Add, modify and delete Registry keys using Group Policy

The settings of most applications and many Windows features are not available for centralized management through Group Policy (GPO). However, you can customize their settings through the registry. In this article, we will show you how to use Group Policy to manage, add, modify and delete registry keys across a domain.

Normally, Group Policy does not provide a built-in way to manage arbitrary registry keys, so administrators had to use labor-intensive methods such as creating their own administrative GPO templates (.adm/.admx) or logon scripts.

In Windows Server 2008, Microsoft introduced a Group Policy extension: Group Policy Preferences (GPP). GPP includes registry settings, which allow you to add, remove or modify key values. Let’s review these possibilities in detail.

Let’s say we need to disable automatic driver updates on all PCs in a particular OU. We have to modify the SearchOrderConfig key in the registry branch


There are two options for specifying the registry key for the target PCs: browse the registry of a remote PC with the registry browser built into the GPP console, or specify the branch and the key manually.

Consider the first method:

  1. Open Group Policy Management Console (gpmc.msc)
  2. Create a new (or edit an existing) GPO and assign it to the appropriate Active Directory Organizational Unit. After that switch it to edit mode
  3. Expand Computer (or User) Configuration -> Preferences -> Windows Settings -> Registry. In the context menu, select New -> Registry Wizard
  4. Registry Wizard allows you to connect to the registry on the remote machine and select the existing registry key
  5. Specify the remote computer to connect to it and select an existing key/registry branch
  6. Using the browser, select the remote registry key or registry keys that you want to set via GPO
  7. In our example, we want to import only one key into the GPP: SearchOrderConfig
  8. This key is imported into the GPP console. You can change its value and the desired action (see below)
  9. The creation of the GPP policy is completed. After a while, this key will be created on all domain computers

Let’s consider the second method:

  1. Select New > Registry Item
  2. In the following fields (Hive, Key path, Value type, Value data) you have to specify the registry section, registry branch, name, type and value of the key
  3. By default, set the key in Update mode.

There are 4 types of operation on keys:

  • Create – creates a registry key. If the parameter already exists, its value does not change
  • Update (default) – if the parameter already exists, its value is updated to the one specified in the GPP. If not, it is created
  • Replace – if the registry element already exists, it is deleted and re-created (rarely used)
  • Delete – the key is removed
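The second method and the four actions above can also be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original article: the GPO name, OU, value type and value data are assumptions, and the key path is a placeholder you must replace with the real registry branch.

```powershell
#Requires -Modules GroupPolicy
# Added example: scripted equivalent of "New > Registry Item" (second method).
# All defaults below are placeholders or assumptions; replace them before running.
param(
    [string]$GpoName   = 'Example - Driver Update Setting',         # hypothetical GPO name
    [string]$TargetOu  = 'OU=Workstations,DC=example,DC=com',       # hypothetical OU
    [string]$KeyPath   = 'HKLM\<registry branch for your setting>', # placeholder, not a real path
    [string]$ValueName = 'SearchOrderConfig',
    [Microsoft.Win32.RegistryValueKind]$ValueType = 'DWord',        # assumed value type
    [int]$ValueData    = 0,                                         # constructed sample value
    [ValidateSet('Create', 'Update', 'Replace', 'Delete')]
    [string]$Action    = 'Update'                                   # Update is the GPP default
)

# Refuse to run while the key path is still the placeholder.
if ($KeyPath -match '[<>]') { throw 'Set -KeyPath to the real registry branch first.' }

# Reuse the GPO if it already exists, otherwise create it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Registry preference managed by script' }

# Link the GPO to the OU only if it is not linked there yet.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) { New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null }

# Build the preference item. Type and Value are optional parameters and are
# omitted for Delete, which only needs the key and the value name.
$item = @{
    Guid      = $gpo.Id
    Context   = 'Computer'   # Computer Configuration -> Preferences -> Registry
    Key       = $KeyPath
    ValueName = $ValueName
    Action    = $Action
}
if ($Action -ne 'Delete') { $item.Type = $ValueType; $item.Value = $ValueData }
Set-GPPrefRegistryValue @item | Out-Null

# Read the item back from the GPO to confirm what will be pushed to clients.
Get-GPPrefRegistryValue -Guid $gpo.Id -Context Computer -Key $KeyPath -ValueName $ValueName |
    Format-List
```

On a target PC, `gpupdate /target:computer /force` followed by `gpresult /r /scope computer` shows whether the GPO has been applied.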

There are a number of useful options on the Common tab:

  • Run in logged-on user’s security context – the key is created in the context of the current user. In that case, if the user does not have administrator rights, the item cannot be written to the system branches.
  • Remove this item when it is no longer applied – if the policy no longer applies to the client, the key is removed automatically.
  • Apply once and do not reapply – the policy is applied to each PC only once.
  • Item-level targeting – more precise targeting of policies to clients.

The final report with policy settings in the GPMC console looks like this.

[Screenshot: registry report]

Note. In Windows XP and Windows Server 2003 the GPP section is absent. To add it to the OS, you have to install the KB943729 update (client-side extensions for Group Policy).
