Managing Group Policy is essential for system administrators who aim to maintain configuration and security across Windows environments. However, there are times when resetting the local Group Policy Objects (GPOs) to their default settings becomes necessary. In this blog post, I’ll share a PowerShell script I developed to automate and simplify this process.

Group Policy allows administrators to centrally manage settings and configurations for users and computers within a Windows domain. While Group Policy offers powerful capabilities, there are instances where resetting the local GPOs to their original state is necessary. This can be particularly useful for troubleshooting configuration issues or reverting extensive changes.

In this post, I’ll discuss a PowerShell script named Reset-GroupPolicy.ps1 that automates this task. The script deletes the local GPOs, forces a Group Policy update, and logs the action in the Event Viewer.

Why Reset Group Policy?

There are several reasons why you might want to reset local Group Policy Objects:

  • Troubleshooting: Corrupt or incorrect Group Policy settings can cause issues. Resetting can help resolve these problems.
  • Restoring Default Configuration: If you’ve made changes that are no longer needed, resetting GPOs can restore default settings.
  • Security: Removing outdated or insecure policy settings helps ensure the system remains secure.

Here is the script we’ll be discussing:

<#
.SYNOPSIS
This script resets the local group policy objects to their default state.

.DESCRIPTION
Reset-GroupPolicy.ps1 will delete the local group policy objects and force a group policy update. It will also log an event to the Event Viewer indicating the reset has been completed.

.PARAMETER Help
Show the help message.

.EXAMPLE
.\Reset-GroupPolicy.ps1 -Verbose

This example will run the script with verbose logging enabled.

.EXAMPLE
.\Reset-GroupPolicy.ps1 -Help

This example will display the help message.
#>

[CmdletBinding()]
param (
    [switch]$Help
)

function Write-VerboseLog {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [string]$Message
    )
    
    Write-Verbose $Message
}

function Show-Help {
    $helpText = @"
Reset-GroupPolicy.ps1 [-Verbose] [-Help]

-Verbose : Enable verbose logging
-Help    : Show this help message
"@
    Write-Host $helpText
}

if ($Help) {
    Show-Help
    exit
}

try {
    if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "This script must be run as Administrator."
    }

    Write-VerboseLog "Resetting group policy for users..."
    Remove-Item -Path "${env:windir}\System32\GroupPolicyUsers" -Recurse -Force -ErrorAction SilentlyContinue

    Write-VerboseLog "Resetting group policy..."
    Remove-Item -Path "${env:windir}\System32\GroupPolicy" -Recurse -Force -ErrorAction SilentlyContinue

    Write-VerboseLog "Updating group policy..."
    Invoke-Expression -Command 'gpupdate /force'

    Write-VerboseLog "Writing event to Event Viewer..."
    $EventLog = New-Object -TypeName System.Diagnostics.EventLog -ArgumentList "Application"
    $EventLog.Source = "ResetGroupPolicy"
    $EventLog.WriteEntry("Group policy reset successfully.", [System.Diagnostics.EventLogEntryType]::Information)

    Write-VerboseLog "Group policy reset complete."
} catch {
    Write-Host "Error: $($_.Exception.Message)"
    exit 1
}

Script Explanation

Let’s walk through the script step-by-step to understand how it works and what each part does.

Parameters

The script accepts the following parameters:

  • -Verbose: Enables detailed logging, providing more insight into what the script is doing during execution.
  • -Help: Displays the help text with information on how to use the script.

Functions

The script contains two main functions:

1. Write-VerboseLog: This function uses Write-Verbose to display detailed messages when the -Verbose parameter is enabled. This is useful for debugging and tracking the script’s execution.

function Write-VerboseLog {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [string]$Message
    )
    
    Write-Verbose $Message
}

2. Show-Help: This function displays the help text when the user invokes the -Help parameter.

function Show-Help {
    $helpText = @"
Reset-GroupPolicy.ps1 [-Verbose] [-Help]

-Verbose : Enable verbose logging
-Help    : Show this help message
"@
    Write-Host $helpText
}

Main Logic

The main logic of the script performs the following steps:

1. Administrator Check: The script verifies that it is being run with administrator privileges. Without these rights, the script cannot make the necessary changes.

if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "This script must be run as Administrator."
}

2. Resetting Group Policy:

  • Removing GroupPolicyUsers: Deletes the local GPOs for users.
  • Removing GroupPolicy: Deletes the general local GPOs.
  • Forcing Group Policy Update: Executes gpupdate /force to immediately update Group Policy settings.

Write-VerboseLog "Resetting group policy for users..."
Remove-Item -Path "${env:windir}\System32\GroupPolicyUsers" -Recurse -Force -ErrorAction SilentlyContinue

Write-VerboseLog "Resetting group policy..."
Remove-Item -Path "${env:windir}\System32\GroupPolicy" -Recurse -Force -ErrorAction SilentlyContinue

Write-VerboseLog "Updating group policy..."
Invoke-Expression -Command 'gpupdate /force'

3. Logging the Action: The script writes an informational event to the Event Viewer to indicate that the Group Policy reset was successful.

Write-VerboseLog "Writing event to Event Viewer..."
$EventLog = New-Object -TypeName System.Diagnostics.EventLog -ArgumentList "Application"
$EventLog.Source = "ResetGroupPolicy"
$EventLog.WriteEntry("Group policy reset successfully.", [System.Diagnostics.EventLogEntryType]::Information)

4. Error Handling: If an error occurs during script execution, it is caught and displayed to the user.

catch {
    Write-Host "Error: $($_.Exception.Message)"
    exit 1
}
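
A hardened variant of the main logic, as an added example that is not the author's script: it backs up both folders before deleting them, lets deletion errors surface instead of suppressing them with -ErrorAction SilentlyContinue (which allows the success event to be written even when nothing was removed), and logs a failure event as well. The $BackupRoot location and the event IDs 1000/1001 are assumptions made for this example, and it targets Windows PowerShell 5.1.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: backup location chosen for this example.
    [string]$BackupRoot = "$env:ProgramData\GpoResetBackup"
)

$ErrorActionPreference = 'Stop'          # copy/delete failures become catchable
$source  = 'ResetGroupPolicy'            # same event source name as the script above
$targets = 'GroupPolicyUsers', 'GroupPolicy' |
    ForEach-Object { Join-Path $env:windir "System32\$_" }

# Register the event source up front so a failure can be logged as well.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    [System.Diagnostics.EventLog]::CreateEventSource($source, 'Application')
}

try {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($path in $targets) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Verbose "$path not present, nothing to reset."
            continue
        }
        $dest = Join-Path (Join-Path $BackupRoot $stamp) (Split-Path $path -Leaf)
        if ($PSCmdlet.ShouldProcess($path, "Back up to $dest, then delete")) {
            New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
            Copy-Item -LiteralPath $path -Destination $dest -Recurse -Force
            Remove-Item -LiteralPath $path -Recurse -Force
        }
    }

    if ($PSCmdlet.ShouldProcess('local computer', 'gpupdate /force')) {
        # Call the binary by full path; Invoke-Expression is not needed.
        & "$env:windir\System32\gpupdate.exe" /force
        if ($LASTEXITCODE -ne 0) { throw "gpupdate exited with code $LASTEXITCODE" }

        [System.Diagnostics.EventLog]::WriteEntry($source,
            "Local group policy reset. Backup: $BackupRoot\$stamp",
            [System.Diagnostics.EventLogEntryType]::Information, 1000)  # constructed ID
    }
} catch {
    [System.Diagnostics.EventLog]::WriteEntry($source,
        "Local group policy reset failed: $($_.Exception.Message)",
        [System.Diagnostics.EventLogEntryType]::Error, 1001)            # constructed ID
    Write-Host "Error: $($_.Exception.Message)"
    exit 1
}
```

Running it with -WhatIf lists the folders that would be backed up and deleted without changing anything.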

Usage Examples

Here are some examples of how you can use the script:

1. Run Script with Verbose Logging

This command executes the script and displays detailed log messages, which is helpful for tracking the execution process.

.\Reset-GroupPolicy.ps1 -Verbose

2. Display Help Text

If you want more information about the available parameters and how to use the script, you can use the help option.

.\Reset-GroupPolicy.ps1 -Help

The Reset-GroupPolicy.ps1 PowerShell script provides an efficient and reliable way to reset local Group Policy Objects to their default settings. By using this script, system administrators can quickly resolve issues and ensure that Group Policy configurations remain clean and up-to-date.

The script is easy to use, supports verbose logging for detailed output, and logs the performed actions in the Event Viewer for future reference. If you regularly manage Group Policy on Windows systems, this script can be a valuable addition to your toolkit.
