Installing registry hack on multiple PCs ?

John

We'd like to modify the registry on multiple PCs on our Win2000 domain.

What's the easiest way to accomplish this ? Scripting ? Third-party software
to push out the .reg file and run it locally ? Group policy ? Resource Kit
?

Any useful suggestion much appreciated.
 
Pegasus (MVP)

John said:
We'd like to modify the registry on multiple PCs on our Win2000 domain.

What's the easiest way to accomplish this ? Scripting ? Third-party software
to push out the .reg file and run it locally ? Group policy ? Resource Kit
?

Any useful suggestion much appreciated.

The simplest way would be to include this command in
your netlogon batch file:

regedit /s \\YourServer\netlogon\sample.reg

You may need to check your permissions.
 
David H. Lipman

From: "John" <[email protected]>

| We'd like to modify the registry on multiple PCs on our Win2000 domain.
|
| What's the easiest way to accomplish this ? Scripting ? Third-party software
| to push out the .reg file and run it locally ? Group policy ? Resource Kit
| ?
|
| Any useful suggestion much appreciated.
|

Via the login script such as...

regedit /s fixRegistry.reg
 
John

I created the login script, associated it with the user, logged on as the
user, but then immediately got the following error:

*Registry Editor*

Cannot import disablePST.reg : not all data was succesfully written to the
registry. Some keys are open by the system or other processes.
 
David H. Lipman

From: "John" <[email protected]>

| I created the login script, associated it with the user, logged on as the
| user, but then immediately got the following error:
|
| *Registry Editor*
|
| Cannot import disablePST.reg : not all data was succesfully written to the
| registry. Some keys are open by the system or other processes.
|
| -----------
|
| Needless to say the desired change did not take effect. Since the user had
| no local admin rights, could that be the cause ? If that's what it is, I
| don't see how it will work for the regular domain users.

Have you tried...

RUNAS [/profile] [/env] [/netonly] /user:<UserName> regedit /s fixRegistry.reg


http://www.microsoft.com/windows200...nced/help/windows_security_runas_shortcut.htm
 
Pegasus (MVP)

I mentioned in my first reply that you may have to check if
your users have sufficient access rights to make the change.
If this is not the case then you can implement the change as
an administrator from your own workstation, using psexec.exe
(www.sysinternals.com).
 
John

I modified the script to use RUNAS. Now the only problem is that it prompts
for the admin password in the command line window.

This, of course, defeats the purpose, because the user doesn't know the
admin password, and therefore the script won't run.

Otherwise, the script runs fine when I provide the correct password.


David H. Lipman said:
From: "John" <[email protected]>

| I created the login script, associated it with the user, logged on as the
| user, but then immediately got the following error:
|
| *Registry Editor*
|
| Cannot import disablePST.reg : not all data was succesfully written to the
| registry. Some keys are open by the system or other processes.
|
| -----------
|
| Needless to say the desired change did not take effect. Since the user had
| no local admin rights, could that be the cause ? If that's what it is, I
| don't see how it will work for the regular domain users.

Have you tried...

RUNAS [/profile] [/env] [/netonly] /user:<UserName> regedit /s fixRegistry.reg

http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/windows_security_runas_shortcut.htm
 
David H. Lipman

From: "John" <[email protected]>

| I modified the script to use RUNAS. Now the only problem is that it prompts
| for the admin password in the command line window.
|
| This, of course, defeats the purpose, because the user doesn't know the
| admin password, and therefore the script won't run.
|
| Otherwise, the script runs fine when I provide the correct password.
|

I was afraid of that !

Sorry, I am out of ideas. :-(
 
Pegasus (MVP)

If you're prepared to violate basic security principles
then you can use sanur.exe. It lets you pipe a password
into the command.
http://www.commandline.co.uk/sanur/


John said:
I modified the script to use RUNAS. Now the only problem is that it prompts
for the admin password in the command line window.

This, of course, defeats the purpose, because the user doesn't know the
admin password, and therefore the script won't run.

Otherwise, the script runs fine when I provide the correct password.


David H. Lipman said:
From: "John" <[email protected]>

| I created the login script, associated it with the user, logged on as the
| user, but then immediately got the following error:
|
| *Registry Editor*
|
| Cannot import disablePST.reg : not all data was succesfully written to the
| registry. Some keys are open by the system or other processes.
|
| -----------
|
| Needless to say the desired change did not take effect. Since the user had
| no local admin rights, could that be the cause ? If that's what it is, I
| don't see how it will work for the regular domain users.

Have you tried...

RUNAS [/profile] [/env] [/netonly] /user:<UserName> regedit /s fixRegistry.reg
http://www.microsoft.com/windows200...nced/help/windows_security_runas_shortcut.htm
 
Jerold Schulman

We'd like to modify the registry on multiple PCs on our Win2000 domain.

What's the easiest way to accomplish this ? Scripting ? Third-party software
to push out the .reg file and run it locally ? Group policy ? Resource Kit
?

Any useful suggestion much appreciated.

See tip 9808 » PolicyMaker™ Registry Extension freeware.
in the 'Tips & Tricks' at http://www.jsifaq.com

or see tip 9091 » LSRunAsE is a donationware RunAs utility with an encrypted password.



Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
 
Guest

John said:
We'd like to modify the registry on multiple PCs on our Win2000 domain.

What's the easiest way to accomplish this ? Scripting ? Third-party software
to push out the .reg file and run it locally ? Group policy ? Resource Kit
?

Any useful suggestion much appreciated.

An alternative to a logon script would be to place the command in a
Group Policy startup script.

Startup scripts usually have more rights to certain HKLM registry keys
as they run under the system account.

HTH

Ha®®y

(e-mail address removed)
 
Fran

You can take the expensive way out and buy PolicyMaker from
DesktopStandard. A more rewarding way might be to understand how to
create your own admin templates:

http://support.microsoft.com/?kbid=323639

This is for Windows 2000 but the same technique applies to Windows
2003. This is a way to extend Group Policy items to include your
registry hacks.

-Fran-
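
The administrative-template approach described in the post above, shown as an added example that is not taken from the thread or from the linked Microsoft article: a minimal custom .adm file that exposes one registry value as a Group Policy setting. The key path, value name and display strings are placeholders; the real ones come from the .reg file you want to deploy.

```adm
; Added example: custom administrative template (.adm) for one registry value.
; The key path, value name and all strings below are placeholders, not values
; from the thread. Take the real key and value from the .reg file to deploy.

; CLASS USER writes under HKEY_CURRENT_USER; use CLASS MACHINE for
; HKEY_LOCAL_MACHINE settings.
CLASS USER

CATEGORY !!CustomCategory

    POLICY !!ExamplePolicy
        ; Keys under Software\Policies are treated as true policies: they
        ; are removed when the GPO stops applying, and standard users cannot
        ; overwrite them. A key elsewhere is a "preference" that stays in
        ; the registry (tattoos) and is hidden by default in the editor.
        KEYNAME "Software\Policies\ExampleVendor\ExampleApp"
        EXPLAIN !!ExampleExplain
        VALUENAME "ExampleSetting"
        ; Enabled writes REG_DWORD 1, Disabled writes REG_DWORD 0.
        VALUEON  NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

END CATEGORY

[strings]
CustomCategory="Custom registry settings (example)"
ExamplePolicy="Example setting"
ExampleExplain="Placeholder text describing what the setting does."
```

Load the file in the Group Policy editor through Administrative Templates > Add/Remove Templates. The value is then written by Group Policy processing itself, so no administrator password has to be stored in or piped into a logon script.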
 
Fran

Sanur no longer exists. The program is now CPAU.

http://www.joeware.net/win/free/tools/cpau.htm


However, all of these are bad approaches if you're trying to keep your
systems secure. While CPAU allows you to save the script as an
encrypted file and load it (it does work well, by the way) it's not
the right approach for registry hacks on client machines.

I published a link in this thread about creating adm templates.
There's a good article at TechNet about creating administrative
template files and using them to extend group policy items. Worthy
reading!

-Fran-
 
Eric Voskuil (MVP)

My pleasure Fran. PolicyMaker is a line of products currently consisting of
24 various extensions to Group Policy. You were probably thinking of the
PolicyMaker Standard Edition (PMSE) package of 21 extensions, which includes
the Registry Extension. Even in PMSE, the Registry Extension operates
independently of the others and is completely free. It's actually the same
extension as the single one included in the PolicyMaker Registry Extension
(PMRE) free product.

You probably know all of this, but for those who are looking to solve this
problem...

The security and management model is exactly the same as with ADM
templates, but instead of editing templates, you are simply browsing to
settings, either locally or remotely, can access any registry type and
location, filter each individual setting using any combination of 25
graphical filters, generate and embed variables into values, enable/disable
tattooing, document each setting in the policy, export and import settings
to/from XML using drag and drop, RSoP planning and logging fully supported,
and it's integrated with GPMC backup and restore (and the free GPOVault
change control extension to GPMC).

There's really no reason to ever hack an ADM template again, but I must
admit I am a little biased.

Best,

Eric
 
Fran

What I saw in the demo was truly nice! Without a doubt some wonderful
features in PMSE!

However, there are two reasons I can think of to hack ADM templates:
1) Experience. The more you work with these the better you know how
to extend the functionality of the OS. True it's somewhat involved but
once you know it you can do anything ANYWHERE
2) Cost: I handle many clients (subcontracted LAN admin.) so I don't
have the luxury of purchasing and installing and using PMSE on most of
my client's networks.

I like these types of tools but it's always best to know the OS's
flavor of tools, too, so you're not out in the cold when you don't
have the luxury of using these third party ones.
 
Guest

I have installed Policy Maker Reg. extn on my test machine. Upon reading the
document it says I have to distribute polregcl.msi (CSE) package to all the
clients. In my case I have few thousands. My question is, is there a way
to implement a registry change without installing a client program on all
clients ?

Anyone successful in creating the adm to disable PST option in Outlook v200x.

Thanks
 
