Group Policy Hope on Home Editions of Windows

Topic

New Reply

Policy Plus brings Group Policy to all Windows editions
By Martin Brinkmann | July 25, 2017

 
Policy Plus is a free open source program for Microsoft Windows that introduces Group Policy access on all editions of the Windows operating system.

Microsoft limits access to the Group Policy to professional and Enterprise editions of Windows. This means that Home edition users, for instance those running Windows 10 Home or Windows 7 Home Premium, cannot use the Group Policy for administrative tasks.
…
Policy Plus supports several other nice to have features such as lists of technical information about objects, and options to export and import policy settings.

Policy Plus is an excellent program for Windows Home edition users who want access to the Group Policy, or more precisely, to policies that are applied using the Windows Registry.

 
Read Martin’s full write-up on ghacks.net

On Github: Policy Plus – Local Group Policy Editor plus more, for all Windows editions.
N.B. Note that Policy Plus is still pre-release software, so there may be bugs; please submit any problems to the issue tracker.

4 users thanked author for this post.

AlexEiffel, HiFlyer, MrBrian, Elly

Reply | Quote

Replies

I actually was playing with local group policies on an independent station outside of domain and have questions, as finding good information on this subject is very difficult on the web. I hope someone here can shed some light and help my comprehension.

Ok, so from what I understand, most local policies are stored in the registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
or the equivalent with HKEY_CURRENT_USER instead of HKEY_LOCAL_MACHINE.
Some (security) are in a .inf file, but they are of limited interest to this discussion.

When you look at which registry values are modified using procmon when paying with gpedit, there seems to be a temporary place in the registry where it gets written when you play with gpedit, but using a little intuition, you can deduct quite easily the real registry place where it goes, removing the part that is some GUID identifier and adjusting. So, I could easily find lots of registry values that represents a certain policy and create a huge registry file to push all those on another PC. Good for quick tweaking a new install or after a feature update if you think some might have been altered. So far, it seems pretty simple: gpedit is a front-end to modify the policies stored in the registry while providing input validation and explanations. Great.

However, I also read that local policies are stored outside the registry in
%SystemRoot%\System32\GroupPolicy\Machine or User or GroupPolicyUsers

Using the lgpo tool from Microsoft to export and import local policies, you work with those Machine, User or GroupPolicyUsers folders, not the registry directly. It seems like just working with the registry isn’t enough and looks more like the registry values are a result of the application of the settings stored in those folders than anything. So what happens on a standalone workstation when there is no domain and all kind of GP propagation and hierarchy of GPs? Windows reads those folders when it starts and it applies what it finds to the registry under the policies keys then uses those registry keys when it needs to interrogate the policy status?

What happens if I create a registry file that simply put some settings there in the registry? It seems to work, even on Windows home that doesn’t support group policy editing. However, what will happen if I set a registry value using a registry file that is different than the current configuration stored in the Machine or other folders? Will what is in the machine folder take precedence over the same setting with a different value I pushed with the registry file and will be read on the next reboot to replace the value I just put in the registry?

For example, if I pushed a setting using a registry file while never having opened the gpedit tool, it will work. However, if I used the gpedit tool previously to set a value to false and I push a registry modification using a .reg file to set it to true, will it stick?

The other question I have is related to when you want to push some current_user settings for a standard user with no admin rights. If I elevate to admin prompt before importing the registry file, will it apply to the current standard user or the admin user? If I use lgpo instead, will it exhibit the same behavior?

Thanks

Reply | Quote

Why gpedit and the corresponding registry entries are not synchronized?

1 user thanked author for this post.

AlexEiffel

Reply | Quote

All that matters is in the registry in the locations already mentioned by you.
The settings in the folders are for the gpedit reference.
Without trigerring gpedit, those .pol files are never read.
This means that in practice, by understanding the locations and configuration in the registry, there is no need for gpedit and this is how some configuration is done on editions which officially do not support Group Policy.
This is how AD GP works as well, by overwriting the registry locations with settings pushed from the sysvol replicated folder and settings.

1 user thanked author for this post.

AlexEiffel

Reply | Quote

Thanks to you and MrBrian.

However, you both say different things.

According to MrBrian link, “Local group policy settings (which is what I believe you are referring to in your post) are stored in registry.pol files located in C:\Windows\system32\GroupPolicy. These files overwrite the corresponding keys in the registry every time the system performs a group policy refresh. The editor never actually reads the registry to see what settings it contains.”

So that means they would be read regularly and overwrite any manually set registry entry if configured (and leave them alone if not, I guess). Doing a gpupdate /force would read those files and adjust the registry. Am I right? At least on Pro Edition? On home edition, maybe those folders would be completely ignored but setting manually the policies in the registry would work, thus your comment would have applied perfectly to home edition?

Why can’t it be explained simply somewhere on the web in a small technical document?

Now, does anyone has an answer for my question at the last paragraph?

Thanks all.

 

 

Reply | Quote

Both answers are right, as far as I know. For enforcement of local group policies, Windows uses what’s stored in the registry. But because the local group policy editor doesn’t read what’s stored in the registry, the two can be out of sync.

1 user thanked author for this post.

AlexEiffel

Reply | Quote

Wow, that is terrible!

And the link provided repeats my experience about not having any easy to find documentation on the subject online. It should not be hard to have a succinct explanation about that so people don’t break their setup thinking they do one thing and it does another…

So I guess I will have to resort to own experimentation when I have time and report the results.

Thanks though, it really helps me point in the right direction for testing all this.

1 user thanked author for this post.

MrBrian

Reply | Quote

You’re welcome :).

Perhaps Policy Analyzer could be useful to you. (I haven’t tried it.)

1 user thanked author for this post.

AlexEiffel

Reply | Quote

Imagine buying a very complex appliance with no instruction manual, not even a downloadable one. Even when Windows was much simpler, it never understood why you can’t go to a Microsoft web site where there is clear documentation about the product features.

A big name that comes to mind is Cisco. Their small ASA firewall comes with a documentation that is more than 3000 pages and they update it online all the time. The only problem with it is the “clear” part is omitted. If would almost suggest they keep it purposefully incomplete and obscure, just giving enough detail to say they did, so that you either pay for their classes or hire consultants. I learned a lot of it by myself and it took me much much longer than I expected to end up being able to do a lot of things that are not very hard to do when you know how. When you see how competent their support employees are, there is a big disconnect between the artificial learning curve and their high level of proficiency.

Reply | Quote

Gpedit.msc and the registry

1 user thanked author for this post.

AlexEiffel

Reply | Quote

We may both be right in fact.
If the entries in registry.pol files are “Not configured”, then the registry entries are not overwritten, as there is nothing with which to overwrite. I think registry.pol under User does not exist by default until an entry in gpedit is created and this would be another option to make sure nothing gets overwritten, i.e. deleting the registry.pol files under User and Machine.
If the entries in registry.pol files are configured, then they may overwrite in certain conditions, like when running gpupdate /force, but I don’t know if this command has any effect locally.
I am not so much concerned with unsupported configurations as I see them “surrogate” systems administration which is out of scope for my purpose. I may do my own experimenting behind the scenes for the understanding of the issues involved, but I would certainly not advice unsuspecting end-users to use those configurations which would make their systems even more unreliable. Those who have enough understanding of this stuff and how to control it properly, do not use Home Editions.

1 user thanked author for this post.

AlexEiffel

Reply | Quote

Thanks, ch100. It seems to confirm the behavior I suspected too.

You need to realize people like me don’t want to run home, but they help a lot of people who do because that is what came with their PC and they are not interested in giving more money to a company that they feel is already making them angry for not the most noble reasons.

Having an almost automatically deployed set of settings that could be preserved during feature upgrades is a huge bonus to save time and aggravation, so it is important for me to find such tools if they exist. Maybe it can be a registry.pol dropped directly in a home edition folder, maybe an import using lgpo, maybe just a direct push of registry settings that won’t get overwritten because there won’t be any registry.pol file on home edition. I prefer to just use what is already available on Windows as I find that it brings less risk to create issues than a third party app that might not follow that closely Windows development and might skip an update when needed. Because Microsoft doesn’t officially support something or don’t want people to use it to much, that doesn’t mean it doesn’t work or that it won’t in the future. I often didn’t follow Microsoft recommendations when I thought they just said that for the wrong reasons (not get calls from angry customers who run old software I don’t run, for example) and sometimes not following Microsoft recommendation saved my day as when 32 bits versions of Office had synchronization issues with Iphones but the 64 bits version where fine. However, I agree with you that it is often not a good idea to go against recommendation because it can create issues, especially if Microsoft decides to do something about it because it becomes bad for them that people do a certain thing.

Despite that, during my long career using Windows, I found a good number of times that tinkering a bit like this can provide a lot of positive for a very manageable risk in my case. And finally, like you, I am not a fan either of third-party tools that does unsupported things or that are simply from a source we don’t know much about and I try to avoid them, but sometimes, this is the best compromise you have, just like I really tried hard to not run Classic Shell on Windows 10, but the Windows search behavior bug is so bad since AU that I just can’t or else risk loosing my sanity facing frustration a hundred times a day. Then, one needs to try to make a good judgment by looking at cues that development is very active, reputation is high and other factors, but it can only be an imperfect exercise at best.

Reply | Quote

Group Policy Editor is a very useful, and easy-to-use tool for allowing or prohibiting various activity by a user in Windows. And it is far safer than doing direct editing of the registry.

I have always been disappointed that Group Policy Editor has not been available in the lower editions of Windows (e.g. Home).

Now we have a Group Policy editor for the lower editions of Windows. This is fantastic news.

If you have never used Group Policy Editor, you should try it. It will very quickly become one of your favorite tools.

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

1 user thanked author for this post.

Elly

Reply | Quote