The settings of most applications and many Windows features do not require centralized management through Group Policy (GPO). However, you should know that their settings can be customized through the registry. In this article we will show you how to use Group Policy to manage, add, modify and delete registry keys across a domain.
Normally, Group Policy does not provide a built-in way to manage arbitrary registry keys, so administrators had to use labor-intensive methods such as creating their own administrative GPO templates (.adm/.admx) or logon scripts.
In Windows Server 2008, Microsoft introduced a Group Policy extension – Group Policy Preferences (GPP). GPP includes registry settings, which allow you to add, remove or modify key values. Let’s review these possibilities in detail.
Let’s say we need to disable automatic driver updating on all PCs in a particular OU. We have to modify the SearchOrderConfig key in the registry branch
There are two options for specifying the registry key on the target PCs: by using the registry browser built into the GPP console to browse a remote PC, or manually, by specifying the branch and the key.
Consider the first method:
- Open the Group Policy Management Console (gpmc.msc)
- Create a new GPO (or edit an existing one) and assign it to the appropriate Active Directory Organizational Unit. Then open it in edit mode
- Expand Computer (or User) Configuration -> Preferences -> Windows Settings -> Registry. In the context menu, select New -> Registry Wizard
- The Registry Wizard allows you to connect to the registry on a remote machine and select an existing registry key
- Specify the remote computer to connect to and select an existing key/registry branch
- Using the browser, select the remote registry key or keys that you want to set via GPO
- In our example, we want to import only one key into the GPP – SearchOrderConfig
- This key is imported into the GPP console. You can change its value and the desired action (see below)
- The creation of the GPP policy is complete. After a while, this key will be created on all domain computers
Let’s consider the second method:
- Select New -> Registry Item
- In the following fields (Hive, Key path, Value type, Value data), specify the registry section, registry branch, name, type and value of the key
- By default, set the key in Update mode
There are 4 types of operations on keys:
- Create – creates a registry key. If the parameter already exists, its value does not change
- Update (default) – if the parameter already exists, its value is updated to the one specified in the GPP. If not, it is created
- Replace – if the registry element already exists, it is deleted and re-created (rarely used)
- Delete – the key is removed
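The second method and the action modes above can also be scripted with the GroupPolicy PowerShell module that ships with GPMC. This is an added example, not part of the original article: the GPO name, OU, key path and value data are placeholders to replace, and the DWord type is an assumption.

```powershell
# Added example: scripted equivalent of "New -> Registry Item" (run where GPMC/RSAT is installed).
Import-Module GroupPolicy

# Assumptions: replace every value in this block with your own.
$GpoName   = 'Workstations - Driver Updates'       # hypothetical GPO name
$TargetOu  = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU
$KeyPath   = 'HKLM\SOFTWARE\<registry-branch>'     # placeholder: branch that holds the value
$ValueName = 'SearchOrderConfig'                   # value named in the article
$ValueData = 0                                     # placeholder data; type DWord is assumed

# Refuse to run while the placeholder path is still in place.
if ($KeyPath -match '[<>]') { throw 'Set $KeyPath to the real registry branch first.' }

# Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Registry item managed via GPP' }

# Link it to the OU unless a link is already there (New-GPLink fails on duplicates).
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) { New-GPLink -Guid $gpo.Id -Target $TargetOu | Out-Null }

# Drop any earlier item for this value so a re-run leaves exactly one.
Remove-GPPrefRegistryValue -Guid $gpo.Id -Context Computer -Key $KeyPath `
    -ValueName $ValueName -ErrorAction SilentlyContinue | Out-Null

# Hive + Key path, Value name, Value type, Value data and Action map to these parameters.
# -Action accepts Create, Update, Replace or Delete; Update is the console default.
Set-GPPrefRegistryValue -Guid $gpo.Id -Context Computer -Action Update `
    -Key $KeyPath -ValueName $ValueName -Type DWord -Value $ValueData | Out-Null

# Read the item back from the GPO to confirm what clients will receive.
Get-GPPrefRegistryValue -Guid $gpo.Id -Context Computer -Key $KeyPath -ValueName $ValueName

# Save the settings report that GPMC shows, for change review.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $env:TEMP "$GpoName.html")
```

After the next Group Policy refresh (or `gpupdate /force`), the value can be checked on a target PC with `Get-ItemProperty`.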
There are a number of useful options on the Common tab:
- Run in logged-on user’s security context – the key is created in the context of the current user. In that case, if the user does not have administrator rights, the key cannot be written to the system branches.
- Remove this item when it is no longer applied – if the policy ceases to apply to the client, the key is removed automatically.
- Apply once and do not reapply – the policy is applied to each PC only once.
- Item-level targeting – more precise targeting of policies to clients.
The final report with policy settings in the GPMC console looks like this.
Note. In Windows XP and Windows Server 2003 the GPP section is absent. To add it to the OS, you have to install the KB943729 update (client-side extensions for Group Policy).