How to access/Update Group Policy Objects using C sharp

Hi,

We are referring below link to access group policies programmatically using c sharp.

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/wmi_v2/class-library/gpo-class-microsoft-grouppolicy

This is sample code which we have written to access GPO Object. We are able to access the object successfully but not able to access the policies .

We are aiming to access the polices which comes under computer configuration and user configuration.

Specifically we want to update Account Policies ,Local Policies.

GPDomain _gpDomain = new GPDomain(); Gpo gpoTarget = _gpDomain.GetGpo(gpo.DisplayName); ComputerConfiguration computer = gpoTarget.Computer; PolicySettings policySettings = computer.Policy; PolicyRegistrySetting policyRegistrySetting = new PolicyRegistrySetting(); RegistryPolicy registryPolicy = policySettings.GetRegistry(false); //string report= gpoTarget.GenerateReport(ReportType.Xml); // Get the type of the PolicySettings object Type policySettingsType = policySettings.GetType(); Type policySettingsType1 = registryPolicy.GetType();

GPPermissionCollection gPPermissions= gpoTarget.GetSecurityInfo();

1 answer

Jiale Xue - MSFT 34,831 Reputation points Microsoft Vendor

2024-05-08T12:30:22.03+00:00
Hi @Thakur, Apurva [EMR/SYSS/PSS/PUNE] , Welcome to Microsoft Q&A,

You seem to be overlooking the critical steps of accessing and updating the policy. In your code, you have successfully obtained the GPO object and the computer configuration, but you need to further access the policy object under the computer configuration and update it. Likewise, you need to do the same to access policies under User Configuration. Try the following code:

GPDomain _gpDomain = new GPDomain(); GPO gpoTarget = _gpDomain.GetGPO(gpo.DisplayName); //Access policies under computer configuration PolicySettings computerPolicySettings = gpoTarget.Computer.Policy; //Access policies under user configuration PolicySettings userPolicySettings = gpoTarget.User.Policy; // Example of updating local policy RegistryPolicy computerRegistryPolicy = computerPolicySettings.GetRegistry(true); RegistryPolicy userRegistryPolicy = userPolicySettings.GetRegistry(true); // Add or update registry policy under computer configuration RegistryPolicySetting computerRegistryPolicySetting = new RegistryPolicySetting("PathToRegistryKey", "RegistryValueName", "RegistryValueData"); computerRegistryPolicy.Set(computerRegistryPolicySetting); // Add or update registry policy under user configuration RegistryPolicySetting userRegistryPolicySetting = new RegistryPolicySetting("PathToRegistryKey", "RegistryValueName", "RegistryValueData"); userRegistryPolicy.Set(userRegistryPolicySetting); // save Changes gpoTarget.Save(); // Generate report string report = gpoTarget.GenerateReport(ReportType.Xml); // Get permission information GPPermissionCollection gPPermissions = gpoTarget.GetSecurityInfo();

Best Regards,

Jiale

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Thakur, Apurva [EMR/SYSS/PSS/PUNE] 0 Reputation points

2024-05-09T03:55:48.3966667+00:00

Actually I want to change so many policies but how can I find each n every registry key?

Jiale Xue - MSFT 34,831 Reputation points Microsoft Vendor

2024-05-09T08:45:12.8466667+00:00

To find and change multiple registry keys, you need to know the paths to those keys. Unfortunately, there's no easy way to discover these paths programmatically. Typically, you'll need to refer to Group Policy documentation or the Group Policy Editor to find the registry paths associated with the policies you want to change.

Here's how you can find the registry paths associated with specific group policies:

Using Group Policy Editor (gpedit.msc):

Open Group Policy Editor by typing gpedit.msc in the Run dialog (Windows Key + R) and press Enter.

Navigate to the policy you want to change.

Once you've selected the policy, the associated registry path is displayed in the policy's properties.

Group Policy Reference Spreadsheet:

Microsoft provides a spreadsheet that lists all group policy settings and their associated registry keys. You can download it from the Microsoft website. Here is the link.

Thakur, Apurva [EMR/SYSS/PSS/PUNE] 0 Reputation points

2024-05-14T04:59:51.6533333+00:00

Hello thank you for the excel.

1)But i want to update the registries of Group policy object .Refer below Snapshot

As you can see in attached image .there is group policy object name "New Group Policy Object". I have to update this objects policy like password age, Complexity, length, Screen Saver Time. so how can I do this using code.

2)I have also gone through the excel which you shared but unfortunately this is for local group policy. and changing the registry is not reflecting ON GUI of local group policy but when I am changing from the GUI it is affecting in registry. Please refer below snapshot.

Refer below snapshot. here I have made changes in registry. restarted the device but still not reflecting on GUI of local group policy.

3)As you have mentioned in your excel that not registry key for password and account lockout policies. so how we can change these settings?

Jiale Xue - MSFT 34,831 Reputation points Microsoft Vendor

2024-05-14T09:20:01.89+00:00

Update the registry of the Group Policy Object

Based on your description, you want to update the password policy (password age, complexity, length) and screen saver time in the Group Policy Object. Here is a sample code that demonstrates how to update these policies:

GPDomain _gpDomain = new GPDomain(); GPO gpoTarget = _gpDomain.GetGPO("New Group Policy Object"); //Access policies under computer configuration PolicySettings computerPolicySettings = gpoTarget.Computer.Policy; //Access password policy PasswordPolicy computerPasswordPolicy = computerPolicySettings.GetPasswordPolicy(true); //Set password policy computerPasswordPolicy.MaximumPasswordAge = TimeSpan.FromDays(90); //The maximum password age is 90 days computerPasswordPolicy.MinimumPasswordLength = 8; // The minimum password length is 8 characters computerPasswordPolicy.PasswordComplexity = true; // Enable password complexity requirements //Access screensaver policy ScreenSaverPolicy screenSaverPolicy = computerPolicySettings.GetScreenSaverPolicy(true); // Set screen saver time in seconds screenSaverPolicy.ScreenSaverTimeout = TimeSpan.FromMinutes(15).TotalSeconds; // save Changes computerPolicySettings.Save(); // Generate report string report = gpoTarget.GenerateReport(ReportType.Xml); // Get permission information GPPermissionCollection gPPermissions = gpoTarget.GetSecurityInfo();

GUI for updating local group policy does not reflect registry changes

If you change values in the registry, but the GUI for Local Group Policy does not reflect those changes, this may be due to Group Policy caching. You can force a group policy update by following these steps:

Open a command prompt (run as administrator).

Run the following command in the command prompt:

gpupdate /force

This will force a refresh of the local group policy and apply the changes in the registry.

Change password and account lockout policy

For password and account lockout policies, you can use the following code to update them:

//Access policies under computer configuration PolicySettings computerPolicySettings = gpoTarget.Computer.Policy; //Access password and account lockout policy AccountLockoutPolicy accountLockoutPolicy = computerPolicySettings.GetAccountLockoutPolicy(true); //Set password and account lockout policies accountLockoutPolicy.AccountLockoutDuration = TimeSpan.FromMinutes(15); // Account lockout duration is 15 minutes accountLockoutPolicy.AccountLockoutThreshold = 3; //The account lockout threshold is 3 times accountLockoutPolicy.ResetLockoutCounterAfter = TimeSpan.FromMinutes(15); //Reset lock counter after 15 minutes // save Changes computerPolicySettings.Save();

This will update the password and account lockout policy. You can adjust the duration, threshold, and time to reset the lock counter as needed.

Thakur, Apurva [EMR/SYSS/PSS/PUNE] 0 Reputation points

2024-05-15T05:42:52.79+00:00

Hi,

Thank you for the code in response 1 but the namespace which I have used is "using Microsoft.GroupPolicy" and under this namespace no such functionality is available.

can you also share the namespace which you have used.?

and also for response 2 I am able to see the changes in registry when changed in GUI but making the changes in registry is not reflecting on GUI not using gpupdate /force command

Jiale Xue - MSFT 34,831 Reputation points Microsoft Vendor

2024-05-17T09:20:50.5133333+00:00

using System; using Microsoft.GroupPolicy; public class GpoExample { public static void Main(string[] args) { // Get domain and GPO objects GPDomain gpDomain = new GPDomain(); Gpo gpo = gpDomain.GetGpo("New Group Policy Object"); // Get computer configuration registry policy GpoRegistryPolicy computerPolicy = gpo.GetComputerRegistryPolicy(); // Example of setting password policy computerPolicy.SetRegistryStringValue(@"Software\Microsoft\Windows\CurrentVersion\Policies\System", "MaximumPasswordAge", "90"); computerPolicy.SetRegistryStringValue(@"Software\Microsoft\Windows\CurrentVersion\Policies\System", "MinimumPasswordLength", "8"); computerPolicy.SetRegistryStringValue(@"Software\Microsoft\Windows\CurrentVersion\Policies\System", "PasswordComplexity", "1"); //Set the screen saver time (example is 900 seconds, which is 15 minutes) computerPolicy.SetRegistryStringValue(@"Software\Policies\Microsoft\Windows\Control Panel\Desktop", "ScreenSaveTimeOut", "900"); // save Changes gpo.Save(); } }

Changes made in the registry will not be reflected on the GUI, which is normal, you need to modify the refresh speed of your GUI.
Sign in to comment

Share via

How to access/Update Group Policy Objects using C sharp

1 answer