Managing Windows hosts with Group Policies and scripts without paid apps and a domain
Hi,
I’m Piere, I manage some standalone Windows systems for friends and family members, as VMs for Office use and some other stuff.
I don’t want to manage them through a domain because running a DC, VPNs and remote systems is so much work.
Therefore I sought a simpler solution for this.
I noticed that the Windows gpclient (Group Policy Agent) stores its local group policy at the following location: C:\Windows\System32\GroupPolicy. And I know a piece of software to synchronize those settings to other systems regardless of their network connectivity: Syncthing.
To access those folders the process needs to run as SYSTEM.
So I did the following:
- Download Syncthing for Windows (https://syncthing.net/downloads/).
- Extract it to C:\Windows\System32\config\systemprofile\syncthing
- Now add this executable as a task in the Task Scheduler
Establish Group Policy synchronization
For this I created a folder in the Task Scheduler library named IT Management.
I changed the user account the task runs as to SYSTEM, set it to ignore the power conditions, and set it to not stop.
Then I started the task. Here you can get the task config file you could import:
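The same task created from PowerShell instead of the Task Scheduler GUI, as an added example that is not part of the original post: it assumes the extraction path given above, and the task name and the `-no-browser` argument (a documented Syncthing option) are my choices. The last line exports the task XML you would otherwise import by hand.

```powershell
# Added example, not from the original post: register Syncthing as a scheduled
# task that runs as SYSTEM from an "IT Management" task folder, ignoring the
# power conditions and with no execution time limit, then start it and export
# the task XML for importing on other systems.
# Assumptions: Syncthing was extracted to the path from the post; the task name
# and the -no-browser flag are my choices.
#Requires -RunAsAdministrator

$SyncthingExe = 'C:\Windows\System32\config\systemprofile\syncthing\syncthing.exe'
$TaskPath     = '\IT Management\'
$TaskName     = 'Syncthing (SYSTEM)'

if (-not (Test-Path -LiteralPath $SyncthingExe)) {
    throw "syncthing.exe not found at $SyncthingExe"
}

# Running as SYSTEM there is no desktop to open a browser in.
$Action = New-ScheduledTaskAction -Execute $SyncthingExe -Argument '-no-browser' `
    -WorkingDirectory (Split-Path -Parent $SyncthingExe)

# Start at boot, independent of any user logging on.
$Trigger = New-ScheduledTaskTrigger -AtStartup

# SYSTEM is required to write into C:\Windows\System32\GroupPolicy.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# "Ignore power conditions" and "do not stop": a zero time limit disables the
# default 3-day limit; restart a few times if the process dies.
$Settings = New-ScheduledTaskSettingsSet `
    -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DontStopOnIdleEnd `
    -StartWhenAvailable -ExecutionTimeLimit ([TimeSpan]::Zero) `
    -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) `
    -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath `
    -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings -Force | Out-Null

Start-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath

# Verify what actually got registered. The principal is the security-relevant
# part: everything that lands in the synced GPO folder is applied with this authority,
# so keep the Syncthing web UI password-protected as described in the post.
$Task = Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath
"{0} runs as {1}, state {2}" -f $Task.TaskName, $Task.Principal.UserId, $Task.State

# The task XML, importable on other systems via "Import Task..." in the Task Scheduler.
Export-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath |
    Set-Content -LiteralPath "$env:USERPROFILE\Desktop\Syncthing-SYSTEM-task.xml" -Encoding Unicode
```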
After this the Syncthing web UI is accessible at http://localhost:8384. After logging in I declined the dialog to send usage data and deleted the default Sync folder. You get warned not to run Syncthing as SYSTEM; for our use case this is OK because it is intentional. To protect the settings I set up the web UI to require an admin account.
This is for the main system where the settings are configured and pushed out from. On the client systems this is not necessary, but for management purposes you could set the GUI Listen Address to a ZeroTier admin network and restrict in ZeroTier which admin PC may connect to those IPs. That way you can set up other folder syncs remotely if you wish.
After I configured all the systems with Syncthing and ZeroTier (only if you wish), I add them to the main system as trusted hosts.
Now I add the new folder to sync to all the clients, using the folder path for the GPOs I mentioned earlier, a descriptive Folder ID like “Group Policies”, a Folder Type of Send Only, and Ignore Permissions.
All clients then get a notification to add the main system to their trust list and to add the shared folder; accept it, use the same folder path, and set it to Receive Only and Ignore Permissions.
I also have some registry configurations I set with this method which the Local Group Policy Editor does not allow you to set; therefore I set these with a PowerShell script instead. It is just as easy as with the GUI, potentially easier.
Please be aware to set HKCU settings as a user logon script rather than a computer startup script.
If you click on Show Files you can see the folder the scripts are run from; place yours there.
Side note: to deploy applications I use winget and choco (Chocolatey) in PowerShell startup scripts.
To get reports and inventories from the clients, I sync back a folder from the system account which contains reports generated by PowerShell scripts running periodically, set up as a task through a PowerShell script.