Add, modify and delete Registry keys using Group Policy


The settings of most applications and many Windows features do not require centralized management through Group Policy (GPO). However, you should know that you can customize their settings through the registry. In this article we will show you how to use Group Policy to manage, add, modify and delete registry keys across a domain.

Normally, Group Policy did not provide a built-in way to manage arbitrary registry keys, so administrators had to use labor-intensive methods such as creating their own administrative GPO templates (.adm/.admx) or logon scripts.

In Windows Server 2008, Microsoft introduced a Group Policy extension – Group Policy Preferences (GPP). GPP includes registry settings, which allow you to add, remove or modify key values. Let’s review these possibilities in detail.

Let’s say we need to disable automatic driver updates on all PCs in a particular OU. To do this, we have to modify the SearchOrderConfig key in the registry branch:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching

There are two ways to specify the registry key for the target PCs: by browsing the registry of a remote PC with the registry browser built into the GPP console, or manually, by specifying the branch and the key.

Consider the first method:

  1. Open Group Policy Management Console (gpmc.msc)
  2. Create a new GPO (or edit an existing one) and link it to the appropriate container (OU) in AD. Then open it in edit mode
  3. Expand Computer (or User) Configuration -> Preferences -> Windows Settings -> Registry. In the context menu, select New -> Registry Wizard
  4. The Registry Wizard allows you to connect to the registry on a remote machine and select an existing registry key
  5. Specify the remote computer to connect to and select an existing key/registry branch
  6. Using the browser, select the remote registry key or registry keys that you want to set via GPO
  7. In our example, we want to import only one key into the GPP – SearchOrderConfig
  8. The key is imported into the GPP console. You can change its value and the desired action (see below)
  9. The GPP policy is now created. After a while, this key will be created on all domain computers

Let’s consider the second method:

  1. Select New -> Registry Item
  2. In the following fields (Hive, Key path, Value type, Value data) you have to specify the registry section, registry branch, name, type and value of the key
  3. By default, the key is set in Update mode

There are 4 types of operations on keys:

  • Create – creates a registry key. If the parameter already exists, its value is not changed
  • Update (default) – if the parameter already exists, its value is updated to the one specified in the GPP; if not, it is created
  • Replace – if the registry element already exists, it is deleted and re-created (rarely used)
  • Delete – the key is removed
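
The second method and the action choice above can also be scripted with the GroupPolicy PowerShell module (installed with GPMC/RSAT). This is an added example, not part of the original article; the GPO name, the OU distinguished name, the report path and the value data 0 (taken here to mean "do not search Windows Update for drivers") are assumptions to adjust for your environment.

```powershell
# Added example: create a GPP registry item for SearchOrderConfig from PowerShell.
# Run on a machine with the GroupPolicy module, as an account allowed to create
# and link GPOs in the domain.
Import-Module GroupPolicy

# Assumed values, not taken from the article.
$GpoName   = 'Disable automatic driver updates'     # hypothetical GPO name
$TargetOu  = 'OU=Workstations,DC=example,DC=com'    # hypothetical OU
$ValueData = 0                                      # assumed "disabled" value

# Values taken from the article.
$Key       = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching'
$ValueName = 'SearchOrderConfig'

# Create the GPO and link it to the OU only if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'GPP registry item: SearchOrderConfig'
    New-GPLink -Guid $gpo.Id -Target $TargetOu | Out-Null
}

# Equivalent of New -> Registry Item under Computer Configuration.
# -Action accepts Create, Update, Replace or Delete, matching the list above.
Set-GPPrefRegistryValue -Guid $gpo.Id -Context Computer -Action Update `
    -Key $Key -ValueName $ValueName -Type DWord -Value $ValueData | Out-Null

# Read the item back from the GPO to confirm what will be deployed.
Get-GPPrefRegistryValue -Guid $gpo.Id -Context Computer `
    -Key $Key -ValueName $ValueName

# Save the same settings report that GPMC shows, for change review.
$report = Join-Path $env:TEMP 'driver-updates-gpo-report.html'
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $report

# On a client in the OU, after the policy has refreshed:
#   gpupdate /target:computer /force
#   Get-ItemPropertyValue `
#     -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching' `
#     -Name SearchOrderConfig
```

Because the item lives under Computer Configuration, it is written by the system rather than by the logged-on user, so it can reach the HKLM branch regardless of the user's rights.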

There are a number of useful options on the Common tab:

  • Run in logged-on user’s security context – the key is created in the context of the current user. In that case, if the user does not have administrator rights, you will not be able to write to the system branches.
  • Remove this item when it is no longer applied – if the policy no longer applies to the client, the key is automatically removed.
  • Apply once and do not reapply – the policy is applied to each PC only once.
  • Item-level targeting – more precise targeting of policies to clients.

The final report with policy settings in the GPMC console looks like this.

[Screenshot: registry report]

Note. In Windows XP and Windows Server 2003 the GPP section is absent. To add it to these operating systems, you have to install the KB943729 update (client-side extensions for Group Policy).

