In this article, we’ll look at how to use Group Policy (GPO) to centrally create, modify, import, and delete any registry keys and parameters on domain-joined computers.
You can manage registry items using a special GPO extension called Group Policy Preferences (GPP). GPP has a dedicated Registry section where you can centrally create, delete, modify, or update any registry parameter or key and deploy the change to all computers in the domain.
Suppose you want to disable automatic driver updates on all computers in a specific Active Directory OU (Organizational Unit). To do this, you need to change the value of the SearchOrderConfig parameter in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching. You can configure registry settings on target domain computers in two ways: by using the built-in GPP registry browser, or by manually specifying the registry key path, parameter name, and value.
Deploy Registry Items in a GPO by Using the Registry Wizard
The easiest way to make registry changes through a GPO is the Registry Wizard.
- Run the Group Policy Management Console (gpmc.msc);
- Create a new GPO (or edit an existing one), link it to the AD container (OU) that contains the computers (or users) the registry key should apply to, and open the GPO for editing;
- Expand the GPO section Computer (or User) Configuration -> Preferences -> Windows Settings -> Registry and choose New -> Registry Wizard in the context menu;
- The Registry Wizard lets you connect to the registry of a remote computer and select an existing registry key;
- Specify the name of the remote computer you want to connect to;
Note. If the error "The network path was not found" appears when you try to connect to a computer through the Registry Browser, the remote computer is most likely turned off, access to it is blocked by a firewall, or the Remote Registry service is not running. To start the service manually, run these commands on the remote computer:
sc config remoteregistry start= demand
net start remoteregistry
- Use the Remote Registry Browser to locate and select all registry parameters you want to deploy through the GPO;
Note. The registry browser lets you select keys only from the HKEY_LOCAL_MACHINE and HKEY_USERS hives of a remote computer. If you need to set keys from other registry hives, install RSAT on the remote computer, run the gpmc.msc console on that computer itself, and use the same process to select the registry keys you need.
- In this example, I want to import only one registry parameter into GPP: SearchOrderConfig;
- The selected registry entry is imported into the GPP console with its path and current value (0). You can change the value and the desired action (discussed later);
- You have now created a Group Policy that deploys the registry key. The next time Group Policy settings are refreshed on the target computers, the SearchOrderConfig value will be set to 0.
If the policy is not applied on a client, use the gpresult tool for diagnostics.
If this GPO is deleted, unlinked from the AD container, or a target computer is moved to another OU, the registry parameter will not revert to its original (default) value.
How to manually create, edit or delete a registry key using Group Policy?
You can use GPP to create, modify, or delete a specific parameter or registry key by manually specifying the registry item’s path and value.
- Choose Registry -> New -> Registry Item;
- Configure the registry item settings:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching
Value name: SearchOrderConfig
Value type: REG_DWORD
Value data: 00000000
Do not include the hive name in the key path, or an additional subkey will be created in the registry (such as HKEY_HKEY_XXX).
- By default, a registry item configured by the GPO uses the Update action.
There are 4 types of actions available for GPP registry items:
- Create – creates a registry key/parameter. If the parameter already exists, its value is not changed;
- Update (default) – sets the value of an existing parameter to the one specified in GPP. If the registry parameter does not exist, it is created automatically (as is the registry key that should contain it);
- Replace – if the registry parameter/key already exists, it is deleted and recreated (rarely used);
- Delete – deletes the registry item.
There are several other useful options on the Common tab:
- Run in logged-on user's security context (user policy option) – the registry key is created in the context of the current user (possible only for GPP items in the User Configuration section of the GPO). If the user does not have administrator privileges, the policy cannot write anything to protected system registry keys;
- Remove this item when it is no longer applied – if the policy no longer applies to the client, the registry change is automatically removed;
- Apply once and do not reapply – the policy is applied to a client (user or computer) only once and is not reapplied later. If the user manually changes the value of the registry item after the GPO is applied, the policy will not overwrite it on the next policy refresh cycle;
- Item-level targeting – lets you target the policy to clients more precisely (by IP address, subnet mask, computer name, or other computer attributes, similar to WMI filters in a GPO). For example, you can specify that the registry parameter should apply only to computers running Windows Server 2016 in the AD OU named Server.
This is how the resulting Group Policy settings will appear in the GPMC console (on the Settings tab).
GPO: Import registry data from REG file
The GPP Registry extension allows an administrator to import a .REG file containing multiple registry entries into a Group Policy. To do this, the REG file must first be converted to XML (the Group Policy Editor can import files only in XML format).
For example, you have a reference computer on which some settings are configured through the registry. You can export these settings to a REG file by right-clicking the registry key name in regedit.exe and selecting Export.
Save the registry key entries to a REG file.
If your REG file contains data from different registry hives (HKLM, HKCU, HKEY_CLASSES_ROOT, HKEY_USERS), you need to split them into separate REG files.
Next, convert this REG file to XML format. You can do the reg -> xml conversion with the online Reg2GPP service or with the RegToXML.ps1 PowerShell script.
Copy the resulting XML file in File Explorer and paste it into the Registry section of the Group Policy Editor.
As a result, all registry settings from your REG file will appear in the Group Policy console and will be applied to the targeted domain computers.
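The conversion step above can be scripted. The following is an added example (not the article's own tool, not Reg2GPP or RegToXML.ps1): it parses a .reg export, groups entries by hive so each hive can go into its own file, rejects key paths whose hive is not recognised (a hive name left in the key path would otherwise create a bogus HKEY_ subkey), maps "Name"=- to the GPP Delete action and everything else to Update, and renders a Registry.xml-style fragment. The clsid values are assumed from GPP editor exports and should be compared with a fragment exported from your own console before use; the sample .reg text is constructed.

```python
import uuid
import xml.etree.ElementTree as ET

SETTINGS_CLSID = "{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}"  # clsids as seen in exported Registry.xml (assumed)
ITEM_CLSID = "{9CD4B2F4-923D-47f7-A832-16BA2F9C7E1C}"
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS")

def parse_reg(text):
    """Parse a .reg export into GPP items grouped by hive (REG_SZ, REG_DWORD and "Name"=- only)."""
    items, hive, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            hive, _, key = line[1:-1].partition("\\")  # hive is its own attribute, never part of key
            if hive not in HIVES or not key:
                raise ValueError(f"unsupported or incomplete key path: {line}")
            continue
        name, _, data = line.partition("=")
        name = "" if name == "@" else name.strip('"')  # "" is the key's (Default) value
        item = {"hive": hive, "key": key, "name": name, "action": "U"}  # U = GPP Update action
        if data == "-":
            item.update(action="D", type="REG_SZ", value="")  # "Name"=- maps to GPP Delete
        elif data.startswith("dword:"):
            item.update(type="REG_DWORD", value=data[6:].zfill(8).upper())
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            item.update(type="REG_SZ", value=data[1:-1].replace("\\\\", "\\"))
        else:
            raise ValueError(f"unsupported value syntax: {line}")
        items.setdefault(hive, []).append(item)
    return items

def to_gpp_xml(hive_items):
    """Render one hive's items as a <RegistrySettings> fragment for pasting into the GPP editor."""
    root = ET.Element("RegistrySettings", clsid=SETTINGS_CLSID)
    for it in hive_items:
        label = it["name"] or "(Default)"
        reg = ET.SubElement(root, "Registry", clsid=ITEM_CLSID, name=label, status=label,
                            uid="{%s}" % str(uuid.uuid4()).upper())
        ET.SubElement(reg, "Properties", default="1" if it["name"] == "" else "0",
                      **{k: it[k] for k in ("action", "hive", "key", "name", "type", "value")})
    return ET.tostring(root, encoding="unicode")

# Constructed sample export with two hives, which GPP needs as separate files
SAMPLE_REG = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DriverSearching]
"SearchOrderConfig"=dword:00000000
[HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default]
"MRU0"=-
"""
```

Run to_gpp_xml() once per hive returned by parse_reg(); binary (hex:) and multi-line values are deliberately rejected rather than silently converted.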
Set Registry Key Permissions with Group Policy
You can use Group Policy to change the access permissions (ACLs) for specific registry keys. You can use this feature to prevent non-administrator users from accessing protected registry keys or to give regular users the right to modify system keys.
You can configure registry ACL settings in the GPO section Computer Configuration -> Windows Settings -> Security Settings -> Registry.
- Choose Add Key;
- Use the built-in registry browser to find the registry key you need (or specify the path manually in the following format
- Set the new ACL for the registry key in the Database Security window. In this example, I want to allow users to make any changes to a system-protected registry key: select the Users group and grant it Full Control. You can enable inheritance of permissions by sub-keys with Advanced -> Enable inheritance;
You can add or remove any other security groups, users, and other principals from the local computer or Active Directory.
- Save your changes. The new registry key permissions are applied to clients after the GPO is refreshed.
How to modify registry entries with GPO logon script?
Prior to Windows Server 2008, registry settings could be modified with GPOs only through logon scripts (BAT files). You use the reg add or reg import commands in such a .bat file to make changes to the registry.
To change the registry with a GPO logon script, create a text file myreg.bat with the necessary commands. For example:
- These two commands configure proxy settings in Windows (run via a startup script in Computer Configuration):
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d yourproxyaddress:proxyport /f
- The following two commands clear the client's RDP connection history. In this example, the script must be run from the Logon Scripts section in User Configuration because it writes to the user's registry hive:
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
- The last command imports an entire registry key from a REG file (to export a local registry key, use: reg export HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate c:\WindowsUpdateRegFile.reg):
reg import "%~dp0"WindowsUpdateRegFile.reg
The special %~dp0 parameter expands to the directory where the BAT script itself is located.
Save your *.bat (and *.reg, if you need to import one) to the NETLOGON share on the domain controller.
Open your GPO and navigate to Computer Configuration -> Windows Settings -> Scripts (Startup/Shutdown) -> Startup.
Click Add and specify the UNC path to your BAT file in NETLOGON.
The next time you restart Windows, your BAT file will run and make changes to the registry.