Set a registry key value from the command line using Group Policy PowerShell cmdlets

The scene: You want to set a registry key of a third-party application but you don’t want to write a custom ADMX file just to be able to configure it. Or you have some registry keys you set in logon scripts and you want to use the update interval of Group Policy to make sure that value sticks. Or you want to set 50 registry keys and you don’t want to do it all manually. Any of these scenarios leads to using the Set-GPRegistryValue PowerShell cmdlet that ships as part of the Windows Server 2008 R2 GPMC. Here’s the step by step:

How To: Configure a registry key value in a GPO from the PowerShell command line

1. Open the PowerShell prompt

There are 2 options for this: the standard PowerShell prompt and the shortcut to the Active Directory provider.

The PowerShell prompt needs to be opened with elevated permissions in order to run any of the cmdlets, just as it requires administrative privilege to do any administration of GPOs through the GPMC.

The shortcut to the Active Directory provider is located in the Start Menu, or just search for “Active Directory” from the Run prompt.

2. Import-Module GroupPolicy -Verbose [note: this may be “add-module” in the beta build]

-Verbose lets you see all of the available GP cmdlets as the module loads. You can also get this list via the Get-Command cmdlet:

Get-Command *-GP*

These 25 cmdlets are available on any machine with the Windows Server 2008 R2 GPMC (that includes Windows 7 client machines with the GPMC installed through RSAT). (If this errors, you probably have not added Group Policy as a feature on your server, or you have not installed the GPMC on your client machine.) If you don’t want the full printout, just drop the -Verbose flag. This Import-Module line must be present at the start of any PowerShell script using the GP cmdlets and at the start of any PowerShell console session. The module is not loaded automatically.

3. Set a registry key value using the Group Policy set-GPRegistryValue cmdlet

Here it is; now let’s walk through it:

Set-GPRegistryValue -Name <name of gpo> -Key "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\InstallPath" -ValueName "(Default)" -Value "C:\ProgramFiles(x86)\Adobe\Reader8.0\Reader" -Type String

To reference the help for this cmdlet, run Get-Help Set-GPRegistryValue, or Set-GPRegistryValue -?. This will help you understand what is required, what each of the parameters is expecting, and what you are doing.

First up, refer to the GPO by its display name or its GUID with the appropriate parameter (-Name or -GUID).

Set-GPRegistryValue -Name <name of gpo> -Key "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\InstallPath" -ValueName "(Default)" -Value "C:\ProgramFiles(x86)\Adobe\Reader8.0\Reader" -Type String

The rest of the parameters correspond to the fields of regedit.

Key refers to the key name (right-click on the node in the left-hand panel of regedit and select “copy key name”).

ValueName refers to “Name” (first column in the right-hand panel). This is the name of the value you are setting (get it? Value Name = name of the value). If you are setting the (Default) value, this name is either “” or “(Default)”, case insensitive.

Type refers to “Type”, as in data type. Friendly English words are acceptable here, like “string” instead of “reg_sz”.

Value refers to “Data”: the value you want to set. You cannot say “enable” or “disable”; you have to use the actual value to be written into the registry. This cmdlet is writing to the registry. This is not a parser, so you have to know what you want.

Why the disparity? There are lots of ways to refer to registry values (registry keys or registry settings or settings or policy settings or…), so we created a nomenclature that would make the most sense.

But once you do it, that’s it: you just set a registry value in a GPO without having to create your own ADMX file.

So here goes, once more for good measure:

Set-GPRegistryValue -Name <name of gpo> -Key "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\InstallPath" -ValueName "(Default)" -Value "C:\ProgramFiles(x86)\Adobe\Reader8.0\Reader" -Type String

Note: For further experimentation, there are some intricacies here with “Remove”, which has a different result than the -Disable flag. This is all explained in the help.
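
For the “50 registry keys” case from the intro, here is a sketch that goes one step past the single command above: it applies a list of values to one GPO and reads each one back with Get-GPRegistryValue, so a typo'd key or a failed write shows up before the GPO reaches every machine in scope. This is an added example, not code from the original post; the GPO name, the ExampleVendor keys and all values are constructed placeholders.

```powershell
# Added example, not from the original post. GPO name, keys and values are
# constructed placeholders; substitute your own before running.
Import-Module GroupPolicy

$gpoName = 'Example-App-Settings'   # assumed: an existing GPO you can edit

# Constructed sample data: one row per registry value the GPO should manage.
$settings = @(
    @{ Key = 'HKCU\Software\ExampleVendor\ExampleApp'; ValueName = 'CheckForUpdates'; Type = 'DWord';  Value = 0 }
    @{ Key = 'HKCU\Software\ExampleVendor\ExampleApp'; ValueName = 'HomePage';        Type = 'String'; Value = 'https://intranet.example.test/' }
    @{ Key = 'HKLM\Software\ExampleVendor\ExampleApp'; ValueName = 'LogLevel';        Type = 'DWord';  Value = 2 }
)

$results = foreach ($s in $settings) {
    # The cmdlet only accepts keys in the machine or user hive; catch typos early.
    if ($s.Key -notmatch '^(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\') {
        Write-Warning "Skipping '$($s.Key)': key must be under HKLM or HKCU."
        continue
    }
    try {
        Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.ValueName `
            -Type $s.Type -Value $s.Value -ErrorAction Stop | Out-Null

        # Read the setting back out of the GPO and compare it with the request.
        $actual = Get-GPRegistryValue -Name $gpoName -Key $s.Key `
            -ValueName $s.ValueName -ErrorAction Stop
        # Defensive: strip any trailing NUL before comparing string data.
        $actualValue = "$($actual.Value)".TrimEnd([char]0)

        [pscustomobject]@{
            Key       = $s.Key
            ValueName = $s.ValueName
            Expected  = $s.Value
            Actual    = $actualValue
            Match     = ($actualValue -eq "$($s.Value)")
        }
    }
    catch {
        Write-Warning "Failed on $($s.Key)\$($s.ValueName): $($_.Exception.Message)"
    }
}

# Anything listed here did not land in the GPO as requested.
$results | Where-Object { -not $_.Match } | Format-Table -AutoSize
```

Run it from the same elevated prompt as the steps above; an empty table at the end means every value read back as requested.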

Go! Experiment! Impress your friends and family with your new-found power. Be the PowerShell expert with your Group Policy friends (I dare you).

Lilia Gutnik, Group Policy PM