Local Policy Update Using Remote Registry Edit

Guest

I'm trying to remotely add an IP address to the Remote Administration
settings [domain/local] on several Windows XP SP2 [with firewall enabled] on
my network so I can make some remote adjustments to the Windows firewall
using "netsh" to ultimately run an install executable for a new AV software
agent. I found what I believe to be the appropriate Registry keys associated
with these network settings [see below] and have been able to remotely update
the Registry, but this hasn't updated the local policy on the computer. I've
tried performing a "gpupdate" and rebooting the system. Obviously I'm
missing something or there are additional Registry keys that need to be
edited or some other mechanism to update the local policy by editing the
Registry unless this is a unidirectional process [e.g. local policy edit ->
Registry change only, not vice-versa]. I'm trying to avoid having to locally
edit each workstation to make these changes, which brings up a few questions:

1) Is there a way to remotely edit the local group policy of a Windows XP
computer remotely over the network [without AD]?

2) Will remote editing of the Registry alter the local group policy of a
machine and if so how is this accomplished?

Your suggestions are greatly appreciated...

Bob

P.S. Here are the Registry keys I edited:

Domain Policy

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!Enabled,
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!RemoteAddresses

Local Policy

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings!Enabled,
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings!RemoteAddresses
 
Steven L Umbach

Keep in mind that domain profile settings apply only when domain computers
are connected to a network where they can find and access a domain
controller. You can edit local Group Policy remotely by selecting the mmc
snapin for Group Policy and selecting - another computer. Of course you
need to be a local administrator on the computer you want to do this to. I
find it always best to edit Group Policy instead of registry settings. You
can edit a registry setting [it does NOT edit Group Policy] and it should
work until the computer reapplies its Group Policy settings if that setting
is defined. Group Policy administrative template registry settings are
stored in the \Windows\system32\grouppolicy\user or machine\registry.pol
file.

Steve
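
Steve's point that administrative template settings live in registry.pol, and that a direct registry edit is not a policy edit, can be checked from the file itself. The following is an added example, not part of the original thread: it parses registry.pol (PReg) records and reports whether local policy sets, deletes, or leaves unconfigured the RemoteAdminSettings values Bob edited. The function names and the sample file contents are constructed for illustration; on a real machine the bytes would be read from the machine\registry.pol path Steve gives.

```python
import struct

REG_SZ, REG_DWORD = 1, 4
RA_KEY = r"SOFTWARE\Policies\Microsoft\WindowsFirewall\{}\RemoteAdminSettings"

def u16(text):
    return text.encode("utf-16-le")

def build_entry(key, value, reg_type, data):
    """Encode one [key;value;type;size;data] record (only used to build the sample)."""
    return b"".join([u16("["), u16(key + "\0"), u16(";"), u16(value + "\0"), u16(";"),
                     struct.pack("<I", reg_type), u16(";"),
                     struct.pack("<I", len(data)), u16(";"), data, u16("]")])

def decode(reg_type, raw):
    """Turn the common value types into Python values; leave others as bytes."""
    if reg_type == REG_DWORD and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    if reg_type == REG_SZ:
        return raw.decode("utf-16-le").rstrip("\0")
    return raw

def parse_registry_pol(blob):
    """Return (key, value, type, data) tuples from a version 1 registry.pol image."""
    if len(blob) < 8 or blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version 1 registry.pol file")
    pos, entries = 8, []

    def take(count):
        nonlocal pos
        chunk = blob[pos:pos + count]
        if len(chunk) != count:
            raise ValueError(f"truncated record at offset {pos}")
        pos += count
        return chunk

    def expect(char):
        if take(2) != u16(char):
            raise ValueError(f"expected {char!r} before offset {pos}")

    def read_string():
        chars = b""
        while (unit := take(2)) != b"\0\0":  # strings are NUL-terminated UTF-16LE
            chars += unit
        return chars.decode("utf-16-le")

    while pos < len(blob):
        expect("[")
        key = read_string()
        expect(";")
        value = read_string()
        expect(";")
        reg_type, = struct.unpack("<I", take(4))
        expect(";")
        size, = struct.unpack("<I", take(4))
        expect(";")
        entries.append((key, value, reg_type, decode(reg_type, take(size))))
        expect("]")
    return entries

def policy_state(entries, key, value):
    """Report whether local policy sets, deletes, or does not configure key\\value."""
    state = ("not configured", None)
    for k, v, _type, data in entries:
        if k.lower() != key.lower():
            continue
        if v.lower() == value.lower():
            state = ("set", data)
        elif v.lower() == "**del." + value.lower():  # policy removes the value
            state = ("deleted", None)
    return state

# Constructed sample image, not taken from a real machine.
SAMPLE = b"PReg" + struct.pack("<I", 1) + b"".join([
    build_entry(RA_KEY.format("StandardProfile"), "Enabled", REG_DWORD, struct.pack("<I", 1)),
    build_entry(RA_KEY.format("StandardProfile"), "RemoteAddresses", REG_SZ, u16("192.0.2.10\0")),
    build_entry(RA_KEY.format("DomainProfile"), "**del.RemoteAddresses", REG_SZ, u16(" \0")),
])

if __name__ == "__main__":
    parsed = parse_registry_pol(SAMPLE)
    for profile in ("StandardProfile", "DomainProfile"):
        for name in ("Enabled", "RemoteAddresses"):
            print(profile, name, policy_state(parsed, RA_KEY.format(profile), name))
```

A value reported as "set" or "deleted" is one that policy reapplication will overwrite if it was changed by hand in the registry; "not configured" means a direct edit is not backed by any policy entry.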
 
Guest

Steve:

Thanks for your reply, but I think I'm still missing something...

When I open the "gpedit.msc" MMC on my administrative workstation, I don't
see any options for connecting to a remote computer. Are there some
additional things that need to be done with the configurational settings of
this MMC to establish connectivity with remote systems? I've also not found
a way to run "gpedit.msc" MMC directly from the remote machine without using
remote desktop, which requires the user to be logged off. There seems to be
a very limited set of command line functionality with "gpedit.msc" that
doesn't include any way to update local policy settings via the command line
[that I've seen].

Bob
--
Robert Lindholm
University of Rochester


Steven L Umbach

Hi Robert.

Try this. Open mmc console and select file - add/remove snapin. Then select
add - Group Policy add. Then select browse and you should see the option for
another computer where you can browse My Network Places or add the computer
name or IP address. Assuming you have the proper network connectivity and
permissions on the other computer you should then be able to edit its local
Group Policy. The remote computer would need to have the Windows Firewall
Exception for either file and print sharing and/or Remote Management from
the IP of your workstation.

Steve


Guest

Steve:

Unfortunately, I'm getting the following error message when I get to the
point of browsing the network within the MMC setup process:

Browse for a Group Policy Object
- The program cannot open the required dialogue box becuase no locations
can be found. Close this message and try again.

Note: This is a repeatable situation.

My administrative workstation and the remote desktop are both joined to the
domain [NT 4.0 not AD] and I have domain admin privilege, although I haven't
tried this process [yet] while logged in as the domain admin.

However, I can browse the network when setting up another MMC console [e.g.
Computer Management, Device Manager, etc.], so this looks like it may be
group policy specific.

Bob

P.S. Am I correct in assuming that I would need to setup an MMC console for
each remote desktop I want to edit group policy on [assuming I can get this
to work] using this scenario?
--
Robert Lindholm
University of Rochester


Steven L Umbach

What I would try is to specify the IP address of the computer you want to
try and manage if browsing does not work. And yes if it works you will need
to do that for each computer. AD would make things a whole lot easier but
unfortunately you are not there yet. I don't know if this will help if GP
does not work as expected but you can use psexec from SysInternals/Microsoft
to access the command line of remote computers assuming you have proper
network connectivity. You may be able to figure out a way to use it for what
you need. Check it out at the link below and the syntax and capabilities of
it including its ability to use @file to run commands on multiple
computers.

Steve

http://www.sysinternals.com/Utilities/PsExec.html

Guest

Steve:

I was able to use the remote desktop's UNC path and the IP address to setup
the group policy MMC [I should have tried that], so it looks like this is
going to work for me and yes you're right AD would certainly make group
policy management easier.

Also, I am familiar with the PSTools set of commands and actually used
psexec to adjust the Windows firewall permissions using netsh.

Thanks again for your assistance with this issue... it's greatly appreciated.

Bob
--
Robert Lindholm
University of Rochester

