Re: Deploying a Reg Key to HKLM on all Machines

From: Torgeir Bakken \(MVP\) (Torgeir.Bakken-spam_at_hydro.com)
Date: 05/11/05 

Date: Wed, 11 May 2005 18:01:45 +0200

The Poster wrote:

> Hi,
>
> What technique could I use to deploy a Reg key called 'MyCompany' to all
> computers in a specific OU? I also want to control the permission set on
> this key to only allow specific Security Groups to have full control.
>
> I'm currently running an AD environment on a Windows 2000, SP3 Server, all
> my workstations are Windows 2000 Professional systems running SP3.
Hi,

You can use "pure" Group Policy to push out your own registry
settings (see further down).

But I think would have done it in computer startup script (set with a
GPO).

Computer startup script runs as part of the boot up process
(before the user logs in) and it runs under the system context
and has administrator rights.

SubInACL.exe can be used to set the permissions, a new, bug-fixed
version of SubInACL.exe is available for download here
(Win2k/WinXP/Win2k3):

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b

Then there is a free 3rd party utility that you can use for this:

SETACL (freeware) at
http://setacl.sourceforge.net/

SetACL can set permissions on:

Local or remote directories
Local or remote files
Local or remote printers
Local or remote registry keys
Local or remote Win32 services
Local or remote network shares

Alternatively:

You can push out that registry value with a GPO using a
custom administrative template ("tattooing" the registry on
the clients)...

HOW TO: Create Custom Administrative Templates in Windows 2000
http://support.microsoft.com/?kbid=323639

225087 Writing Custom ADM Files for System Policy Editor
http://support.microsoft.com/?kbid=225087

Implementing Registry-Based Group Policy
go.microsoft.com/fwlink/?LinkId=28188

Implementing Registry-based Policy [Group Policy]
http://msdn.microsoft.com/library/en-us/policy/policy/implementing_registry_based_policy.asp 

-- 
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Relevant Pages

  • Re: Deploying a Reg Key to HKLM on all Machines
    ... You can use "pure" Group Policy to push out your own registry ... Computer startup script runs as part of the boot up process ... Local or remote directories ... Implementing Registry-Based Group Policy ...
    (microsoft.public.security)
  • Re: Local Policy Update Using Remote Registry Edit
    ... Browse for a Group Policy Object ... My administrative workstation and the remote desktop are both joined to ... doesn't include anyway to update local policy settings via the command ... find it always best to edit Group Policy instead of registry settings. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: configure machines to allow "offer remote assistance" xp home
    ... What I am trying to do is use the "offer remote ... Is there some registry key or something that I can edit in order ... Start the Microsoft Management Console (MMC) (Start, Run, ... Select Group Policy, and click Add. ...
    (microsoft.public.windowsxp.general)
  • Re: Local Policy Update Using Remote Registry Edit
    ... this MMC to establish connectivity with remote systems? ... You can edit local Group Policy remotely by selecting the mmc ... find it always best to edit Group Policy instead of registry settings. ... but this hasn't updated the local policy on the computer. ...
    (microsoft.public.windowsxp.security_admin)
  • RE: Several Problems; how to reset security and troubleshoot serve
    ... There is no error or action when I click on either "Offer Remote ... Assistance" or "Help and Support", ... The Network Service account must be added to the policy settings in the ... This issue may occur if Group Policy settings that were applied at ...
    (microsoft.public.windows.server.sbs)