In this article, we will look at how to use Group Policy (GPO) to centrally create, modify, import and delete any registry keys on domain-joined computers.
There was no built-in feature to manage registry parameters in classic GPOs. Therefore, administrators had to create their own administrative .adm/.admx templates or .bat files for logon scripts (a .reg file is imported using the reg import command) to manage registry keys and parameters centrally via GPO.
In Windows Server 2008, Microsoft released a group policy extension called Group Policy Preferences (GPP). A new section appeared in the Group Policy console that allows administrators to configure (create / edit / delete) any registry parameter or key and deploy this setting to all domain computers. Let’s look at these features in detail.
Suppose you want to disable automatic driver updates via the registry on computers in a specific AD domain organizational unit (OU) by changing the value of the SearchOrderConfig parameter in the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching. There are two ways to set a registry parameter on target computers: using a remote registry browser integrated into the GPP console, or manually by specifying the path to the registry key, parameter name and value.
Remote Registry Browser in GPO
Let’s start with the first method:
- Open the Group Policy Management console (gpmc.msc);
- Create a new (or edit the existing) GPO, link it to the necessary container (OU) in AD with the computers (or users) on which you want to deploy the registry key and go to the policy edit mode;
- Expand the GPO section Computer (or User) Configuration -> Preferences -> Windows Settings -> Registry and select New -> Registry Wizard in the context menu;
- The Registry Wizard allows you to connect to the registry on a remote computer and select the existing registry key;
- Specify the remote computer name you want to connect to;
  Note. If the error The network path was not found appears when you try to connect to a computer through the Registry Browser, most likely this remote computer is turned off, access to it is blocked by a firewall or the Remote Registry service is not started on it. To start the service manually, run these commands on the remote computer:
  sc config remoteregistry start= demand
  net start remoteregistry
- Using the Remote Registry browser, select all the registry parameters that you want to deploy through the GPO;
  Note. This browser allows you to select only reg keys from the hives HKEY_LOCAL_MACHINE and HKEY_USERS on a remote computer. If you need to set the keys contained in other registry hives, you need to install RSAT on the remote computer. Then run the gpmc.msc console on this computer and use the same procedure to select the required registry keys.
- In our example I want to import only one registry parameter to the GPP — SearchOrderConfig;
- The specified registry entry is imported into the GPP console along with the reg path (a registry tree appears in the group policy console) and current value (0). Later, you can change its value and the desired action (this is covered below);
- Thus, you have created a group policy to deploy your registry key. The next time Group Policy settings are updated on target computers, the value of the SearchOrderConfig registry parameter on them will change to 0 (if the policy doesn’t apply on the client, you can use the GPResult tool for diagnostics).
If this GPO is removed or unlinked from the AD container, or the target computer is moved to another OU, the value of the registry parameter won’t return to its original (default) value, as it would with regular GPO policy settings.
How to Manually Create/Edit a Registry Key using Group Policy?
You can create, edit or remove the value of the specific registry parameter using GPP by specifying the registry key path and value manually.
- To do it, select Registry -> New -> Registry Item;
- Fill the following fields in accordance with the data of the registry parameter that you want to change: Hive, Key Path, Value Name, Value type, Value data;
- By default, the registry setting that is configured through the GPO is set to the Update mode.
Four types of actions are available in GPO for registry keys:
- Create – creates a registry key. If the parameter already exists, its value is not changed;
- Update (by default) – updates the value of an existing parameter according to the GPP. If the registry parameter doesn’t exist, it will be created automatically (as well as the registry key in which it should be located);
- Replace – deletes and recreates the registry item anew (rarely used);
- Delete – deletes a reg key.
There are a number of other useful features in the Common tab:
- Run in logged-on user’s security context (user policy option) — a registry key is created only in the current user context (it is possible only for GPP in the user section of the GPO). If a user doesn’t have administrator privileges, they won’t be able to write anything to the protected system registry keys;
- Remove this item when it is no longer applied – if the policy is no longer applicable to a client, the key is automatically deleted;
- Apply once and do not reapply – a policy is applied to a client (user or computer) only once. Later it won’t be reapplied. If after applying the GPO, the user manually changes the value of the registry parameter, the policy won’t override its value on the next policy update cycle;
- Item-level targeting – lets you target the policy at clients more precisely (you can target the policy to a specific IP, subnet, computer name, or computers with certain characteristics, i.e. you can configure policy enforcement similar to the GPO WMI filters). For example, you can specify that the registry parameter should be applied to computers running Windows Server 2012 R2 in the AD OU named Servers.
Here’s how the final policy settings look in the GPMC console (Settings tab).
Import .reg file into GPO
GPP allows the administrator to easily import a .reg file with several registry settings into Group Policy. But to do this, the reg file must be converted to the XML format (Group Policy Editor allows you to import files only in XML format).
For example, you have a reference computer on which some settings are configured through the registry. You can export these settings to a REG file by right-clicking on the reg key name in regedit.exe and selecting Export.
Save the registry key settings to the reg file.
If your reg file contains data from different registry hives (HKLM, HKCU, HK_CLASSES), you need to divide them into separate reg files.
Next, you need to convert this REG file to the XML format. You can convert reg -> xml using the online service https://www.runecasters.com.au/reg2gpp or with the PowerShell script RegToXML.ps1 — https://gallery.technet.microsoft.com/scriptcenter/Registry-To-GroupPolicyPref-9feae9a3.
The resulting XML file must be copied in File Explorer and pasted into the Registry section in the Group Policy editor.
As a result, all registry settings that you imported will appear in the Group Policy console and will be applied to the target computers in the domain.
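Before a GPO built this way (by hand with one of the four actions, or from an imported XML file) is linked to production OUs, it helps to list exactly which registry values it will write or delete. The following PowerShell sketch is an added example, not part of the original article or of any Microsoft tool: the function name Get-GppRegistryItem and the ExampleVendor keys are hypothetical, the sample XML is constructed, and it assumes the action, hive, key, name, type, value and removePolicy attributes as GPP stores them in Registry.xml.

```powershell
# Constructed sample in the shape GPP stores under
# <GPO>\Machine\Preferences\Registry\Registry.xml (clsid/uid attributes omitted).
$sampleXml = @'
<RegistrySettings>
  <Collection name="DriverSearching">
    <Registry name="SearchOrderConfig">
      <Properties action="U" hive="HKEY_LOCAL_MACHINE"
        key="SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching"
        name="SearchOrderConfig" type="REG_DWORD" value="00000000"/>
    </Registry>
  </Collection>
  <Registry name="ExampleSetting" removePolicy="1">
    <Properties action="R" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\ExampleVendor\App"
      name="ExampleSetting" type="REG_SZ" value="on"/>
  </Registry>
  <Registry name="OldSetting">
    <Properties action="D" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\ExampleVendor\App"
      name="OldSetting" type="REG_SZ" value=""/>
  </Registry>
</RegistrySettings>
'@

function Get-GppRegistryItem {
    param(
        [Parameter(Mandatory)][xml]$Xml,
        [string]$Source = 'inline sample'
    )
    # Single-letter codes for the four GPP actions described above.
    $actions = @{ C = 'Create'; U = 'Update'; R = 'Replace'; D = 'Delete' }
    # '//Registry' also matches items nested in <Collection> folders (the wizard's registry tree).
    foreach ($item in $Xml.SelectNodes('//Registry')) {
        $p = $item.SelectSingleNode('Properties')
        if (-not $p) { continue }              # skip malformed items
        $code = $p.GetAttribute('action')
        if (-not $code) { $code = 'U' }        # assumption: no action attribute means default Update
        [pscustomobject]@{
            Action               = $actions[$code]
            Path                 = '{0}\{1}' -f $p.GetAttribute('hive'), $p.GetAttribute('key')
            ValueName            = $p.GetAttribute('name')
            Type                 = $p.GetAttribute('type')
            Data                 = $p.GetAttribute('value')
            RemoveWhenNotApplied = ($item.GetAttribute('removePolicy') -eq '1')
            Source               = $Source
        }
    }
}

Get-GppRegistryItem -Xml $sampleXml | Format-Table -AutoSize
```

To review real policies, pass the content of each Registry.xml found in a GPO's Machine\Preferences\Registry or User\Preferences\Registry folder in SYSVOL, and look first at the Replace and Delete rows and at anything marked RemoveWhenNotApplied.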