Setting specific values for registry keys is a common task for administrators, whether to manage user profiles, application settings, and so on. In this article I will give a basic yet useful example of deploying such a configuration using Group Policy Objects (GPO).
In a previous article I talked about disabling the Autorun facility in Windows using a registry value suggested by US-CERT. As a reminder, the key and value are:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
Value: @="@SYS:DoesNotExist"
To deploy this configuration using GPO, we need to create a new administration file, or update an existing one. Administration files are normally located in the folder:
%systemroot%\inf
and have .adm extension.
I will not go into the details of ADM file syntax, version control and operating system filtering, as that would need more than one article. Here is a prototype you can always use with Windows XP (and above?); you can change the key and values, but keep the same syntax. For interested readers, I recommend this document: “Using Administrative Template Files with Registry-Based Group Policy” from the Microsoft site.
So, here is the ADM file I propose for this configuration:
CLASS MACHINE
; Registry-based policy: sets the Autorun.inf IniFileMapping value suggested by US-CERT
CATEGORY !!category
  KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
  POLICY !!policynameautorun
    ; Written when the policy is enabled
    ACTIONLISTON
      VALUENAME "@" VALUE "@SYS:DoesNotExist"
    END ACTIONLISTON
    ; Written when the policy is disabled
    ACTIONLISTOFF
      VALUENAME "@" VALUE ""
    END ACTIONLISTOFF
  END POLICY
END CATEGORY

[strings]
category="Custom Policy Settings"
policynameautorun="Disable autorun"
Save these lines as “customPolicies.adm”, for example, using plain straight quotes, and import the file as an administrative template. To do so, expand “computer configuration”, then right-click on the “administrative templates” group and choose “Add/Remove templates”; click on “Add” and browse for your file. Once it is selected, validate and close. You will see your new group of policies (named by “category” in the ADM file) in the groups tree. You can see these steps in this video.
Once done, you may not see the new policy, as there is a default filter. To disable filtering, right-click on “administrative templates”, select the “Display” menu and then “Filtering”; uncheck all checkboxes. Have a look here:
Some explanations of the parameters used in the above example:
- KEYNAME : the registry key to change or create.
- ACTIONLISTON : actions to perform when the policy is enabled.
- ACTIONLISTOFF : actions to perform when the policy is disabled.
- strings section : values for substitution variables, which are marked with a double exclamation mark (!!category for example). These variables are used for portability between different language versions of Windows.
Having the ADM file imported does not mean it is in use and applied. You need to create a new strategy (or update an existing one) to use the policy. Then you have to link this strategy to the Organisational Unit (OU) you want.
On the client side, you need to run gpupdate at the command prompt if you want the modifications to be applied immediately rather than at the next policy refresh. The gpupdate command replaces the secedit command available in Windows 2000 and older versions. Please refer to the help of these commands for more details.
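To confirm that the setting actually reached the clients after gpupdate, the following check can be used; it is an added example, not part of the original article. In .reg notation `@` stands for the key's default (unnamed) value, so the function (the name Test-AutorunMapping is hypothetical) reads the default value and also reports any value literally named `@`. It assumes PowerShell 3.0 or later and, for remote machines, a reachable Remote Registry service.

```powershell
# Added example: audit the Autorun.inf IniFileMapping value on one or more machines.
function Test-AutorunMapping {
    param(
        # Machines to check; defaults to the local computer.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    $subKey   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $expected = '@SYS:DoesNotExist'
    $hive     = [Microsoft.Win32.RegistryHive]::LocalMachine

    foreach ($computer in $ComputerName) {
        $base = $null
        $key  = $null
        try {
            # Local machine: use the HKLM handle directly; otherwise go through Remote Registry.
            $base = if ($computer -eq $env:COMPUTERNAME) {
                [Microsoft.Win32.Registry]::LocalMachine
            } else {
                [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer)
            }
            $key     = $base.OpenSubKey($subKey)                      # read-only; $null if absent
            $default = if ($key) { $key.GetValue('') }  else { $null } # default (unnamed) value
            $namedAt = if ($key) { $key.GetValue('@') } else { $null } # value literally named "@"
            [pscustomobject]@{
                Computer     = $computer
                KeyPresent   = [bool]$key
                DefaultValue = $default
                ValueNamedAt = $namedAt
                Compliant    = ($default -eq $expected)
                Error        = $null
            }
        } catch {
            # Unreachable host, access denied, Remote Registry stopped, etc.
            [pscustomobject]@{
                Computer     = $computer
                KeyPresent   = $null
                DefaultValue = $null
                ValueNamedAt = $null
                Compliant    = $false
                Error        = $_.Exception.Message
            }
        } finally {
            if ($key)  { $key.Close() }
            if ($base) { $base.Close() }
        }
    }
}

# Check the local machine; pass -ComputerName for the machines of the linked OU.
Test-AutorunMapping | Format-Table -AutoSize
```

A machine is reported as compliant only when the key's default value equals the US-CERT string; if only the ValueNamedAt column is populated, the policy wrote a named value instead of the default one.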
I hope you enjoyed reading and it was useful.







