The Sysadmins

Tips and tricks from the Sysadmins

Category: Group Policy (page 2 of 2)

Group Policy Preferences – 1. Deploying Registry Settings

Group Policy Preferences allow you to deploy and modify registry settings quickly and easily. This post will run through a couple of examples to give you a starting point and some guidance for using this in your own environment. As with any Group Policy based changes, use a test Organizational Unit to confirm and test changes before making them live.

Example 1

You have made some changes to HKEY_LOCAL_MACHINE on a reference machine, and would like to deploy the same registry settings to an OU of computers.

1. Open the Group Policy Management Console

2. Right click Group Policy Objects and select New, then give the GPO a meaningful name. Creating it here does not link it to an OU, so it will not affect any computers or users yet. This is a good habit to get into: if you create the GPO at a live OU instead, any changes (and mistakes) are deployed the moment a computer or user in that OU happens to perform a Group Policy refresh while you are still editing. Always link the GPO later, once you have tested it.

3. Right click the New GPO, and select edit

4. Expand Computer Configuration, Preferences, Windows Settings and select Registry. Right click it and select New; you will be presented with 3 options.

  • Registry Item allows you to manually add or change a single registry entry
  • A Collection simply lets you organize registry preference items into a folder; this is useful if you need to apply item level targeting to a bunch of registry changes at once
  • Registry Wizard allows you to use the local machine as a reference, or connect to a remote machine, to add multiple entries; this is the method we will use in this example


When using the Registry Wizard against a remote computer, that computer must have the Remote Registry service running, otherwise you will be greeted with the error message “The network path was not found”.


To resolve this, enable the service on the remote machine from an elevated prompt with the following commands (note the space after the equals sign; sc.exe requires it):

sc config remoteregistry start= demand

(this sets the service to Manual; on client editions of Windows it is disabled by default)

net start remoteregistry

Remote Registry gives remote callers with suitable credentials read and write access to the machine's registry, so once the import is finished stop the service and set it back to Disabled rather than leaving it running on the reference workstation.
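As an added example (not from the original post), the same enable/disable steps in PowerShell, plus a check you can run from the GPMC machine before opening the wizard: it opens HKEY_LOCAL_MACHINE on the reference machine over the same remote registry (winreg) interface the wizard uses, so it fails with the same “network path was not found” error when the service is off. The computer name REF-PC01 is a placeholder.

```powershell
# Added example, not from the original post. Enable Remote Registry on the
# reference machine only for the duration of the wizard import, verify from the
# GPMC workstation that the remote hive can be opened, and turn it off again.
# Run Enable-/Disable-RemoteRegistry elevated on the reference machine;
# run Test-RemoteRegistry from the machine where you run the GPMC.

function Enable-RemoteRegistry {
    # Same effect as: sc config remoteregistry start= demand / net start remoteregistry
    Set-Service -Name RemoteRegistry -StartupType Manual
    Start-Service -Name RemoteRegistry
}

function Disable-RemoteRegistry {
    # Put it back once the import is done so no remote registry access is left behind.
    Stop-Service -Name RemoteRegistry
    Set-Service -Name RemoteRegistry -StartupType Disabled
}

function Test-RemoteRegistry {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        # Remote winreg call; throws "The network path was not found" when the
        # Remote Registry service is not running (or the host is unreachable).
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $sub = $hklm.OpenSubKey('SOFTWARE')
        $ok  = $null -ne $sub
        if ($sub) { $sub.Close() }
        $hklm.Close()
        return $ok
    } catch {
        Write-Warning "$ComputerName : $($_.Exception.Message)"
        return $false
    }
}

$Reference = 'REF-PC01'   # placeholder name of the reference machine
if (Test-RemoteRegistry -ComputerName $Reference) {
    "Remote Registry reachable on $Reference; run the Registry Wizard against it now."
} else {
    "Enable Remote Registry on $Reference (Enable-RemoteRegistry) and retry."
}
```

Test-RemoteRegistry needs the same credentials the wizard will use (local Administrators on the reference machine), so run it from the account you will run the GPMC with; a success here and a failure in the wizard usually points at a firewall rather than the service.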


It will then allow you to select items from HKEY_LOCAL_MACHINE and HKEY_USERS on the remote machine. If you need other areas of the registry (HKEY_CURRENT_USER, for example), install the Remote Server Administration Tools onto the reference computer, add the Group Policy Management Console via Programs and Features, Turn Windows features on or off, and run the same wizard on the reference machine's own console against its local registry to import the relevant items.

RSAT for Windows 7
RSAT for Windows 8

In this example we’re okay, as we want to pull settings from the HKEY_LOCAL_MACHINE.

5. Browse to the required location and tick the required keys and values to import into the GPP. Click Finish.


6. Now you can expand the entries imported with the wizard to review them. The Common tab options are available as usual with Group Policy Preferences: right click an entry, select Properties, then choose the Common tab. By default the entries are set to the Update action.


If you ever notice that the Hive column isn't populated after the import, double click the entry (or right click and select Properties) and, without changing anything, click OK; this populates the hive. I've only seen this a couple of times, but if it isn't populated the setting won't be deployed, so it's worth checking the column before you link the GPO.
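As an added example (not from the original post), here is a PowerShell check for that symptom that does not rely on eyeballing the console: GPP registry items are stored in SYSVOL as Registry.xml under the GPO's Machine\Preferences\Registry (or User\...) folder, and an item with an empty hive shows up there as hive="". The function below lists every item with its action, hive, key and data and flags the empty ones. The GPO name and the sample XML are constructed for the example; Get-GPO needs the GroupPolicy RSAT module.

```powershell
# Added example, not from the original post. Lists the Registry preference items a
# GPO stores in SYSVOL (Registry.xml) and flags any whose hive attribute is empty;
# such items are not deployed. Get-GPO needs the GroupPolicy RSAT module; the GPO
# name and the sample XML are constructed for this example.

$ActionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }   # action codes used in Registry.xml

function Get-GppRegistryXmlPath {
    # SYSVOL location of a GPO's Registry.xml for the Computer (Machine) or User side.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [ValidateSet('Machine', 'User')][string]$Side = 'Machine'
    )
    $gpo = Get-GPO -Name $GpoName
    "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\$Side\Preferences\Registry\Registry.xml"
}

function Get-GppRegistryItem {
    # Walk every <Registry> element, including those nested inside <Collection> folders.
    param([Parameter(Mandatory)][xml]$Xml)
    foreach ($node in $Xml.SelectNodes('//Registry')) {
        $p = $node.SelectSingleNode('Properties')
        [pscustomobject]@{
            Item        = $node.GetAttribute('name')
            Action      = $ActionNames[$p.GetAttribute('action')]
            Hive        = $p.GetAttribute('hive')
            Key         = $p.GetAttribute('key')
            ValueName   = $p.GetAttribute('name')
            Type        = $p.GetAttribute('type')
            Data        = $p.GetAttribute('value')
            HiveMissing = [string]::IsNullOrEmpty($p.GetAttribute('hive'))
        }
    }
}

# Constructed sample in the shape the wizard writes (attributes trimmed to the ones
# used here); the item inside the collection shows the empty-hive symptom.
[xml]$sample = @'
<RegistrySettings>
  <Registry name="EnableLUA">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
                name="EnableLUA" type="REG_DWORD" value="00000001"/>
  </Registry>
  <Collection name="Printing">
    <Registry name="EnableBalloonNotificationsLocal">
      <Properties action="U" hive="" key="Printers\Settings"
                  name="EnableBalloonNotificationsLocal" type="REG_DWORD" value="00000000"/>
    </Registry>
  </Collection>
</RegistrySettings>
'@

Get-GppRegistryItem -Xml $sample | Format-Table -AutoSize
Get-GppRegistryItem -Xml $sample | Where-Object { $_.HiveMissing } |
    ForEach-Object { Write-Warning "No hive on item '$($_.Item)'; it will not be deployed." }

# Against a real GPO (the GPO name is a placeholder):
# [xml]$real = Get-Content -Path (Get-GppRegistryXmlPath -GpoName 'Registry Settings Test') -Raw
# Get-GppRegistryItem -Xml $real | Where-Object { $_.HiveMissing }
```

Reading SYSVOL only needs Authenticated Users, so this check can run from any domain-joined machine; the same listing is also a quick way to review exactly which keys a GPO from someone else will write before you link it.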

Example 2

If you want to manually add, remove or change a registry key or value, you can do so with a Registry Item. You can only add one entry at a time with this method.

In the example below, note that intermediate keys are created as needed: if you enter HKEY_LOCAL_MACHINE\Software\1\2\3\4\5 it will create the 1, 2, 3, 4 and 5 keys if they are not already present.

The default action when using Group Policy Preferences to modify the registry is Update. Let's look at the 4 actions and what they mean.

Create

  • Creates the item
  • Does nothing if the item already exists

Let me expand on the 2nd point. If there is already a DWORD with the value 1, and you create a Group Policy Preference for the same DWORD set to 2 with the Create action, nothing happens to the DWORD: it remains at 1. Create is the right choice for seeding a default that the machine or user is then free to change.

Update (Default)

  • If the item already exists, it is updated with the configuration specified in the Group Policy Preference
  • If the item does not exist, it is created

It is important to understand that a Group Policy Preference does not lock the registry item; as the name suggests, it is a preference. So if you set a DWORD to 1, a user with write access to that part of the registry (HKEY_CURRENT_USER, for example) could set it to 0, and the change would stick until the next Group Policy refresh re-evaluated the item and put it back. If the setting must be enforced, use a policy setting (or a Policies key the application honours) rather than a preference, and do not tick “Apply once and do not reapply” on the Common tab.

Replace

  • Deletes the existing item if it already exists, then creates it again from the preference. For a single value this ends up the same as Update; for a key, Replace removes the whole key, including any values and subkeys you did not configure, before recreating it, so it is the one action that can wipe settings you did not intend to touch.

There aren’t many situations where you would need to delete an item before populating it again, I can’t say I’ve used this to modify registry items before. But there may be a case for you to use it.

Delete

  • Deletes the item
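As an added example (not from the original post), the following PowerShell emulates the four actions against a scratch key under HKEY_CURRENT_USER so you can watch the Create versus Update difference described above, and Replace changing a value's type, before you commit to an action in a GPO. GPP itself is not involved; the scratch path is made up and is removed at the end.

```powershell
# Added example, not from the original post. Emulates the four GPP registry
# actions against a scratch key under HKCU so the Create/Update/Replace/Delete
# semantics can be observed directly. GPP itself is not involved, and the
# scratch key (a constructed path) is removed at the end.

function Set-DemoRegValue {
    # Create the key chain if needed (as a GPP registry item would), then write the value.
    param([string]$Path, [string]$Name, [object]$Data, [string]$Type)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Data -PropertyType $Type -Force | Out-Null
}

function Invoke-GppRegistryAction {
    param(
        [Parameter(Mandatory)][ValidateSet('Create', 'Update', 'Replace', 'Delete')][string]$Action,
        [Parameter(Mandatory)][string]$Path,    # PowerShell registry path, e.g. HKCU:\Software\Demo
        [Parameter(Mandatory)][string]$Name,    # value name
        [object]$Data,
        [ValidateSet('DWord', 'QWord', 'String', 'ExpandString', 'MultiString', 'Binary')][string]$Type = 'DWord'
    )
    $exists = $null -ne (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue)
    switch ($Action) {
        'Create'  { if (-not $exists) { Set-DemoRegValue $Path $Name $Data $Type } }  # never touches an existing value
        'Update'  { Set-DemoRegValue $Path $Name $Data $Type }                        # create or overwrite
        'Replace' { if ($exists) { Remove-ItemProperty -Path $Path -Name $Name }
                    Set-DemoRegValue $Path $Name $Data $Type }                        # delete, then recreate
        'Delete'  { if ($exists) { Remove-ItemProperty -Path $Path -Name $Name } }
    }
    # Return the value's current data (nothing if it no longer exists) so each step can be checked.
    $after = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $after) { $after.$Name }
}

$demo = 'HKCU:\Software\GppActionDemo\1\2\3'   # constructed; the 1\2\3 keys are created on the first write
Invoke-GppRegistryAction -Action Update  -Path $demo -Name Flag -Data 1   # creates Flag as a DWORD set to 1
Invoke-GppRegistryAction -Action Create  -Path $demo -Name Flag -Data 2   # Flag already exists, so Create leaves it at 1
Invoke-GppRegistryAction -Action Update  -Path $demo -Name Flag -Data 2   # Update overwrites it with 2
Invoke-GppRegistryAction -Action Replace -Path $demo -Name Flag -Data 'x' -Type String   # deleted and recreated as REG_SZ
Invoke-GppRegistryAction -Action Delete  -Path $demo -Name Flag          # removed; nothing is returned
Remove-Item -Path 'HKCU:\Software\GppActionDemo' -Recurse                # clean up the scratch key
```

Run it in a normal (non-elevated) session: everything lives under HKCU, which also illustrates the “not locked” point above, since the same user could change Flag back between refreshes.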

I’d like to thank you for reading and I hope it’s been informative for you!

Group Policy – GPUpdate an OU of Computers

There are times when you need to remotely refresh Group Policy on a group of computers, bypassing the default 90 minute (+ up to 30 minute random offset) interval. Let's look at 3 ways to achieve that. Two of the methods require Server 2012, or Windows 8 with the Remote Server Administration Tools, to initiate the refresh; the 3rd can be initiated from Windows 7 or Server 2008 R2.

Method 1. Server 2012 introduced the ability to remotely refresh Group Policy for all computers in an OU from the Group Policy Management Console (GPMC). When you use this method there is a random delay of up to 10 minutes, to spread the load on the network and domain controllers; this delay cannot be configured from the GUI. Under the hood GPMC creates a scheduled task on each target over WMI that runs gpupdate /force, so the targets must allow the inbound Remote Scheduled Tasks Management and Windows Management Instrumentation (WMI) firewall rules; GPMC on Server 2012 includes a “Group Policy Remote Update Firewall Ports” Starter GPO that opens them. This method supports a Group Policy refresh for Windows Server 2012 R2 Preview, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8.1 Preview, Windows 8, Windows 7 and Windows Vista clients.

Open the GPMC, right click the OU of Computers you’d like to refresh and select Group Policy Update.


This will return the number of computer objects in the OU, and ask if you’re sure.


This will run a GPUpdate /force on all computer objects in the OU selected and any child OUs and will refresh both the computer and user policies.


Method 2. This method requires Server 2012, or Windows 8 with the Remote Server Administration Tools, for the ActiveDirectory and GroupPolicy PowerShell modules. The following command retrieves the computer objects from the Servers OU and runs Invoke-GPUpdate against each of them. The parameter is -RandomDelayInMinutes (0 starts the refresh immediately rather than within the default 10 minute window); add -Force if you want the equivalent of gpupdate /force.

Get-ADComputer -SearchBase "OU=Servers,DC=thesysadmins,DC=local" -Filter * | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -RandomDelayInMinutes 0; "Refreshing host $($_.Name)." }

Be aware, this method will display the command prompt with “Updating Policy” on the computer objects you run it against. So bear this in mind if you’re running this against your desktops or laptops with users logged in.
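The one-liner above gives no indication of which hosts actually accepted the refresh. As an added example (not from the original post), here is a version that skips disabled computer objects, checks reachability first, and returns one result object per host so failures can be exported and chased up. It assumes the ActiveDirectory and GroupPolicy modules and uses the post's Servers OU; the CSV path is a placeholder.

```powershell
# Added example, not from the original post. Refreshes Group Policy on every
# enabled computer in an OU with Invoke-GPUpdate and records per-host success
# or failure, instead of the fire-and-forget one-liner. Needs the ActiveDirectory
# and GroupPolicy modules (RSAT / Server 2012); the OU is the post's Servers OU.

function Invoke-OuGpUpdate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [ValidateSet('Computer', 'User')][string]$Target,   # omit to refresh both computer and user policy
        [int]$RandomDelayInMinutes = 0,
        [switch]$Force                                      # equivalent of gpupdate /force
    )
    Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop

    # Disabled computer objects can never refresh; skip them up front.
    $names = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' |
        Select-Object -ExpandProperty Name

    foreach ($name in $names) {
        $result = [ordered]@{ Computer = $name; Reachable = $false; Scheduled = $false; Error = $null }

        if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
            $result.Error = 'No ICMP reply; skipped'
            [pscustomobject]$result
            continue
        }
        $result.Reachable = $true

        $params = @{ Computer = $name; RandomDelayInMinutes = $RandomDelayInMinutes; ErrorAction = 'Stop' }
        if ($Target) { $params.Target = $Target }
        if ($Force)  { $params.Force  = $true }
        try {
            # Invoke-GPUpdate schedules a task on the target; success here means the
            # task was created, not that gpupdate has already finished running.
            Invoke-GPUpdate @params
            $result.Scheduled = $true
        } catch {
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

$results = Invoke-OuGpUpdate -SearchBase 'OU=Servers,DC=thesysadmins,DC=local' -Force
$results | Format-Table -AutoSize
# Keep the failures for follow-up (firewall rules, WMI, or hosts that were simply off).
$results | Where-Object { -not $_.Scheduled } | Export-Csv -Path C:\gpupdate-failures.csv -NoTypeInformation
```

The ICMP check is only a cheap pre-filter; a host that drops ping but has the Remote Scheduled Tasks Management and WMI firewall rules open would be skipped here, so drop that test (or replace it with Test-WSMan) if your servers block ICMP.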


Method 3. Fear not! If you're not using Server 2012 you can still achieve the above with fairly little effort, using PowerShell to generate a list of computers and PsExec to run gpupdate on each of them. The following PowerShell gets a list of computers from the Servers OU and writes them to a text file on the C drive; you can replace this with a UNC path if desired. I've added a dummy first entry to the text file: for some reason PsExec fails the first entry, so this gets around that.

Add-Content -Path C:\Servers.txt -Value Dummy ; Get-ADComputer -LDAPFilter "(name=*)" -SearchBase "OU=Servers,DC=thesysadmins,DC=local" | Select-Object -ExpandProperty Name | Out-File -Encoding utf8 "C:\Servers.txt" -Append

PsExec will then connect to each of the machines listed in Servers.txt and run gpupdate /force. This method isn't particularly quick, but it gets the job done. Be aware that PsExec installs a temporary service (PSEXESVC) on every target to run the command, which endpoint security tools commonly alert on, so warn your security team if this is new in your environment.

psexec @"C:\Servers.txt" gpupdate /force


Searching Group Policy

Today we’re looking at 3 easy ways to search Group Policy settings, primarily focusing on the Administrative Templates. With over 3000 settings (~3500 with Server 2012/Windows 8) you’re going to want to be aware of these methods!

1. Search with Microsoft’s GPSearch Site

Microsoft put this site up a couple of years ago, initially at http://gps.cloudapp.net/; it has since moved to http://gpsearch.azurewebsites.net and lets you search any of the Computer or User Administrative Template settings within Group Policy. They also link to a Windows Phone application for searching Group Policy; it's nice to see them putting out apps like this: http://www.windowsphone.com/en-gb/store/app/group-policy-search/d1615909-62e2-df11-a844-00237de2db9e.


2. Search with the Group Policy Management Console

You can search from within the Group Policy editor itself: right click Administrative Templates under Computer Configuration or User Configuration and select Filter Options. The initial criteria is “Any”, so you can simply type a keyword and filter the results on it; make sure you right click Administrative Templates again and set Filter On, or nothing changes. The Configured and Commented options are quite interesting: I rarely see people commenting Group Policy objects or settings, but these let you return only the commented or configured settings within a GPO.


3. Search with the Group Policy Settings Reference XLS(x)

I really like the spreadsheets that Microsoft have provided for searching Group Policy: http://www.microsoft.com/en-au/download/details.aspx?id=25250; the filters in place make it very simple to filter out what you’re looking for. I particularly like the “Reboot required” and “Logoff required” columns, very helpful. These spreadsheets are well worth a look as they tend to give you a little more information than the methods above.


Disabling Windows and HP Print Notifications with Group Policy

I’m going to cover two types of notifications.

The standard Windows notification

Disabling the standard Windows printer balloon can be done via the registry. Create a .reg file with the following and save it as Disable_Balloon.reg:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Printers\Settings]
"EnableBalloonNotificationsRemote"=dword:00000000
"EnableBalloonNotificationsLocal"=dword:00000000

You can download a pre-made .reg file here.

Then create a .bat file with a link to the UNC path of the .reg file:

@echo off
REM Remove Printer Notification Balloon
regedit /s "\\fileserver\share\Printers\Disable_Balloon.reg"

You can download a pre-made batch file here.

The registry settings are applied to the current user, so you'll want to add the batch file as a logon script under the User Configuration of the GPO. Since these are just two values under HKEY_CURRENT_USER, you could equally deploy them as two User Configuration Group Policy Preference registry items (Update action), which avoids running regedit at logon and re-applies the values on every refresh.

HP Print Notifications

HP are kind enough to provide a HP Printer Administrator Resource Kit which includes .ADM and .ADMX administrative templates for disabling these notifications.

HP Printer Administrator Resource Kit

Once you’ve downloaded the .zip you will find the ADM(X) files in the hp-upd-park-1.4\active directory administrator template folder. Head over to the GPMC and add this administrative template under the user configuration.

Enable the Status Notification Pop-ups Properties item and set the Printer Alert Notification Settings to disabled.

Both of these methods have been tested with Windows XP and Windows 7.

Adobe Reader X – Disable Protected Mode ADM

Adobe Reader 10 includes a new feature called “Protected Mode”, a sandbox for the PDF renderer, which gives “There was an error opening this document. Access denied” when opening a document from a network share. Bear in mind that Protected Mode is one of Reader's main defences against malicious PDFs, so disabling it trades that protection for the convenience of opening files from shares; scope the GPO as narrowly as you can and revisit it once the vendor has fixed the underlying issue.

To disable this via Group Policy:

  • Download the ADM file here
  • Create a new GPO, right click Administrative Templates under User Configuration, select Add/Remove Templates and browse to adobex.adm
  • Open the new Adobe Reader 10 policy -> Preferences -> General -> Application Startup
  • Set “Enable Protected Mode at startup” to Disabled
  • Link the GPO to the required OU or domain

If you are using Server 2003, you will need to tweak the filtering options by doing the following:

  • With Administrative Templates selected go to View -> Filtering -> Untick ‘Only Show policy settings that can be fully managed’.

