It's possible, yes.
Not really advisable, because the supported and recommended way to do this is through the gpedit.msc
tool (or GPOs on a domain). As a result, doing it with a script is semi-documented at best, and you do run into some oddities trying.
If you're still determined to try, theses settings are really just registry keys. If can figure out which keys are changed, it's trivial to script something up to import all those registry keys and end up with the desired configuration. I'd just use a batch file, honestly.
The problem you'll run into, however, is that these changes need to be saved to %SYSTEM ROOT%\System32\GroupPolicy\User\Registry.pol
to be enforced as local group policy, and I don't know of a good scripted solution to that, so the common workaround is to set this up the way you want on a second machine, and copy the %SYSTEM ROOT%\System32\GroupPolicy\User
folder and files to your target machines.
I personally find the whole thing to be such a pain that I'd rather set up a small domain than go through that process to apply automate applying local group policy.
It's because you have Computer Settings Disabled
configured. Try changing that dropdown to just plain Enabled
and try that.
With that said, you're configuring both Computer Policies and User Policies in one GPO. Technically, there's nothing wrong with this but it is considered bad practice and makes troubleshooting difficult.
It also makes a mess of your security filtering. For example, in your instance, having the computers listed makes no difference whatsoever because you have Authenticated Users
listed.
I'd suggesting splitting your policies into two - one containing all of the Computer Configuration
items and one containing all of the User Configuration
items. If you want both sets of GPO's to apply to all computers in that OU (And therefore all users that logon to them) then just leave both sets of Security Filtering to Authenticated Users
. (Though bear in mind it'll apply to administrators, too)
Best Answer
As you can see in the Group Policy Settings Reference Guide (see your 1st link; in particular,
Windows10andWindowsServer2016PolicySettings.xlsx
document), most of security settings (e.g. User Rights, Password Policy, Audit Policy etc.) are not registry keys. Those are stored in theSecedit.sdb
database.For your task, you can use Microsoft's
secedit
command line tool (at least, export and import):Answer: Look for the below keys/entries under
[Privilege Rights]
section in the exported configuration file (you can add/change them easy using Powershell):SeLockMemoryPrivilege
Lock pages in memorySeManageVolumePrivilege
Perform volume maintenance tasksRead (and follow) Windows Security Baselines as well: