Re: Apply registry setting.

From: Kevin Sullivan (ksullivan_at_NOSPAM.autoprof.com)
Date: 07/06/04

    Date: Tue, 6 Jul 2004 19:21:13 -0400
    
    

    A couple of things here "name"... First off there are a couple of different
    ways to manage registry settings via Group Policy and they will almost always
    come down to custom .adm templates, scripts or a Client Side Extension. .ADM
    templates are pretty easy but a bit convoluted and they simply add the
    registry setting to the editor in Group Policy and allow you to manage it.
    The setting needs to be converted to a .adm file and then loaded into the
    GPOE and then managed on the GPO itself.

    Second, you can write a script. There is a lot of registry functionality
    that can be accessed through WSH, then written into a VBScript or JScript and
    deployed through a logon, logoff or startup, shutdown script (depending on
    what you are trying to do).

    The Client Side Extension is the way to go and is truly Group Policy. We
    offer our registry Client Side Extension free of charge. Fully free. What it
    does is put into the GPOE (object editor) an extension to expose the
    management capabilities of the registry (in very simple terms). You can
    Create, Replace, Update or Delete registry keys, values etc. and you simply
    have to drill down to the key in question and put in the value and it will
    be deployed to everyone who falls into the scope of the GPO. Very easy UI to
    find registry keys etc. Additionally all AutoProf CSEs have a filter control
    that has about 25+ settings that can be applied to each policy.

    For example, imagine you have some issues with AD replication. There is a
    diagnostic value called 'Replication Events' that can be turned on to
    capture replication issues. These NTDS diagnostics are stored in
    HKLM\CCS\System\NTDS\Diagnostics and the value is '5 Replication Events'. If
    the data is a 0 there is no logging and a 5 is a ton of logging. I believe
    only odd numbers are valid but can't remember. Anyway, I want to turn
    diagnostics up to a level 3 for the domain controllers which are having
    issues. I can go to the Domain Controllers OU and create a new GPO or simply
    create an unlinked GPO with GPMC and drill down to 'User Settings' (we add
    this node) Registry and with the UI drill to the key
    HKLM\CCS\System\NTDS\Diagnostics choose Create, Replace, Update, or Delete
    and the value. Then I can add the filter to this reg key which can specify,
    for example "apply this registry value data to every system this GPO is
    applicable to that are within one of these three IP subnets". Then link the
    GPO to the target container, in this case the Domain Controllers OU. Collect
    data for a couple of hours and then in the same setting change to Update and
    set the data back to 0. The next Group Policy refresh cycle the logging
    setting will reset.

    The last thing to mention related to your original note is that Group
    Policies are not applied to groups. They are applied to users and computers
    that fall within the scope of the GPO (AD hierarchy). AutoProf solutions do
    have a 'security group' filter item but the actual target objects need to be
    in the path of the GPO.

    If interested email me offline and I can walk you through this. I am working
    on an evaluator's guide/quick start guide that will be available on our site
    shortly.

    Kevin Sullivan
    kevin@autoprof.com
    AutoProf...

    "name" <anonymous@discussions.microsoft.com> wrote in message
    news:275a901c4637c$ff853130$a501280a@phx.gbl...
    > I notice that more settings can be denied through the
    > registry than when using group policy. Is there a way to
    > apply a registry setting to a group policy.
    >
    > For example I can remove the search feature in IE through
    > regedit but I can't remove it through the GPO. Once I
    > have it removed through Regedit how do I then apply that
    > to all users in one group?
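
The script route mentioned in the reply, combined with the subnet filter from its replication-logging example, as an added example that is not part of the original post and is not AutoProf's code. It assumes the key abbreviated in the post expands to `SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics`, that the script runs as a computer startup script linked to the Domain Controllers OU, and the three subnets are constructed placeholders.

```powershell
# Added example (not from the original post). Run as a computer startup script.
param(
    [ValidateRange(0, 5)][int]$Level = 3,
    # Constructed placeholder subnets (documentation ranges); replace with your own.
    [string[]]$Subnets = @('192.0.2.0/24', '198.51.100.0/24', '203.0.113.0/24')
)

# Assumption: full form of the key the post abbreviates as HKLM\CCS\System\NTDS\Diagnostics.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ValueName = '5 Replication Events'

function ConvertTo-UInt32([System.Net.IPAddress]$Address) {
    $bytes = $Address.GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet([System.Net.IPAddress]$Address, [string]$Cidr) {
    $network, $prefix = $Cidr -split '/'
    # Mask with the top $prefix bits set, computed arithmetically to avoid signed shifts.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    $addr = ConvertTo-UInt32 $Address
    $net  = ConvertTo-UInt32 ([System.Net.IPAddress]::Parse($network))
    ($addr -band $mask) -eq ($net -band $mask)
}

# Only domain controllers have this key; do nothing anywhere else.
if (-not (Test-Path -Path $KeyPath)) { return }

$localIPv4 = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' }

$matched = $false
foreach ($ip in $localIPv4) {
    foreach ($cidr in $Subnets) {
        if (Test-InSubnet $ip $cidr) { $matched = $true }
    }
}

if ($matched) {
    # -Force overwrites an existing value, like the "Replace" action described above.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Level `
        -PropertyType DWord -Force | Out-Null
}
```

Run it again with `-Level 0` once the data has been collected; a value written by a script stays in the registry until something writes it back.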

