Recipe 9.10 Disabling the User or Computer Settings in a GPO

9.10.1 Problem

You want to disable either the user or computer settings of a GPO.

9.10.2 Solution Using a graphical user interface
  1. Open the GPMC snap-in.

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.

  3. Right-click on the target GPO and select GPO Status

  4. You can either select User Configuration Settings Disabled to disable the user settings or Computer Configuration Settings Disabled to disable the computer settings. Using VBScript
' This code can enable or disable the user or computer settings of a GPO.
strGPO      = "<GPOName>"        ' e.g. Sales GPO
strDomain   = "<DomainDNSName>"  ' e.g.
boolUserEnable = False
boolCompEnable = True
' ------ END CONFIGURATION ---------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants( )
' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
   WScript.Echo "Exiting."
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' You can comment out either of these if you don't want to set one:

objGPOList.Item(1).SetUserEnabled boolUserEnable
WScript.Echo "User settings: " & boolUserEnable

objGPOList.Item(1).SetComputerEnabled boolCompEnable
WScript.Echo "Computer settings: " & boolCompEnable

9.10.3 Discussion

GPOs consist of two parts, a user and a computer section. The user section contains settings that are specific to a user that logs into a computer, while the computer section defines settings that apply to the computer regardless of which user logs in. You can enable or disable either the user configuration or computer configuration sections of a GPO, or both. By disabling both, you effectively disable the GPO. This can be useful if you want to stop a GPO from applying settings to clients, but you do not want to delete it, remove the links, or clear the settings.

Disabling the user configuration or the computer configuration is useful in environments that have separate OUs for computers and users. Typically, you would disable the computer configuration for GPOs linked to the users' OU and vice versa. Disabling half the GPO in the way makes GPO processing more efficient and can reduce logon times. Using VBScript

First, I have to find the target GPO. To do this, I use a GPMSearchCriteria object to find the GPO that is equal to the display name of the GPO specified in the configuration section. I use an if elseif else conditional statement to ensure that only one GPO is returned. If zero or more than one are returned, I abort the script. If only one is returned, I call the SetUserEnabled and SetComputerEnable methods to either enable or disable the settings per the configuration.

9.10.4 See Also

MSDN: GPMGPO.SetUserEnabled and MSDN: GPMGPO.SetComputerEnabled

    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List