unsupported, and "just banging on the GPT.INI file", it does exactly what a manual change does. You can prove this by simply making the change manually, and tracking through what it does. There are also a lot of notes in the script from the research I did at the time.
Alternatively, look at deploying the "LocalGPO" command line tool that comes with the new Microsoft Security Compliance Manager v2: http://blogs.technet.com/b/secguide/archive/2011/06/27/scm-v2-beta-new-baselines-available-to-download.aspx http://www.grouppolicy.biz/2011/03/introducing-microsoft-security-compliance-manager-v2/
Hope that helps.
Cheers, Jeremy.
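Before copying a GroupPolicy folder between machines or trusting a scripted GPT.INI edit, as discussed in the answers above, it helps to list read-only which logon/logoff scripts the folder configures and what revision GPT.INI reports. This is an added example, not code from either answer or from the linked script; it assumes the usual local GPO layout (`User\Scripts\scripts.ini` with `[Logon]`/`[Logoff]` sections holding `NCmdLine`/`NParameters` pairs, and a GPT.INI `Version` whose high 16 bits are the user revision), and the sample contents are constructed.

```python
import os
import re
from pathlib import Path

SECTION = re.compile(r"^\[([^\]]+)\]$")
ENTRY = re.compile(r"^(\d+)(CmdLine|Parameters)=(.*)$", re.I)

def read_ini(path):
    """Decode an INI file; assumes UTF-16 when a BOM is present, else UTF-8."""
    data = Path(path).read_bytes()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", "replace")

def parse_scripts_ini(text):
    """Return {section: [(cmdline, parameters), ...]} ordered by entry index."""
    found, section = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            section = m.group(1).capitalize()
            found.setdefault(section, {})
        elif section and (m := ENTRY.match(line)):
            slot = found[section].setdefault(int(m.group(1)), {})
            slot[m.group(2).lower()] = m.group(3)
    return {s: [(e.get("cmdline", ""), e.get("parameters", ""))
                for _, e in sorted(entries.items())]
            for s, entries in found.items()}

def split_gpt_version(text):
    """GPT.INI Version: high 16 bits = user revision, low 16 bits = machine."""
    m = re.search(r"^Version=(\d+)\s*$", text, re.M | re.I)
    value = int(m.group(1)) if m else 0
    return value >> 16, value & 0xFFFF

# Constructed sample contents (not taken from any real machine).
SAMPLE_SCRIPTS = ("[Logon]\r\n[Logoff]\r\n0CmdLine=C:\\Scripts\\cleanup.vbs\r\n"
                  "0Parameters=/quiet\r\n1CmdLine=archive.bat\r\n1Parameters=\r\n")
SAMPLE_GPT = "[General]\r\ngPCFunctionalityVersion=2\r\nVersion=131073\r\n"

if __name__ == "__main__":
    # Assumed default location; falls back to the samples when it is absent.
    root = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32" / "GroupPolicy"
    ini, gpt = root / "User" / "Scripts" / "scripts.ini", root / "gpt.ini"
    scripts = read_ini(ini) if ini.exists() else SAMPLE_SCRIPTS
    gpt_text = read_ini(gpt) if gpt.exists() else SAMPLE_GPT
    print("user/machine revision:", split_gpt_version(gpt_text))
    for section, entries in parse_scripts_ini(scripts).items():
        for cmd, params in entries:
            print(f"{section}: {cmd} {params}".rstrip())
```

Running it before and after a change shows whether the script list and the user revision moved together, which is the same check as making the change manually and tracking what it does.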