A couple of things here "name"... First off there are a couple of different
ways to manage registry setting via Group Policy and they will almost always
come down to custom .adm templates, scripts or a Client Side Extension. .ADM
templates are pretty easy but a bit convoluted and they simply add the
registry setting to the editor in Group Policy and allow you to manage it.
The setting needs to be conversted to a .adm file and then loaded into the
GPOE and then managed on the GPO itself.
Second, you can write a script. There is a lot of registry functionality
that can be accessed through WSH the written into a VBScript or JScript and
deployed through a logon,logoff or startup,shutdown script (depending on
what you are tyring to do).
The Client Side Extension is the way to go and is truly Group Policy. We
offer our registry Client Side Extension free of charge. Fully free. What it
does is put into the GPOE (object editor) an extension to expose the
management capabilities of the registry (in very simple terms). You can
Create, Replace, Update or Delete registry keys, values etc. and you simply
have to drill down to the key in question and put in the value and it will
be deployed to everyone who falls into the scope of the GPO. Very easy UI to
find registry keys etc. Additionally all AutoProf CSEs have a filter control
that has about 25+ settings that can be applied to each policy.
For example, imagine you have some issues with AD replication. There is a
diagnostic value called 'Replication Events' that can be turned on the
capture replication issues. These NTDS diagnostics are stored in
HKLM\CCS\System\NTDS\Diagnostics and the value is "5 Replication Events'. If
the data is a 0 there is no logging and a 5 is a ton of logging. I believe
only odd numbers are valid but can't remember. Anyway, I want to turn
diagnostics up to a level 3 for the domain controllers which are having
issues. I can go to the Domain Controllers OU and create a new GPO or simply
create an unlinked GPO with GPMC and drill down to 'User Settings' (we add
this node) Registry and with the UI drill to the key
HKLM\CCS\System\NTDS\Diagnostics choose Create, Replace, Update, or Delete
and the value. Then I can add the filter to this reg key which can specify,
for example "apply this registry value data to every system this GPO is
applicable to that are within one of these three IP subnets". Then link the
GPO to the target container, in this case the Domain Controllers OU. Collect
data for a couple of house and then in the same setting change to Update and
set the data back to 0. The next Group Policy refresh cycle the logging
setting will reset.
The last thing to mention related to your original note is that Group
Policies are not applied to groups. They are applied to users and computers
that fall within the scope of the GPO (AD hierarchy). AutoProf solutions do
have a 'security group' filter item but the actual target objects need to be
in the path of the GPO.
If interested email me offline and I can walk you through this. I am working
on an evaluator's guide/quick start guide that will be available on our site
shortly.
Kevin Sullivan
(e-mail address removed)
AutoProf...
