Apply Registry or ADM to Group Policy for Login to Specific Servers


Solution 1

You're saying that you have user settings that you want to apply to users only when they log on to certain computers? Sounds difficult, eh? It's not difficult at all. It sounds like a job for loopback group policy processing!

Assume the following:

 [Domain] mydomain.com.org.net.local
  |
  |--[OU] Special Computers
  |   |
  |   |-- [Computer] COMPUTER 1
  |   |
  |   |-- [Computer] COMPUTER 2
  |   ...
  |
  |--[OU] User Accounts
      |
      |--[User] Bob
      |
      |--[User] Alice
      ...

You would like to apply a user setting (such as running a logon script, or applying other types of GPO user settings) for all users who log on to computers in the "Special Computers" OU. When they log on to computers located in other OUs, though, you do not want these special settings to apply.

Create and link a GPO to the "Special Computers" OU. Specify in that GPO all the user-related settings you want to apply.

("But wait, Evan! The user's account objects aren't in the 'Special Computers' OU!" Yes. I know that. Stay w/ me here. Most AD admins I've met don't understand loopback policy processing and get scared. I've seen horrible hacks like creating secondary user accounts for users to logon with when using "special computers", etc... >shudder<)

In the GPO you created, go into the COMPUTER "Administrative Templates", "System", "Group Policy", and locate the setting "User Group Policy loopback processing mode". Enable this setting. In the "Mode" box, choose "Replace" if you want all the user's "normal" group policy settings to be ignored and only the user policy settings in this new GPO to apply. Choose "Merge" if you want the user settings in the GPO to apply after all their normal user settings have applied.

My opinion is that this is a lot cleaner than "hacks" involving "If computer == blah" in logon scripts.


My advice to you would be to do what you're doing with Group Policy Preference (GPP) registry settings, rather than with a logon script. It will apply one time, leaving default settings in the users' registry, but the user will be able to change the settings freely in the future without having them "smashed" each time they log on.

If these are Windows Server 2008 machines, like your tag says, then there's really no excuse not to use GPP registry settings. Have a look at the articles below for some more details. This is a really nice feature of W2K8, and something you should be taking advantage of.

http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&DisplayLang=en

http://blogs.technet.com/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx
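Solution 1's recipe, scripted with the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT and later). This is an added example, not code from the answer above: the GPO name, the OU distinguished name and the HKCU key and values are assumed placeholders for the real application settings. The loopback setting is a computer-side Administrative Template, so the GPO must be linked to the OU that holds the computers, exactly as the answer says.

```powershell
# Added example, not part of the original answers: build the loopback GPO from
# Solution 1 with the GroupPolicy module. GPO name, OU DN and the HKCU key/values
# below are assumed placeholders.
Import-Module GroupPolicy

$GpoName  = 'Special Computers - User Settings'            # assumed
$TargetOu = 'OU=Special Computers,DC=mydomain,DC=local'    # assumed DN of the OU in the diagram
$AppKey   = 'HKCU\Software\Contoso\SharedApp'              # assumed HKCU key the app needs

# 1. Create the GPO and link it to the COMPUTERS' OU. The users' OU is left alone.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'User settings applied only on Special Computers (loopback)' | Out-Null
}
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# 2. Computer Configuration > Policies > Administrative Templates > System > Group Policy >
#    "Configure user Group Policy loopback processing mode". The ADMX setting is backed by
#    HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null          # 1 = Merge

# 3. The user-side settings, as Group Policy Preference registry items in the same GPO
#    (User Configuration > Preferences > Windows Settings > Registry), one item per value.
$settings = @{ 'MyNewSetting' = '1'; 'ServerMode' = 'shared' }           # constructed sample values
foreach ($name in $settings.Keys) {
    Set-GPPrefRegistryValue -Name $GpoName -Context User -Action Update `
        -Key $AppKey -ValueName $name -Type String -Value $settings[$name] | Out-Null
}

# 4. Check what the GPO now contains before anyone logs on.
Get-GPRegistryValue     -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System'
Get-GPPrefRegistryValue -Name $GpoName -Context User -Key $AppKey
```

Two checks worth doing afterwards. First, the computer has to pick up the loopback setting before it affects anyone's logon: run `gpupdate /force` on each server in the OU (or reboot it), then log on as a test user and confirm with `gpresult /r /scope:user` that the GPO is listed under "Applied Group Policy Objects" even though the user object lives in a different OU. Second, leave the default Authenticated Users security filtering in place: it grants Read and Apply to both the computer accounts (which need the loopback setting) and the user accounts. Note that `Set-GPPrefRegistryValue` does not expose the "Apply once and do not reapply" common option; if users are meant to keep changes they make later, tick that box on each item's Common tab in the GPMC editor.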

Solution 2

You need to decide which route you want to go down - ADM or Registry.

You can set custom registry settings through GPO. Edit the GPO, then browse to this section:

Computer Config -- Policies -- Windows Settings -- Security Settings -- Registry

Whatever combination of keys you define in here will be applied to the machines in that OU.

Furthermore, you should change the Scope filtering of the GPO to apply to the objects in AD you're interested in. It may have defaulted to Authenticated Users. If that's right, then leave it. I suspect you will need to change it though so it applies to Domain Computers. Don't fret, it will only apply to the domain computers in that OU, and all sub OUs.

EDIT:

Edited to provide how-to for batch file registry importing and Login Scripts in GPO.

So, first you're going to need to create a batch file that will import the registry keys you want.

  • Create a batch file, and give it any name you like, eg import_reg_keys.bat

  • Edit the batch file, and in its most basic form, use the following command(s):

    reg.exe add HKCU\blah\blah\blah /v MyNewSetting /t REG_SZ /d 1 /f

Replace the blah\blah\blah with subkey you're interested in, replace MyNewSetting with the value, replace REG_SZ with the type of value (REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ, REG_DWORD, REG_BINARY, REG_NONE), and replace the 1 with whatever data you want in your new reg value.

  • Save the batch file, and copy it to the domain NETLOGON share (\\yourdomain.loc\netlogon) - you will need Domain Admin rights to do this.

  • Edit the GPO you already created, and navigate to User Config -- Policies -- Windows Settings -- Scripts

  • Double click the LOGON item on the right, click ADD, click BROWSE, in the address bar at the top enter \\mydomain.loc\netlogon and press enter, then select your batch file from the list

  • Click Open, click OK, click OK, close the GPO editor

  • Go back to the GPO Management MMC, double click your new GPO, and then on the right select the SCOPE tab.

  • Where it says Filtering at the bottom, ensure that you only have Domain Computers (yourdomain\Domain Computers) and Authenticated Users. If you want to lock this down even further in the future, this is how you filter who or what must apply this policy.

  • Buy me a beer

The nice thing about having the batch file in the netlogon share (as opposed to setting it directly in a GPO) is that it's much quicker to edit.

PS. Move the servers in question to that OU (should be a sub-OU of your Member Servers OU)

Solution 3

Here's an alternative method:

Do you already have a login script for your users? (Defined in the User object in AD under Profile). If you do, then add these lines to that script:

if "%computername%"=="MyServer001" reg.exe add HKCU\blah\blah\blah /v MyNewSetting /t REG_SZ /d 1 /f

if "%computername%"=="MyServer002" reg.exe add HKCU\blah\blah\blah /v MyNewSetting /t REG_SZ /d 1 /f

Add as many of these lines as there are servers that need this key when the user logs in. This way, each time a user logs in, the script will look at the machine name they are logging into, and only apply the registry change if that machine matches one of the listed ones. If they log into their own workstation, the machine name will not be in the list, and it won't get the key.
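A logon script that combines Solutions 2 and 3: the "only on these servers" test from Solution 3, driven by one list instead of one IF line per server, and the registry import from Solution 2, done from a whole exported .reg file rather than one reg.exe add per value. It also records a hash of the .reg file in HKCU so the import is only repeated when the file changes, which avoids overwriting the user's own later changes at every logon. This is an added example, not one of the scripts posted in the answers; the NETLOGON path, server names and marker key are assumed placeholders. On Windows Server 2008 (non-R2) the GPO Scripts node has no PowerShell tab, so call it as `powershell.exe -ExecutionPolicy Bypass -File \\mydomain.loc\netlogon\Apply-SharedAppReg.ps1` from the Logon script entry.

```powershell
# Added example, not one of the scripts from the original answers.
# User logon script: apply an exported .reg file only on listed servers, and only
# when the file has changed since it was last applied for this user.
# Assumed placeholders: $RegFile path in NETLOGON, server names, stamp key.

$RegFile       = '\\mydomain.local\netlogon\sharedapp-hkcu.reg'       # assumed
$TargetServers = @('MYSERVER001', 'MYSERVER002')                        # assumed; extend this list
$StampKey      = 'HKCU:\Software\Contoso\SharedApp\LogonScript'        # assumed marker location

function Test-TargetServer {
    param([string[]]$Servers, [string]$ComputerName = $env:COMPUTERNAME)
    # Same test as IF "%COMPUTERNAME%"=="MyServer001", but one list for all servers.
    # -contains is case-insensitive, so MyServer001 and MYSERVER001 both match.
    return [bool]($Servers -contains $ComputerName)
}

function Test-RegFileIsHkcuOnly {
    param([string]$Path)
    # regedit exports UTF-16LE with a BOM; Get-Content honours the BOM.
    $text = Get-Content -LiteralPath $Path -Raw
    if ($text -notmatch '^\s*Windows Registry Editor Version 5\.00') { return $false }
    # Every [key] or [-key] header must be under HKEY_CURRENT_USER. A script that runs
    # as the user should never be handed a file that tries to touch HKLM/HKU/HKCR.
    $keys = [regex]::Matches($text, '(?m)^\[-?([^\]]+)\]')
    foreach ($k in $keys) {
        if ($k.Groups[1].Value -notmatch '^HKEY_CURRENT_USER\\') { return $false }
    }
    return $keys.Count -gt 0
}

function Get-AppliedHash {
    param([string]$Key)
    try { (Get-ItemProperty -LiteralPath $Key -Name AppliedHash -ErrorAction Stop).AppliedHash }
    catch { $null }
}

if (-not (Test-TargetServer -Servers $TargetServers)) { exit 0 }   # a workstation: do nothing
if (-not (Test-Path -LiteralPath $RegFile))            { exit 0 }   # file missing: leave registry alone
if (-not (Test-RegFileIsHkcuOnly -Path $RegFile))      { exit 1 }   # refuse anything outside HKCU

$hash = (Get-FileHash -LiteralPath $RegFile -Algorithm SHA256).Hash
if ((Get-AppliedHash -Key $StampKey) -eq $hash) { exit 0 }         # this version already applied

# Equivalent to REGEDIT /S <file>; reg.exe returns a non-zero exit code on failure.
& reg.exe import $RegFile 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }

New-Item -Path $StampKey -Force | Out-Null
Set-ItemProperty -LiteralPath $StampKey -Name AppliedHash -Value $hash
exit 0
```

Because the file is read from NETLOGON, which Domain Admins can write, the HKCU-only check and the exit on a non-zero `reg.exe` code are the two things that keep a bad or partial export from silently doing more than intended. Renaming or adding a server still means editing `$TargetServers`, which is the maintenance cost Solution 1's loopback approach avoids.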

Author: Matt Rogish (I like: Ruby on Rails, Mobile Apps, IT/Strategy, Travel, etc. etc.)

Updated on September 17, 2022

Comments

  • Matt Rogish (over 1 year)

    I have some Windows 2008 Server terminal services servers that run a shared app. Unfortunately, to operate correctly the app has some HKEY_CURRENT_USER settings that need to be written to each user's registry when they log in. These settings will change over time so I don't want to edit C:\Users\Default\NTUser.dat; I want them applied via Active Directory.

    I have identified the appropriate entries and exported them as a registry file and additionally converted them to an ADM. I'd like to configure some portion of Active Directory Group Policy to load either the .REG or the ADM as a login script (for all users) to ONLY these servers (the servers are in their own OU).

    How can I do that? I've created a policy in the OU but am otherwise stumped; I tried to load the ADM into GPO Management Editor but it doesn't seem to do anything...

    Perhaps it's some combination of "Active Setup" (Best way to add HKCU keys and values for all existing users and all new users?) and Loopback Processing (http://support.microsoft.com/kb/231287) but my knowledge of GPO is very limited.

  • Matt Rogish (almost 15 years)
    I don't know which to use, nor do I have any preferences. Whatever is easier. I can't seem to import any of my registry changes to the Registry setting, nor does it allow me to add a key to HKEY_CURRENT_USER (it's not an option)
  • aeroshock (almost 15 years)
    Can you try in the User Config tree?
  • Matt Rogish (almost 15 years)
    User Configuration -> Policies -> Windows Settings -> Security Settings -> has no registry section so it doesn't look like I can use this to add HKEY_CURRENT_USER. Under machine ... Security Settings -> I can use CLASSES_ROOT, MACHINE, USERS but then it has just the users that have local accounts; not HKCU
  • aeroshock (almost 15 years)
    In that case, you'll need to write a little batch file, and have it execute as a Login script in GPO. I'll edit my original answer with a how-to
  • Matt Rogish (almost 15 years)
    Thanks! I am really at a loss as to how to do that only for these servers (running on client desktops would be a BadThing(TM) )
  • Spence (almost 15 years)
    @Izzy: You've almost got it, but you need to enable loopback policy processing. Unless the user's account objects are under the same OU as this GPO where the member server computers are, the policy isn't going to apply to them.
  • aeroshock (almost 15 years)
    You mention "you would like to run a logon script for all users <snip>", then you go on to say "eww nasty hacks". How do you propose to import the registry settings then? As in my first suggestion using reg.exe?
  • Spence (almost 15 years)
    @Izzy: My statement re: "eww nasty hacks" was as follows: I would use loopback group policy processing to ensure that this script (or whatever other user settings are specified in the GPO) only apply to logons for those users when they're using the server computers to which the GPO applies. Doing an 'IF "%COMPUTERNAME%"=="THE_RIGHT_SERVER" REG ADD ..." in a script seems like a nasty hack to me because you have to edit the script if you rename server computers, add more servers, etc. W/ loopback policy processing the group policy client handles applying the GPO on only the right computers.
  • Spence (almost 15 years)
    @Izzy: This is the technique that I was suggesting was a "nasty hack". It doesn't scale well to multiple servers, and it's not as friendly to change later on as just using loopback group policy processing.
  • Matt Rogish (almost 15 years)
    Quick question -- the reg file has a LOT of registry entries in it and converting from [HKCU\stuff] etc. to reg add will be very time consuming (and not easily portable). Can I instead do something like (inside the startup script) reg import \\DOMAIN\netlogon\myreg.reg ?
  • Spence (almost 15 years)
    @Matt: Export the entries from the registry using REGEDIT to a ".REG" file, and then in your script do a: REGEDIT /S <regfile> That will do what you want. Are you concerned about this running each and every time users logon (especially if they make changes to the values and it keeps getting overridden each time they logon)? You may want to consider doing this with a Group Policy Registry Preference, such that it will apply one time, and the user will be in control of the values after that.
  • Matt Rogish (almost 15 years)
    Omg. The GPRP looks pretty neato. Is there a way to load in my .reg file or do I have to enter all the keys by hand (that'll take a long time) ?
  • Spence (almost 15 years)
    @Matt: You can load one registry value in via the GUI, export the GPP settings to an XML file, and then use that XML format as a "skeleton" to load the rest in. Somebody somewhere has probably written a tool to convert REG format into the GPP XML format, but I'm not aware of it.
  • Matt Rogish (almost 15 years)
    Got it. Of course, now it's only applying the changes on ONE of the servers in the terminal servers OU. I've verified that both are in the OU yet only one gets the changes. Greeeat. Any ideas? Maybe I should make it another question
  • Spence (almost 15 years)
    @Matt: You've rebooted both boxes, right? The loopback setting only takes effect on boot. Don't go asking questions yet-- you should be able to troubleshoot this one yourself. Start w/ GPRESULT-- it's your friend. Group Policy is completely deterministic. Examine it and you'll figure it out. :)
  • Matt Rogish (almost 15 years)
    Yeah I got it :D Didn't catch the reboot thing
  • Matt Rogish (almost 15 years)
    Of course, when I tried GPRESULT the thing CRASHED so that was fun. But I'll keep on it. :D
  • Kara Marfia (almost 15 years)
    @Evan I'm pretty sure nobody takes the time to type out an answer so that someone else can call it a "nasty hack".