In the domain environment, it’s not always possible to use Group Policy (GPO) to manage some of the Windows or applications’ settings. It’s a fact that you can apply some settings only through the system registry. In an Active Directory domain, you can centrally manage registry keys on domain computers through a GPO. In this article, we will show you how to use Group Policy to manage, add, modify, import, and delete registry keys across a domain.
Windows Server 2008 introduced a special Group Policy extension (Group Policy Preferences — GPP). It allows you to manage registry keys and parameters through the Group Policy. GPP allows you to add, remove, or modify registry parameters, values, and keys on domain-joined computers. Let’s review these possibilities.
Note. Previously, to manage registry settings on domain computers, domain administrators had to create their own administrative GPO templates (.adm/.admx) or .bat logon scripts. Also, saved *.reg files were often used, which had to be imported to the users’ computers using the reg import or Regedit.exe /s import.reg commands).
How to Add/Set Registry Key via GPO?
Let’s say we need to disable automatic drivers updating on domain computers in a particular OU. We have to modify the SearchOrderConfig parameter in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching.
The registry settings are available in the Computer and User configurations GPO section. Note that depending on the registry hive (HKEY_LOCAL_MACHINE / HKEY_CURRENT_USER), you must apply the settings through the Computer or User configuration GPP, respectively.
There are three options for selecting the registry key on the target PCs:
- Registry Wizard — allows you to use a local remote computer as a reference with the built-in GPP registry browser;
- Collection Item — creates and organizes registry items in a folder. Useful if you need to add a group of registry keys;
- Registry Item — allows you to manually change a single registry key, parameter name, or value.
Lets’ try to use the GPO Registry Wizard to set the registry parameter value:
- Open the Group Policy Management Console (gpmc.msc);
- Create a new (or edit an existing) GPO, and link it to the appropriate Active Directory OU. After that, switch it to the GPO Edit mode;
- Expand the following GPO section: Computer (or User) Configuration > Preferences > Windows Settings > Registry. Select in the context menu: New > Registry Wizard;
- Registry Wizard allows you to browse the registry on a local computer. You can connect to the registry on the remote computer, and select the existing registry key and parameter;
- Specify the remote computer name (or an IP address) to connect. Use the Registry Browser tree to locate and select an existing registry key/parameter;
- In this example, we want to add only one registry item to our GPP — REG_DWORD parameter named SearchOrderConfig;
- This parameter with the full reg path and value will be imported into the GPO editor console. You can change its value and the desired action. To set a specific registry parameter value, use the Update option (look below);
- This completes the registry policy setting. The next time Group Policy is updated on computers (or after running the gpupdate command), the specified registry settings will be applied on all computers in the OU.
You can also type the full registry key path and a parameter name manually:
- Select New > Registry Item;
- In the following fields (Hive, Key path, Value type, Value data) you have to specify the registry hive (HKLM, HKCU, etc.); registry key; parameter name, type, and value;
Note. You can use the following Hive names: HKEY_CLASSES_ROOT (HKEY_LOCAL_MACHINE\Software\Classes), HKEY_CURRENT_CONFIG (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current), HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER (HKEY_USERS\.Default will be used if you’ll set HKCU registry key using Computer Configuration Policy); HKEY_USERS — affects individual user profiles.
- As a default, set the policy option to the Update mode.
There are 4 types of operation with the registry items:
- Create — creates a registry parameter. If the parameter already exists, the value does not change;
- Update (default) — if the parameter already exists, its value will be updated with the specified in the GPP. If not, a parameter with the specified value will be created;
- Replace — if the registry item already exists, deletes and recreates the registry item (rarely used). If the reg key or value does not exist, a new registry entry will be created. If the target item is a registry key, this option will remove all parameters and subkeys, leaving only a default value name with no data. If the target item is a registry value, the Replace action will overwrite any existing settings;
- Delete — removes a registry key and all of its values and subkeys.
There are many useful options on the Common tab:
- Run in logged-on user’s security context — the registry parameter is created in the context of the current user. If you check this option, the parameter will be created with the current user permissions. If the user doesn’t have local admin permissions, the policy will be applied only to the HKEY_CURRENT_USER hive. But not to the HKEY_LOCAL_MACHINE;
- Remove this item when it is no longer applied — if you unlink GPO from the AD container, the changed registry settings will return to their initial state;
- Apply once and do not reapply — apply the policy for each computer only once;
- Item-level targeting — can be used to target registry settings via GPP based on computer settings, and/or AD group membership at a granular level.
The final report with policy settings in the GPMC console looks like this:
Note. In Windows XP and Windows Server 2003, the GPP section is absent. To add it to the OS, you have to install the KB943729 update (client-side extensions for Group Policy).
How to Delete Registry Entry Using the Group Policy Preferences?
You can also use GP Preferences to remove a specific key or registry entry on computers in a domain.
For example, you want to delete a certain parameter in the registry key HKEY_CURRENT_USER.
- Create a new registry GPP entry in the section User Configuration > Preferences > Windows Settings > Registry;
- Use the Registry Browser to select a parameter or key;
- Expand the registry key in the GPO console. Open the parameter properties, and change the Action to Delete;
- Save the changes;
- Now, after updating the group policy settings on clients, the specified parameter will be deleted from the user’s registry hive.
Tip. If you receive Network Path not found error when viewing the registry of a remote computer using Registry Browse, check if the specified computer is accessible over the network. Also, check if the Remote Registry service is running (this service is disabled by default). If not, use the Services console (services.msc) to start the service.
Or you can remotely check service status and enable it using the following PowerShell commands:
$remoteservice=get-service RemoteRegistry -ComputerName PC2212ba $remoteservice| Set-Service -StartupType Manual $remoteservice| start-service
How to Deploy a Reg File on Domain Computers Using GPO?
Let’s consider another scenario that can be used when you need to deploy a reg file with a large number of registry settings to all computers in the domain. Instead of creating individual registry settings manually in the GPP editor, you can import the reg file with the settings via the GPO startup script.
- Export the registry key contents on the reference computer to a reg file. To do this, start the registry editor (regedit.exe), right-click on the registry key, and select Export. Specify the name of the file you want to save the contents of the registry key;
- You can open this reg file with any text editor and edit it manually. Remove empty registry key, edit parameter values (if necessary), and add new keys or parameters;
- Start the Group Policy Management console, create a new GPO and link it to the OU with computers (if you want to apply the parameters from the HKLM registry hive);
- Go to the following GPO section: Computer Configuration > Windows Settings > Scripts > Logon;
- Click the Add button to add a new Startup script.
- In the next window, click on the Browse button and copy your reg file to this directory (\\domain-name\Sysvol\domain-name\Policies\…);
- Specify the following parameters of the logon script:
Script Name: regedit.exe Script Parameters: /s your_reg_file.reg
- Save changes to the policy;
- Registry settings from your reg file will be applied on all computers in the specified OU after reboot.
Assigning Registry Key Permissions via Group Policy
Also, you can assign permissions (ACLs) to registry keys using Windows Group Policy. This feature may be useful when you grant a user permission to system-protected registry keys or want to prevent non-administrator users from changing certain registry keys.
- Create a new GPO or edit an existing one;
- Expand the following Group Policy section: Computer Configuration > Windows Settings > Security Settings > Registry;
- Right-click in the right pane and select Add key;
- Use the built-in Registry Browser to select the local registry key you want to assign an ACL to. If you want to set permissions for a registry key that is missing on current computer, you will need to install the GPMC snap-in and edit the GPO from the computer that has this key;
- The Database Security for <KeyName> dialog will open. Here you can change the ACL for this registry key. In our case, we granted Full Control (Read + Write + Change) permissions to the Chrome registry key for the caWKSPowerUsers Active Directory group. By default, this ACL is not inherited to nested subkeys. If you want to enable permission inheritance, click the Advanced > Enable Inheritance button;
- Save changes by clicking OK. You will see the Template Security Policy Settings dialog window. Here you can force your ACL to apply to all subkeys of the target key (Propagate inheritable permissions to all subkeys) or force new ACL only to subkeys that inherit from the target key (Replace existing permissions on all subkeys with inheritable permission). Or, you can enable the “Do not allow permissions on this key to be replaced” option to prevent editing ACL on this reg entry;
- Close the GPO editor window. Registry permissions will be applied the next time you restart target client computers.