distribute .reg file with Group Policy

Guest

I am having some difficulty pushing out a .reg file in a startup script. It
seems to only work sporadically, or not at all. Can someone help me with
troubleshooting ideas?

thanks.
 
Mark Heitbrink [MVP]

Chris said:
I am having some difficulty pushing out a .reg file in a startup script. It
seems to only work sporadically, or not at all. Can someone help me with
troubleshooting ideas?

convert it to an ADM template.

common problems with .reg files:
- no permissions to add a HKLM entry as a user
- script runs async. The import happens too late, e.g. if
you manipulate the explorer, the program starts before the
script finishes.

Solutions:
- make users local admins ... argh, don't do that! Just kidding.
- compconf\admtempl\system\scripts
"Run Scripts synchronously"

Or just use an ADM template.

Mark
 
Guest

thanks for the suggestion with the ADM template. If I am trying to update
the registry HKLM\software\microsoft\office\11.0\outlook with a new dword,
what is the syntax for the adm?
 
Mark Heitbrink [MVP]

Hi,

Chris said:
thanks for the suggestion with the ADM template. If I am trying to update
the registry HKLM\software\microsoft\office\11.0\outlook with a new dword,
what is the syntax for the adm?

http://www.oreilly.de/catalog/winsyspe/chapter/ch08.html

can look like this:

CLASS MACHINE

CATEGORY "Outlook Configuration"
KEYNAME "software\microsoft\office\11.0\outlook"
POLICY "What ever you want to do, with this policy"
VALUENAME "yourDWord"
VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
; or: on=0 and off=1, or: off=DELETE
END POLICY
END CATEGORY

Mark
 
Guest

Hi,

I do this all the time. Works like a Charm.

Put the .reg file in the NETLOGON share. Have a Batch File as a Startup
Script. In the batch file type

regedit /s \\server\netlogon\file.reg

I have about 50 that always work.

Cheers,
Lara
 
Mark Heitbrink [MVP]

Hi,
I do this all the time. Works like a Charm.
Put the .reg file in the NETLOGON share. Have a Batch File as a Startup
Script. In the batch file type
regedit /s \\server\netlogon\file.reg
I have about 50 that always work.

Because:
- no one is editing the HKLM hive
or
- every user in your network has the permission to write to
HKLM (Power User or local Admin) or you manually define permissions
via GPO -> Registry
- the user is allowed to edit the registry in general

Deploying *.reg files in a login script or startup script
can cause failures, there is no general way to say "it always works".

That's why I recommend avoiding them.

Mark
 
Gerry Hickman

Hi
I do this all the time. Works like a Charm.

Put the .reg file in the NETLOGON share. Have a Batch File as a Startup
Script. In the batch file type

regedit /s \\server\netlogon\file.reg

I have about 50 that always work.

Your network security probably isn't very good in that case - note he
says he wants to deploy HKLM.
 
Gerry Hickman

Hi,

If I'm doing HKLM, I usually just do it overnight using WMI as I don't
like Machine policies, but there's one advantage to Machine policies -
they will also be applied to newly built machines automatically.
 
Guest

Hi,

Actually, IF you are deploying it as a Logon Script, it will only work with
the HKLUser Key. IF you deploy it as a Startup Script it WILL modify the
HKLMachine key with absolutely no problems because it uses the SYSTEM account
and not a local user account. I again have about these batch files-reg files
that do everything from turning the Numlock Key on to setting the Desktop
behind the CTRL-ALT-Del sign to adding registry keys for Applications that
need specific keys modified.

I also use VBScript files to Modify the Registry but they won't work
reliably as Start-up Scripts. The reason that VBScript won't work is simply
because the VBScript engine doesn't load until after the startup scripts.
That is why VBScript Startup scripts are unreliable. I use VBScripts solely
for logon scripts.

I have been a network Admin since Windows NT 3.x. Back in those days there
was no such thing as Group Policy and everything had to be done manually so I
scripted pretty much everything with BATCH files.

There is a way to "hack" the registry of local computers using Group Policy.
I use it rarely though. It is in the Local Settings - Registry. Currently I
only use it to set permissions on the Security Tab so my users cannot see the
Security Tab in the properties and set file permissions.

Cheers,
Lara
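
A logging wrapper for the startup-script approach discussed in this thread, added here as an example and not posted by any participant: it uses reg import instead of regedit /s so that failures are recorded, logs the account the script ran under, and confirms the value afterwards. The log path and the checked value name are placeholders; the UNC path and the Outlook key are the ones used as examples above.

```batch
@echo off
rem Added example: startup-script wrapper that imports a .reg file and logs the result.
rem Placeholders: LOG, CHECK_VALUE. REGFILE and CHECK_KEY reuse the thread's sample names.
rem reg.exe ships with Windows XP and later.
setlocal
set "REGFILE=\\server\netlogon\file.reg"
set "LOG=%SystemRoot%\Temp\regimport.log"
set "CHECK_KEY=HKLM\Software\Microsoft\Office\11.0\Outlook"
set "CHECK_VALUE=yourDWord"

rem Record when, where and under which account the script ran. A startup script
rem should show the machine context here, a logon script the logged-on user.
>>"%LOG%" echo ==== %DATE% %TIME% on %COMPUTERNAME% as %USERDOMAIN%\%USERNAME%

rem Step 1: is the .reg file reachable at the moment the script runs?
if not exist "%REGFILE%" (
    >>"%LOG%" echo FAIL: cannot reach %REGFILE%
    exit /b 2
)

rem Step 2: import. regedit /s is silent by design, so a failed import leaves no
rem trace; reg import writes a message and sets ERRORLEVEL, both captured here.
reg import "%REGFILE%" >>"%LOG%" 2>&1
if errorlevel 1 (
    >>"%LOG%" echo FAIL: reg import returned %ERRORLEVEL%
    exit /b 1
)

rem Step 3: confirm that the expected value now exists under the target key.
reg query "%CHECK_KEY%" /v "%CHECK_VALUE%" >>"%LOG%" 2>&1
if errorlevel 1 (
    >>"%LOG%" echo FAIL: %CHECK_VALUE% not found after import
    exit /b 3
)

>>"%LOG%" echo OK: import verified
exit /b 0
```

Because the import runs with the rights of the startup-script account, write access to the .reg file and to the script itself should be limited to administrators.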
 
Guest

Hi Gerry,

Actually, My security is about as tight as you can get it. All my users have
Mandatory Profiles and I have 3000 users who only have "Read" access to the
entire HD of the workstation. I use a XCacls.vbs script to strip all the
"Default" write permissions that are default with Windows XP and give
Users=Read. I then lock them down with Group Policies as well.

If you will read my post, you will notice that I said "Startup" Script, not
Logon Script. Logon Scripts run under the security of the User. Startup
Scripts run under the Security of the SYSTEM account. As long as SYSTEM=Full
Control (default) on the Registry keys the Startup Scripts will run fine.

If this weren't the case then Software Installation wouldn't work and
neither would anything else that runs on startup =).

Give it a shot. The easiest one to test is the Numlock = on key.

Cheers,
Lara
 
Gerry Hickman

Hi Lara,

Sorry I misread the post. I saw the word NETLOGON and assumed "logon
scripts"! Now I can see it says "startup" which (as you say) is completely
different.
 
Mark Heitbrink [MVP]

Hi,
[...] and everything had to be done manually so I
scripted pretty much everything with BATCH files.

I love batch as well, but at the time I learned adm Templates in
NT4 I always try to convert reg to adm. I like the GUI.

At least we can say: No one needs Group Policy. Everything can be
done in a script. ;-)

Mark
 
Guest

Mark Heitbrink said:
I love batch as well, but at the time I learned adm Templates in
NT4 I always try to convert reg to adm. I like the GUI.

Yes, I loved creating my own ADM's for NT 4. I had quite a lot that worked
well. However, when I switched to Windows 2000 I found that they weren't
reliable anymore. Any ADM's that "messed" directly with the registry weren't
liked very much by Windows 2000. I found that if I wrote ones that put the
settings in the "policies" folder (like all the Windows 2000 ADMS) they would
run only sometimes or would change the registry but not have the desired
effect.

For example my Numlock = On at the Ctrl-Alt-Del or for users would put the
correct "2" in the registry but the Numlock key would still stay off. I
think because the registry key 2 had to be there "before" the group policies
actually loaded. I found that and the Bitmapped Wallpaper were just better
to use the Reg keys because the policies were not reliable.

Now I usually just modify the system.adm itself if I want to add a few
settings. However, there are rarely any I want to add. I have Mandatory
Profiles so often I just modify the profile directly by "loading" the hive
rather than creating a Policy.

Cheers,
Lara




 
maverick

hello, jumping in the middle here. i tried your suggestion and .reg
file distribution works perfectly! i've been trying to find out how to
distribute IE-ADS.reg centrally and your post is timely.

however, what is the purpose of storing the .reg file in the NETLOGON
share? could it also be stored in the same location together with the
startup script?
 
Guest

Hi,

I have always found in the past that logon or startup scripts don't run
properly if anywhere but in the Netlogon Share so I have always had them
there. However, maybe that has changed with 2003 Server. I know with 2000
that I had problems getting them to run from just a UNC path to another
location so I just kept them all in one location in the netlogon share. The
Netlogon Share is replicated across all DC's while other shares aren't.

I have been administering my network since it was NT 3.x so I guess old
habits die hard. Try them in another share. If the startup scripts work from
there then the reg file should work just fine.

Cheers,
Lara
 
