In this article, we will look at how to use Group Policy (GPO) to centrally create, modify, import and delete registry keys on domain-joined computers.
Classic GPOs had no built-in feature for managing registry parameters. Administrators therefore had to create their own administrative .adm/.admx templates, or bat files for logon scripts (the .reg file is imported using the
reg import command), to manage registry keys and parameters centrally through GPO.
In Windows Server 2008, Microsoft introduced a Group Policy extension called Group Policy Preferences (GPP). A dedicated section appeared in the Group Policy console that allows administrators to configure (create / edit / delete) any registry parameter or key and deploy this setting to all domain computers. Let's look at these features in detail.
Suppose you need to change, on the computers in a specific AD organizational unit (OU), the value of the SearchOrderConfig parameter in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching. There are two ways to set a registry parameter on target computers: using the remote registry browser built into the GPP console, or manually by specifying the path to the registry key, the parameter name and the value.
Remote Registry Browser in GPO
Let's start with the first method:
- Open the Group Policy Management console (gpmc.msc);
- Create a new (or edit an existing) GPO, link it to the required container (OU) in AD with the computers (or users) on which you want to deploy the registry key, and switch to policy edit mode;
- Expand the GPO section Computer (or User) Configuration -> Preferences -> Windows Settings -> Registry and select New -> Registry Wizard in the context menu;
- The Registry Wizard allows you to connect to the registry on a remote computer and select an existing registry key;
- Specify the name of the remote computer you want to connect to;
Note. If the error The network path was not found appears when you try to connect to a computer through the Registry Browser, most likely the remote computer is turned off, access to it is blocked by a firewall, or the Remote Registry service is not started on it. To start the service manually, run these commands on the remote computer:
sc config remoteregistry start= demand
net start remoteregistry
- Using the Remote Registry browser, select all the registry parameters that you want to deploy through the GPO;
Note. This browser allows you to select on a remote computer only registry keys from the hives HKEY_LOCAL_MACHINE and HKEY_USERS. If you need to set keys contained in other registry hives, you need to install RSAT on the remote computer. Then run the gpmc.msc console on that computer and use the same procedure to select the required registry keys.
- In our example, I want to import only one registry parameter into the GPP: SearchOrderConfig;
- The specified registry entry is imported into the GPP console together with its registry path (a registry tree appears in the Group Policy console) and current value (0). Later you can change its value and the desired action (this is covered further below);
- Thus, you have created a Group Policy to deploy your registry key. The next time Group Policy settings are updated on the target computers, the value of the SearchOrderConfig registry parameter on them will change to 0 (if the policy does not apply on the client, you can use a diagnostic tool).
If this GPO is removed or unlinked from the AD container, or the target computer is moved to another OU, the value of the registry parameter won't return to its original (default) value (as is the case with the usual GPO policy settings).
How to Manually Create/Edit a Registry Key using Group Policy?
You can create, edit or remove the value of a specific registry parameter using GPP by specifying the registry key path and value manually.
- To do it, select Registry -> New -> Registry Item;
- Fill in the following fields according to the data of the registry parameter that you want to change: Hive, Key Path, Value Name, Value type, Value data;
- By default, a registry setting that is configured through the GPO is set to the Update mode.
Four types of actions are available in GPO for registry keys:
- Create – creates a registry key. If the parameter already exists, its value is not changed;
- Update (by default) – updates the value of an existing parameter according to the GPP. If the registry parameter does not exist, it will be created automatically (as well as the registry key in which it should be located);
- Replace – deletes the registry item and creates it anew (rarely used);
- Delete – deletes a registry key.
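The same Registry Item can be created from PowerShell with the GroupPolicy module instead of the console. This is an added example, not part of the original article; the GPO name and the OU distinguished name are assumptions to replace with your own.

```powershell
# Added example. Needs the GroupPolicy module (installed with GPMC/RSAT)
# and rights to create and link GPOs in the domain.
Import-Module GroupPolicy

# Assumed names for illustration only; replace with your own GPO and OU.
$GpoName  = 'GPP-Registry-SearchOrderConfig'
$TargetOu = 'OU=Workstations,DC=example,DC=com'

# Same fields as the Registry Item dialog: hive + key path, value name, type, data.
$Key       = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching'
$ValueName = 'SearchOrderConfig'

# Reuse the GPO if it already exists, otherwise create it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Link it to the OU unless a link is already there.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if ($links.GpoId -notcontains $gpo.Id) {
    New-GPLink -Guid $gpo.Id -Target $TargetOu | Out-Null
}

# -Action accepts Create, Update, Replace or Delete, the four actions listed above.
# -Context Computer puts the item under Computer Configuration -> Preferences.
Set-GPPrefRegistryValue -Guid $gpo.Id -Context Computer -Action Update `
    -Key $Key -ValueName $ValueName -Type DWord -Value 0 | Out-Null

# Read the preference item back from the GPO to confirm what will be deployed.
Get-GPPrefRegistryValue -Guid $gpo.Id -Context Computer -Key $Key -ValueName $ValueName

# On a target computer, after the next policy refresh (or gpupdate /force):
# Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching' -Name SearchOrderConfig
```

The Common tab options described next are not parameters of Set-GPPrefRegistryValue, so they still have to be set in the console.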
There are a number of other useful options on the Common tab:
- Run in logged-on user's security context (user policy option) – the registry key is created only in the current user's context (this is possible only for GPP in the user section of the GPO). If the user does not have administrator privileges, he won't be able to write anything to protected system registry keys;
- Remove this item when it is no longer applied – if the policy is no longer applicable to a client, the key is automatically deleted;
- Apply once and do not reapply – the policy is applied to a client (user or computer) only once. Later it won't be reapplied. If, after the GPO has been applied, the user manually changes the value of the registry parameter, the policy won't override it on the next policy update cycle;
- Item-level targeting – allows more precise targeting of the policy to clients (you can target the policy to a specific IP, subnet, computer name, computers with certain characteristics, i.e. you can configure policy enforcement similar to the ). For example, you can specify that the registry parameter must be applied to computers running Windows Server 2012 R2 in the AD OU named Servers.
Here is what the resulting report for a policy that changes one registry value looks like in the GPMC (Settings tab).
Import .reg file into GPO
GPP allows the administrator to easily import a .reg file with multiple registry settings into Group Policy. To do this, however, the reg file must be converted to the XML format (the Group Policy Editor allows you to import only files in XML format).
For example, you have a reference computer on which some settings are configured through the registry. You can export these settings to a REG file by right-clicking the registry key name in regedit.exe and selecting Export.
Save the registry key settings to the reg file.
If your reg file contains data from different registry hives (HKLM, HKCU, HK_CLASSES), you need to divide them into separate reg files.
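One way to do the per-hive split described above, as an added example that is not from the original article. The function name Split-RegFileByHive and the sample file contents are constructed for illustration.

```powershell
function Split-RegFileByHive {
    param(
        [Parameter(Mandatory)] [string] $Path,    # exported .reg file
        [Parameter(Mandatory)] [string] $OutDir   # where the per-hive files go
    )
    # regedit exports UTF-16 LE with a BOM, which Get-Content detects.
    $lines  = Get-Content -LiteralPath $Path
    $header = $lines | Where-Object { $_.Trim() } | Select-Object -First 1
    if ($header -notmatch '^(Windows Registry Editor Version 5\.00|REGEDIT4)$') {
        throw "Not a .reg file: $Path"
    }
    # Each section starts with [HKEY_...\path]; [-HKEY_...] marks a key deletion.
    $byHive = [ordered]@{}
    $hive   = $null
    foreach ($line in $lines) {
        if ($line -match '^\[-?(HKEY_[A-Z_]+)(\\|\])') {
            $hive = $Matches[1].ToUpper()
            if (-not $byHive.Contains($hive)) {
                $byHive[$hive] = [System.Collections.Generic.List[string]]::new()
            }
        }
        # Values and hex continuation lines belong to the current section.
        if ($hive) { $byHive[$hive].Add($line) }
    }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $base = [IO.Path]::GetFileNameWithoutExtension($Path)
    foreach ($h in $byHive.Keys) {
        $out = Join-Path $OutDir ("{0}_{1}.reg" -f $base, $h)
        @($header, '') + $byHive[$h].ToArray() |
            Set-Content -LiteralPath $out -Encoding Unicode
        [pscustomobject]@{ Hive = $h; File = $out; Lines = $byHive[$h].Count }
    }
}

# Constructed sample with two hives (the HKCU key and value are made up).
$sample = Join-Path $env:TEMP 'reference.reg'
@'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching]
"SearchOrderConfig"=dword:00000000

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"ExampleSetting"="1"
'@ | Set-Content -LiteralPath $sample -Encoding Unicode

Split-RegFileByHive -Path $sample -OutDir (Join-Path $env:TEMP 'reg-by-hive')
```

Each output file keeps the original header line, so it can be passed to the reg-to-XML conversion on its own.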
Next, you need to convert this REG file to the XML format. You can convert reg -> xml using the online service https://www.runecasters.com.au/reg2gpp or with the PowerShell script RegToXML.ps1: https://gallery.technet.microsoft.com/scriptcenter/Registry-To-GroupPolicyPref-9feae9a3.
The resulting XML file must be copied in File Explorer and pasted into the Registry section in the Group Policy editor.
As a result, all the registry settings that you imported will appear in the Group Policy console and will be applied to the target computers in the domain.