Windows OS Hub

August 6, 2019 Active Directory, Group Policies

How to Add, Edit, Deploy and Import Registry Keys through GPO?

In this article, we will look at how to use Group Policy (GPO) to centrally create, modify, import and delete any registry keys on domain-joined computers.

There was no built-in feature to manage registry parameters in classic GPOs. Therefore, administrators had to create their own administrative .adm/.admx templates (an example of .admx template for Google Chrome) or bat files for Logon scripts (.reg file is imported using the reg import command) for centralized management of registry keys and parameters via GPO.

In Windows Server 2008, Microsoft released a Group Policy extension called Group Policy Preferences (GPP). It added a dedicated section to the Group Policy console that allows administrators to configure (create / edit / delete) any registry parameter or key and deploy the setting to all domain computers. Let’s look at these features in detail.

Suppose you want to use the registry to disable automatic driver updates on computers in a specific AD domain organizational unit (OU) by changing the value of the SearchOrderConfig parameter in the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching. There are two ways to set a registry parameter on target computers: using the remote registry browser integrated into the GPP console, or manually by specifying the path to the registry key, the parameter name and the value.

Contents:
  • Remote Registry Browser in GPO
  • How to Manually Create/Edit a Registry Key using Group Policy?
  • Import .reg file into GPO

Remote Registry Browser in GPO

Let’s start with the first method:

  1. Open the Group Policy Management console (gpmc.msc);
  2. Create a new (or edit the existing) GPO, link it to the necessary container (OU) in AD with the computers (or users) on which you want to deploy the registry key and go to the policy edit mode;
  3. Expand the GPO section Computer (or User) Configuration -> Preferences -> Windows Settings -> Registry and select New -> Registry Wizard in the context menu;
  4. The Registry Wizard allows you to connect to the registry on a remote computer and select the existing registry key;
  5. Specify the remote computer name you want to connect to;
    Note. If the error “The network path was not found” appears when you try to connect to a computer through the Registry Browser, most likely the remote computer is turned off, access to it is blocked by a firewall, or the Remote Registry service is not started on it. To start the service manually, run these commands on the remote computer:
      sc config remoteregistry start= demand
      net start remoteregistry
  6. Using the Remote Registry browser, select all the registry parameters that you want to deploy through the GPO;
    Note. This browser allows you to select only reg keys from the hives HKEY_LOCAL_MACHINE and HKEY_USERS on a remote computer. If you need to set the keys contained in other registry hives, you need to install RSAT on the remote computer (Installing RSAT in Windows 10). Then run the gpmc.msc console on this computer and use the same procedure to select the required registry keys.
  7. In our example I want to import only one registry parameter to the GPP — SearchOrderConfig;
  8. The specified registry entry is imported into the GPP console along with the reg path (a registry tree has appeared in the group policy console) and current value (0). In the future, you can change its value and the desired action (this will be considered further);
  9. Thus, you have created a group policy to deploy your registry key. The next time Group Policy settings are updated on target computers, the value of the SearchOrderConfig registry key on them will change to 0 (if the policy doesn’t apply on the client, you can use GPResult tool for diagnostics).

If this GPO is removed or unlinked from the AD container, or the target computer is moved to another OU, the value of the registry parameter won’t return to its original (default) value (as it would with the usual GPO policy settings).

How to Manually Create/Edit a Registry Key using Group Policy?

You can create, edit or remove the value of the specific registry parameter using GPP by specifying the registry key path and value manually.

  • To do it, select Registry -> New -> Registry Item;
  • Fill in the following fields in accordance with the data of the registry parameter that you want to change: Hive, Key Path, Value Name, Value type, Value data;
  • By default, the registry setting that is configured through the GPO is set to the Update mode.

Four types of actions are available in GPO for registry keys:

  • Create – creates a registry key. If the parameter already exists, its value is not changed;
  • Update (by default) – updates the value of an existing parameter according to the GPP. If the registry parameter doesn’t exist, it will be created automatically (as well as the registry key in which it should be located);
  • Replace – deletes and recreates the registry item anew (rarely used);
  • Delete – deletes a reg key.

There are a number of other useful options on the Common tab:

  • Run in logged-on user’s security context (user policy option) — a registry key is created only in the current user context (it is possible only for GPP in the user section of the GPO). If a user doesn’t have the administrator privileges, he won’t be able to write anything to the protected system registry keys;
  • Remove this item when it is no longer applied – if the policy is no longer applicable to a client, the key is automatically deleted;
  • Apply once and do not reapply – a policy is applied to a client (user or computer) only once. Later it won’t be reapplied. If after applying the GPO, the user manually changes the value of the registry parameter, the policy won’t override its value on the next policy update cycle;
  • Item-level targeting – lets you target the policy at clients more precisely (you can target a specific IP, subnet, computer name, or computers with certain characteristics, i.e. you can configure policy enforcement similar to the GPO WMI filters). For example, you can specify that the registry parameter should be applied to computers running Windows Server 2012 R2 in the AD OU named Servers.

Here’s how the final policy settings look in the GPMC console (Settings tab).

Import .reg file into GPO

GPP allows the administrator to easily import a .reg file with several registry settings into Group Policy. To do this, the reg file must first be converted to the XML format (Group Policy Editor allows you to import files only in XML format).

For example, you have a reference computer on which some settings are configured through the registry. You can export these settings to a REG file by right-clicking on the reg key name in the regedit.exe and selecting Export.

Save the registry key settings to the reg file.

If your reg file contains data from different registry hives (HKLM, HKCU, HK_CLASSES), you need to divide them into separate reg files.

Next, you need to convert this REG file to the XML format. You can convert reg -> xml using the online service https://www.runecasters.com.au/reg2gpp or with the PowerShell script RegToXML.ps1 — https://gallery.technet.microsoft.com/scriptcenter/Registry-To-GroupPolicyPref-9feae9a3.

The resulting XML file must be copied in the File Explorer and pasted to the Registry section in the Group Policy editor.

As a result, all registry settings that you imported will appear in the Group Policy console and will be applied to the target computers in the domain.
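
An alternative to converting the file to XML, as an added example that is not part of the original article and is not the RegToXML.ps1 script: the first function parses a .reg export into the same fields the Registry Item dialog asks for (Hive, Key Path, Value Name, Value type, Value data), keeping the hive out of the key path, and the second creates one Update item per value with the Set-GPPrefRegistryValue cmdlet from the GroupPolicy module. The helper names, the GPO name and the ExampleCorp key are assumptions, and only string and dword values are handled.

```powershell
function ConvertFrom-RegFile {                       # hypothetical helper name (added example)
    param([Parameter(Mandatory)][string[]]$Line)
    $hive = $null; $key = $null
    foreach ($raw in $Line) {
        $l = $raw.Trim()
        if ($l.StartsWith('[')) {
            $hive = $null; $key = $null              # also resets on "[-HKEY_...]" deletion headers
            # Section header: hive and key path are separate fields in a GPP Registry item
            if ($l -match '^\[(HKEY_[A-Z_]+)\\(.+)\]$') { $hive = $Matches[1]; $key = $Matches[2] }
            continue
        }
        if ($key -and $l -match '^"(?<name>[^"]+)"=(?<data>.+)$') {
            $name = $Matches['name']; $data = $Matches['data']
            if ($data -match '^dword:(?<hex>[0-9a-f]{8})$') {
                $type = 'DWord'; $value = [Convert]::ToInt32($Matches['hex'], 16)
            } elseif ($data -match '^"(?<s>.*)"$') {
                # .reg files escape backslashes and quotes inside string data
                $type = 'String'; $value = $Matches['s'] -replace '\\(["\\])', '$1'
            } else {
                Write-Warning "Skipping '$name': unsupported data '$data'"; continue
            }
            [pscustomobject]@{ Hive = $hive; KeyPath = $key; ValueName = $name; Type = $type; Value = $value }
        }
    }
}

function Import-RegFileToGpo {                       # hypothetical; needs the GroupPolicy module (GPMC/RSAT)
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$GpoName)
    foreach ($i in ConvertFrom-RegFile -Line (Get-Content -LiteralPath $Path)) {
        # HKCU values go to User Configuration, everything else to Computer Configuration
        $context = if ($i.Hive -eq 'HKEY_CURRENT_USER') { 'User' } else { 'Computer' }
        Set-GPPrefRegistryValue -Name $GpoName -Context $context -Action Update `
            -Key "$($i.Hive)\$($i.KeyPath)" -ValueName $i.ValueName `
            -Type $i.Type -Value $i.Value | Out-Null
    }
}

# Constructed sample input; the ExampleCorp key is made up for illustration
$sample = @'
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching]
"SearchOrderConfig"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent]
"InstallDir"="C:\\Program Files\\Agent"
"Blob"=hex:01,02
'@ -split "`r?`n"
ConvertFrom-RegFile -Line $sample | Format-Table -AutoSize
# Import-RegFileToGpo -Path .\settings.reg -GpoName 'Registry-Settings-Demo'   # placeholder names
```

Review the parsed table before running the commented-out import against a GPO; values the parser skips are reported as warnings and still have to be added by hand.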

 

4 comments

Nope March 19, 2021 - 1:47 am

Wow, did anyone happen to notice you put the Hive in the Key Path under “New Registry Properties” pane? Anyone following this would have nothing they did work. Great job!

Mekkel Richards May 27, 2021 - 8:03 pm

Noticed that as well. Good catch.

Resul June 8, 2022 - 2:08 pm

Thank you.
Have a good day at work.

Lee Banyard June 24, 2022 - 11:52 am

Do not put the hive name into the key path otherwise it creates a new HKEY_xxx folder in the registry!

Does anyone know a quick way to remove the newly created folders remotely for users?
