The Sysadmins

Tips and tricks from the Sysadmins

Group Policy Preferences – 1. Deploying Registry Settings

Group Policy Preferences allow you to deploy and modify registry settings quickly and easily. This post will run through a couple of examples to give you a starting point and some guidance for using this in your own environment. As with any Group Policy based changes, use a test Organizational Unit to confirm and test changes before making them live.

Example 1

You have made some changes to HKEY_LOCAL_MACHINE on a reference machine, and would like to deploy the same registry settings to an OU of computers.

1. Open the Group Policy Management Console

2. Right click Group Policy Objects and select New, then give the GPO a meaningful name. Creating it here does not link it to an OU, so it will not affect any computers or users. This is a good practice to get into: if you create the GPO at a live OU level, any changes (and mistakes) will be deployed if you’re unlucky enough for the computers or users to perform a Group Policy refresh as you’re creating the GPO. Always link the GPO later, when you have tested it.

3. Right click the new GPO and select Edit.

4. Expand Computer Configuration, Preferences, Windows Settings and head down to Registry. Right click and select New; you will be presented with 3 options.

  • Registry Item allows you to manually change single entries of the registry
  • A collection simply allows you to organize registry preference items into a folder; this can be useful if you need to set item level targeting over a bunch of registry changes
  • Registry Wizard allows you to use the local machine as a reference, or connect to a remote machine to add multiple entries; this is the method we will use in this example


When using the Registry wizard, the remote computer must have the Remote Registry service enabled, otherwise you will be greeted with the error message “The network path was not found”.


To resolve this, enable the service on the remote machine with the following commands:

sc config remoteregistry start= demand

(this sets the service to manual; it’s disabled by default. Note that sc expects the space after the equals sign, not before it)

net start remoteregistry

It will then allow you to select items from HKEY_LOCAL_MACHINE and HKEY_USERS on the remote machine. If you need other areas of the registry, you will need to install the Remote Server Administration Tools onto the reference computer and add the Group Policy Preferences Console via Programs and Turn Windows Features on or off. Run through the same process on the remote machine’s console to import the relevant registry items.

RSAT for Windows 7
RSAT for Windows 8

In this example we’re okay, as we want to pull settings from the HKEY_LOCAL_MACHINE.

5. Browse to the required location and tick the required keys and values to import into the GPP. Click Finish.

6. Now you can expand the entries we imported with the wizard to review them. Common tasks are available, as usual with Group Policy Preferences: right click an entry, select Properties, then choose the Common tab. By default the entries are set to Update.

If you ever notice that the hive column isn’t populated after the import, double click on the entry or right click and select properties. Without changing anything click OK, this will then populate the hive entry. I’ve only seen this a couple of times… but if it isn’t populated the settings won’t get deployed, so it’s worth mentioning!

Example 2

If you want to manually add, remove or change a registry key you can do so using the registry item. You can only add one entry at a time with this method.

The registry item will create new keys if needed, so if you enter HKEY_LOCAL_MACHINE\Software\1\2\3\4\5 it’ll create the 1, 2, 3, 4 and 5 keys if they are not already present.

The default behavior when using Group Policy Preferences to modify the registry is “update”. Let’s look at the 4 options and what they mean.

Create

  • Creates the item
  • Does nothing if the item already exists

Let me expand on the 2nd point. If there is already a DWORD with the value of 1, and you create a Group Policy Preference with the same DWORD set to 2 with the option of Create, nothing would happen to the DWORD. It would remain at 1.

Update (Default)

  • If the item already exists, it will update with the configuration specified in the Group Policy Preference
  • If the item does not exist, it will be created

It is important to understand that Group Policy Preferences doesn’t lock the registry item; it merely (as its name suggests) uses it as a preference. So if you set a DWORD to 1, depending on the area of the registry, a user could go and set that to 0, which would stick until a Group Policy update occurred and the item was re-evaluated.

Replace

  • Delete existing item if it already exists and create a new object

There aren’t many situations where you would need to delete an item before populating it again, and I can’t say I’ve used this to modify registry items before. But there may be a case for you to use it.

Delete

  • Deletes the item
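
A scripted equivalent of Example 2, using the GroupPolicy PowerShell module that is installed with the Group Policy Management Console (an added example, not part of the original post). The GPO name, registry key, value names and OU path are hypothetical placeholders; the GPO is created unlinked, gets one Update item and one Create item, and is linked to a test OU only as the last step.

```powershell
# Added example. Requires the GroupPolicy module (installed with GPMC/RSAT)
# and rights to create and link GPOs. All names below are hypothetical.
Import-Module GroupPolicy

$gpoName = 'TEST - Registry Preferences'
$key     = 'HKEY_LOCAL_MACHINE\Software\ExampleVendor\ExampleApp'
$testOu  = 'OU=GPO Test,DC=example,DC=com'

# Step 2 of Example 1: create the GPO without linking it, so nothing
# processes it while it is still being edited.
New-GPO -Name $gpoName -Comment 'Registry preference items under test' | Out-Null

# Update (the default action): creates the value if it is missing and
# overwrites it if it exists. Missing parent keys are created on the client.
Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Update `
    -Key $key -ValueName 'ExampleSetting' -Type DWord -Value 1 | Out-Null

# Create: only sets the value when it does not exist yet. A client that
# already has InitialDefault = 1 keeps 1 after this item is processed.
Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Create `
    -Key $key -ValueName 'InitialDefault' -Type DWord -Value 2 | Out-Null

# Review what the GPO will deploy before linking it anywhere.
foreach ($name in 'ExampleSetting', 'InitialDefault') {
    Get-GPPrefRegistryValue -Name $gpoName -Context Computer -Key $key -ValueName $name
}

# Link to a test OU only once the items above look right.
New-GPLink -Name $gpoName -Target $testOu -LinkEnabled Yes | Out-Null

# Run this part on a test client after 'gpupdate /force'. Preferences are not
# locked, so it also shows whether a value was changed since the last refresh.
function Test-PreferenceValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    $item   = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.$Name } else { $null }
    [pscustomobject]@{
        Name = $Name; Expected = $Expected; Actual = $actual
        Match = ($null -ne $actual -and $actual -eq $Expected)
    }
}
Test-PreferenceValue -Path 'HKLM:\Software\ExampleVendor\ExampleApp' `
    -Name 'ExampleSetting' -Expected 1
```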

I’d like to thank you for reading and I hope it’s been informative for you!

8 Comments

  1. Nice work thank you

  2. Can we apply HKLM reg changes via user settings & apply it to user OU? Does this need user to be part of Administrators group?

    • Tom@thesysadmins.co.uk

      August 6, 2015 at 9:19 pm

      Ranjith, yes you can. By default it will use the System account.

      If you tick ‘Run in logged-on user’s security context (user policy option)’ it will try to make the change as the logged-on user – this will fail unless the user is a member of the local administrators group.

  3. Steven Butterworth

    July 24, 2015 at 1:47 pm

    Excellent post, well done

  4. Hi,
    Great post! Keep it up

    I would add a warning regarding manipulating registry with GPO:
    “Do not delete GPO registry settings (yes from the group policy you are editing) before checking it carefully! There is no undo with such changes, no ‘not configured’ setting that will revert the registry change to ‘original state’. If you create a key and later want to discard/revert it – add a delete action to that registry path or use update and change to correct value. Use the remarks and document well your changes and all relevant values for the key :)”

    Had some experience with that 😉

    Cheers

    Sean

  5. “If you ever notice that the hive column isn’t populated after the import, double click on the entry or right click and select properties. Without changing anything click OK, this will then populate the hive entry. I’ve only seen this a couple of times… but if it isn’t populated the settings won’t get deployed, so it’s worth mentioning!”

    This saved me from pulling *more* hair out of my head. I could not figure out why my Registry Keys and Items were not applying. I did not notice the Hive Column for my keys and items was not populated, nor did I know that was even important. Thank you so much for including that note because now my settings are deploying!

  6. Delete isn’t working for me. I’m trying to keep Skype from running after login … I want to do it via group policy so I don’t have to hit 20+ machines to disable it.

    The value is in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run … value is Skype with dword and a path to an executable.

    The domain controller doesn’t have Skype so I cannot select it from the list when creating a GPO … I type Skype in value section of group policy after selecting the key: “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”
