How to bypass PC reboot when applying group policies. Part 1
Why did I set out to bypass the delay in applying policies to local computers?
The usual answer is curiosity about how to do it. As one commenter put it: work for work's sake.
Why is all this necessary? I couldn't answer that question for myself. But, as the saying goes, desire is stronger than compulsion. I really wanted to find a solution.
Surfing the Internet, I began collecting all sorts of information on policies and when they get applied.
In the end I found everything I needed. I kept what was useful and discarded what wasn't.
I started experimenting with Windows 7.
I took the original image (not a custom build) as a basis. After installing a clean Windows on a clean disk, I installed the software needed for work and activated both Windows and Office. I set the IP address and DNS server and joined the machine to the domain. I created a test user on the server and logged into the computer with that account.
I did everything at my workplace. Besides my work PC and three servers, I have 4 spare computers for users on different hardware (two PCs on socket 775, one on socket 1155 and one on socket 1151), so I could experiment with different OS versions.
Then I started configuring the local machine.
After configuring it, I rebooted the computer, logged in again as the test user and sent a command from the server to apply the policy to the local computer. The result: the policy was applied, with a delay of 15 seconds.
Why not immediately, but only 15 seconds after the GPO was linked to the computer, I still don't understand.
I applied the policy that blocks flash drives, because it is obvious when that policy takes effect on the desktop: the flash drive immediately becomes inaccessible, i.e. its contents are no longer displayed, and when you try to open the flash drive a window pops up saying access is denied.
Then I unlinked this policy from the user's OU, gave the command to apply the policy once more, and again after 15 seconds the policy was applied. The flash drive became readable and accessible again.
Once this GPO is applied, it means the others will be applied too.
I went a little further. I blocked the USB ports again, created another GPO (sleep after 10 minutes of machine inactivity), linked that GPO to this computer and again gave the command to apply the policy. I waited 10 minutes (well, maybe 11) and that was it: the screen went dark and the machine went to sleep. I checked the computer, and the sleep options were already greyed out, i.e. the user can no longer change the sleep settings in any way.
Excellent result. I had found almost what I wanted.
I deleted these GPOs from Group Policy (without disabling them first), rebooted the computer again, and as a result the flash drive is visible and sleep mode is not applied.
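The link, remote refresh, verify, unlink cycle described above, as an added example (this is not the author's code; the post shows none). It assumes the GroupPolicy and ActiveDirectory RSAT modules on the server, WinRM enabled on the client, and a GPO already created in GPMC that sets "Removable Disks: Deny all access"; the GPO name, OU and computer name are placeholders. Instead of watching the flash drive by eye, it polls the registry key that particular policy writes on the client and measures how many seconds pass until the setting lands.

```powershell
# Added example: reproduce the link -> remote gpupdate -> verify -> unlink test with the GroupPolicy RSAT module.
Import-Module GroupPolicy

$GpoName  = 'Block Removable Disks'        # assumed: GPO created in GPMC with "Removable Disks: Deny all access"
$TargetOu = 'OU=Test,DC=corp,DC=example'   # assumed: OU that contains the test computer
$Computer = 'PC-TEST01'                    # assumed: the test PC

# Registry key the "Removable Disks: Deny all access" computer policy writes on the client.
# The GUID is the Removable Disks device class used by the Removable Storage Access policies.
$RemDiskKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Test-RemovableDiskDenied {
    param([string]$ComputerName)
    # $true if the client currently has Deny_All=1 under the policy key; $false if the key or value is absent.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key)
        $v = Get-ItemProperty -Path $Key -Name Deny_All -ErrorAction SilentlyContinue
        [bool]($v -and $v.Deny_All -eq 1)
    } -ArgumentList $RemDiskKey
}

function Invoke-PolicyRefreshAndWait {
    param([string]$ComputerName, [bool]$ExpectDenied, [int]$TimeoutSec = 120)
    # Invoke-GPUpdate creates a scheduled task on the target that runs gpupdate, so the refresh is not
    # instantaneous. Its default random delay is up to 10 minutes; set it to 0 for a test.
    # -Target Computer refreshes only the computer half of policy, which is where this setting lives.
    Invoke-GPUpdate -Computer $ComputerName -Target Computer -Force -RandomDelayInMinutes 0
    $sw = [Diagnostics.Stopwatch]::StartNew()
    while ($sw.Elapsed.TotalSeconds -lt $TimeoutSec) {
        if ((Test-RemovableDiskDenied -ComputerName $ComputerName) -eq $ExpectDenied) {
            return [int]$sw.Elapsed.TotalSeconds   # seconds from the refresh command until the client matched
        }
        Start-Sleep -Seconds 1
    }
    throw "Client $ComputerName did not reach the expected state within $TimeoutSec s"
}

# 1. Link the GPO to the OU (link enabled), force a refresh, measure the delay until Deny_All appears.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
$applyDelay = Invoke-PolicyRefreshAndWait -ComputerName $Computer -ExpectDenied $true
"Policy applied on $Computer after $applyDelay s"

# 2. Unlink and refresh again. Settings under the Policies keys are true policies, so the client
#    removes them when the GPO no longer applies; that is why the flash drive becomes readable again.
Remove-GPLink -Name $GpoName -Target $TargetOu | Out-Null
$removeDelay = Invoke-PolicyRefreshAndWait -ComputerName $Computer -ExpectDenied $false
"Policy removed on $Computer after $removeDelay s"

# 3. Resultant Set of Policy for the computer, as a second opinion on what actually applied.
Get-GPResultantSetOfPolicy -Computer $Computer -ReportType Html -Path "$env:TEMP\$Computer-rsop.html"
```

Run it from the domain controller or any management host with RSAT as a domain admin. Invoke-GPUpdate needs the remote scheduled-task firewall rules open on the client, Invoke-Command needs WinRM, and Get-GPResultantSetOfPolicy needs the WMI firewall rules; if a step hangs, that is the first thing to check. The same pattern works for the sleep-timeout policy by polling its key under HKLM:\SOFTWARE\Policies\Microsoft\Power instead.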
At this stage I could have stopped, but that wasn't enough for me.
I removed the machine from the domain, cleaned up the computer and prepared Windows for capture into an ISO. I wrote the finished ISO file to a flash drive and began installing this image.
Windows was installed together with the software I had put on it; I reactivated Windows and Office, joined the computer to the domain again and checked the application of policies as described above.
The result is the same: policies are applied after 15 seconds. Only one thing annoys me: why not immediately, but after 15 seconds. Okay, I'll figure it out later.
I saved the ISO to the cloud and went to drink a Hershey. You can't drink beer at work.
Then I decided to do the same with Windows 10, on the socket 1155 hardware. I downloaded Windows version 1809, because it is considered the fastest and most stable. I hadn't installed the updates yet. I installed the software again, joined the domain again, applied the policies, and then I was disappointed: the GPOs were not being applied.
I installed the latest updates, add-ons, etc. Again, nothing at all.
After a reboot everything is fine: the policies applied. But that is not what I want. It turned out that with Windows 10 things are not so simple.
OK. I took another computer, the socket 1151 one, downloaded Windows version 22H2, didn't install the software yet, and joined the machine to the domain. The result: nothing. I also installed the latest updates, add-ons, etc. Another failure. On top of that, both Windows 10 machines strangely refused to see the server's SYSVOL and NETLOGON folders.
I already wanted to give up on the idea, but my inner voice screamed that if you give up on everything, you're not a man. Back to surfing the Internet.
Okay, in short, I figured it out and found the problems. I configured both Windows 10 machines, set everything up, and joined both machines to the domain again.
I gave the command to apply the GPO. And happiness knows no bounds! The policies applied just fine. I rebooted both machines. I applied the policies again. Everything works again. But on the Windows 10 machines the delay in applying policies is only 1-2 seconds.
Then again: the full set of software, leaving the domain, capturing the ISO, installing the new images, joining the domain and checking. Everything works. Just like in American films: we did it!
The ISOs are saved in the cloud. Now I have 3 ready-made Windows images: one Seven and two Tens of different versions.
Remember that in the previous article I wrote that I apply policies on only 3 machines? That's because I installed these ready-made Windows images on those computers. Two Tens and one Seven.
I tested a harmless policy on users. Everything worked great. I've stopped at this for now.
How to prepare the operating systems and the server so that such policies work is in the next part.
I'll try everything again on my spare computers and then finally post the rest.
Thanks everyone and good luck!