How to Add, Edit and Remove Registry Keys Using Group Policy?


Not every Windows or application setting in a domain environment can be managed through the standard Group Policy (GPO) settings; some can be changed only through the system registry. In an Active Directory domain, you can centrally manage registry keys on domain computers through a GPO. In this article, we will show you how to use Group Policy to add, modify, import, and delete registry keys across a domain.

Windows Server 2008 introduced a special Group Policy extension (Group Policy Preferences – GPP) which allows you to conveniently manage registry keys and parameters through the Group Policy. GPP allows you to add, remove or modify registry parameters, values and keys on domain-joined computers. Let’s review these possibilities in detail.

Note. Previously, domain administrators had to create their own administrative GPO templates (.adm/.admx) or .bat logon scripts to manage registry settings on domain computers. Saved *.reg files were also often used; they had to be imported on the users’ computers with the reg import or Regedit.exe /s import.reg commands.

How to Add/Set Registry Key via GPO?

Let’s say we need to disable automatic driver updates on domain computers in a particular OU. To do this, we have to modify the SearchOrderConfig parameter in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching.

There are three options for selecting the registry key on the target PCs:

  • With the built-in GPP registry browser (wizard);
  • Collection Item – creates and organizes registry items in a folder. Useful if you need to add a group of registry keys;
  • Manually, by specifying the registry key and the parameter.

Let’s try to use the GPO Registry Wizard to set the registry parameter value:

  1. Open the Group Policy Management Console (gpmc.msc)
  2. Create a new (or edit an existing) GPO and link it to the appropriate Active Directory Organizational Unit. After that switch it to the GPO Edit mode;
  3. Expand the following GPO section: Computer (or User) Configuration > Preferences > Windows Settings > Registry. Select in the context menu: New > Registry Wizard;
  4. Registry Wizard allows you to browse the registry on a local computer or connect to the registry on the remote computer and select the existing registry key and parameter;
  5. Specify the remote computer name (or an IP address) to connect and use the Registry Browser tree to locate and select an existing registry key/parameter;
  6. In this example, we want to add to our GPP only one registry item – REG_DWORD parameter named SearchOrderConfig;
  7. This parameter, with its full registry path and value, will be imported into the GPO editor console. You can change its value and the desired action. To set a registry key, use the Update option (see below);
  8. This completes the registry policy setting. The next time Group Policy is updated on computers (or after running the gpupdate command), the specified registry settings will be applied on all computers in the OU.

You can also type the full registry key path and a parameter name manually:

  1. Select New > Registry Item;
  2. In the following fields (Hive, Key path, Value type, Value data) you have to specify the registry hive (HKLM, HKCU, etc.), the registry key, and the parameter name, type and value. Note. You can use the following Hive names: HKEY_CLASSES_ROOT (HKEY_LOCAL_MACHINE\Software\Classes), HKEY_CURRENT_CONFIG (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current), HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER (HKEY_USERS\.Default will be used if you set an HKCU registry key using a Computer Configuration policy).
  3. As a default, set the policy option to the Update mode.

There are 4 types of operation with the registry items:

  • Create – creates a registry parameter. If the parameter already exists, the value does not change;
  • Update (default) – if the parameter already exists, its value is updated to the one specified in the GPP item. If not, a parameter with the specified value is created;
  • Replace – if the registry item already exists, delete and recreate registry item (rarely used);
  • Delete – remove a registry key and all of its values and subkeys.

There are a number of useful options on the Common tab:

  • Run in logged-on user’s security context – the registry parameter is created in the context of the current user. If you check this option, the parameter will be created with the current user’s permissions. If the user doesn’t have local admin permissions, the policy will be applied only to the HKEY_CURRENT_USER hive, but not to HKEY_LOCAL_MACHINE;
  • Remove this item when it is no longer applied – if you unlink the GPO from the AD container, the changed registry settings return to their initial state;
  • Apply once and do not reapply – apply the policy for each computer only once;
  • Item-level targeting – can be used to target registry settings via GPP at a granular level, based on computer settings and/or user properties.

The final report with policy settings in the GPMC console looks like this.

Note. In Windows XP and Windows Server 2003 the GPP section is absent. To add it to the OS, you have to install the KB943729 update (client-side extensions for Group Policy).

How to Delete Registry Key via GP Preferences?

You can also use GP Preferences to remove a specific key or registry entry on computers in a domain.
For example, suppose you want to delete a certain parameter in the HKEY_CURRENT_USER hive.

  1. Create a new registry GPP entry in the section User Configuration > Preferences > Windows Settings > Registry;
  2. Use the Registry Browser to select a parameter or key;
  3. In the GPO console, expand the key branch, open the parameter properties and change the Action to Delete;
  4. Save the changes;
  5. Now, after the Group Policy settings are updated on clients, the specified parameter will be deleted from the user’s hive.

Tip. If you receive an error “Network Path not found” when using Registry Browser to view the registry of a remote computer, check that the specified computer is accessible over the network, and that the Remote Registry service is Running. If not, use the Services console (services.msc) to start the service.
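
The same two preference items (the Update item from the "Add/Set" section and a Delete item as in the "Delete" section) can also be created from PowerShell with the GroupPolicy module. This is an added example, not part of the original article; the GPO name, the OU path, the value 0 and the HKCU key and parameter names are assumptions to replace with your own.

```powershell
# Added example. Requires the GroupPolicy module (installed with GPMC/RSAT)
# and permission to create and edit GPOs in the domain.
Import-Module GroupPolicy

# Hypothetical names: replace with your own GPO name and OU distinguished name.
$GpoName  = 'Workstations - Registry Preferences'
$TargetOu = 'OU=Workstations,DC=example,DC=com'

# Create the GPO and link it to the OU if it does not exist yet.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'GPP registry items (example)' | Out-Null
    New-GPLink -Name $GpoName -Target $TargetOu | Out-Null
}

# Computer Configuration item with the Update action: the value is created
# if missing and overwritten if present.
# Assumption: the article does not state the value to set; 0 is used here.
$DriverKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching'
Set-GPPrefRegistryValue -Name $GpoName -Context Computer -Action Update `
    -Key $DriverKey -ValueName 'SearchOrderConfig' -Type DWord -Value 0 | Out-Null

# User Configuration item with the Delete action. The key and parameter are
# placeholders. -ValueName limits the deletion to one parameter; a Delete item
# that names only a key removes the key with all of its values and subkeys.
$UserKey = 'HKCU\Software\ExampleVendor\ExampleApp'
Set-GPPrefRegistryValue -Name $GpoName -Context User -Action Delete `
    -Key $UserKey -ValueName 'ObsoleteSetting' | Out-Null

# Review what the GPO now contains before clients pick it up.
Get-GPPrefRegistryValue -Name $GpoName -Context Computer -Key $DriverKey
Get-GPPrefRegistryValue -Name $GpoName -Context User -Key $UserKey

# Optional: save the same settings report that GPMC shows.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\gpp-registry-report.html"
```

Review the Get-GPPrefRegistryValue output for the hive, action and value before the next Group Policy refresh, since a Delete item is applied to every user in scope of the link.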
