
Registry Updates via Group Policy

The purpose of this guide is to demonstrate how to effect registry changes across the network using Group Policy Objects (GPOs) linked to Organizational Units (OUs). This is a simple SOP and by no means a comprehensive document on the full procedure for this implementation. A more thorough guide can be found on Microsoft's website, at http://www.microsoft.com/downloads/details.aspx?FamilyID=e7d72fa1-62fe-4358-83608774ea8db847&displaylang=en. Also note that this guide is intended for Unclassified systems only and will not function on Classified systems.

Step 1: The first thing that needs to be done is to decide how you would like to edit the registry to attain the desired effect. You will need to know the hive, the full key path, the value name, the value type (here a DWORD) and the data for the particular change you are making. Gather this information first. For example: if you need to disable USB storage devices, the key that controls the USB storage driver is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR. The DWORD value is Start. Setting it to 4 (SERVICE_DISABLED) prevents the driver from loading; the default, 3 (SERVICE_DEMAND_START), leaves USB storage enabled.

Step 2: You now need to write an ADM template to implement the change. The syntax is similar to most scripting languages and is described in the Microsoft Administrative Templates guide (linked above). Write the template in Notepad or a similar text editor, but save it with a .adm extension (this is very important, as the extension is what designates it as an administrative template). For example, using the disable-USB-storage change above, the ADM template is:

    CLASS MACHINE
    CATEGORY !!USBdisable
        POLICY !!DisableUsbStorage
            EXPLAIN !!DisableUsbStorage_Explain
            KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
            VALUENAME "Start"
            VALUEON NUMERIC 4
            VALUEOFF NUMERIC 3
        END POLICY
    END CATEGORY

    [strings]
    DisableUsbStorage="Disable usb Storage"
    DisableUsbStorage_Explain="Prevents users from using usb storage devices"
    USBdisable="Registry Settings"

KEYNAME is relative to the hive named by CLASS (MACHINE means HKEY_LOCAL_MACHINE), VALUEON is the data written when the policy is set to Enabled and VALUEOFF when it is set to Disabled. The keyword is NUMERIC in both lines; a misspelling such as NUMBERIC is a syntax error and the template will be rejected when it is loaded in Step 5.

Step 3: Once the template has been created, copy it to the primary domain controller (the domain controller holding the PDC Emulator role, which is the one the Group Policy tools edit against by default). On that domain controller, open a new Microsoft Management Console (MMC) by typing mmc into the Run box. Add the Group Policy Management snap-in. We will add a second snap-in, the Group Policy Object Editor, later.

Step 4: Now we need to create a new GPO. Expand the Group Policy Management snap-in and right-click the OU you need to apply the policy to. Select the Create and Link a GPO Here option. Name the GPO and click OK. You now have a blank GPO linked to the selected OU. (Generally the OUs you want this policy linked to are the ones that contain computer objects: the template is CLASS MACHINE, so it is applied as Computer Configuration and has no effect when linked to an OU that holds only user objects.)

Step 5: It is time to add the Group Policy Object Editor snap-in. Add it as before; when you are prompted for a GPO, browse to the OU from the previous step and select the GPO you created there. This opens that GPO for editing (it does not by itself attach your template). Now add the administrative template you wrote (the .adm file) to the blank GPO. In the Group Policy Object Editor, expand Computer Configuration and right-click the Administrative Templates folder. Select Add/Remove Templates. This brings up a list of the policy templates currently loaded. Click the Add button on the lower left-hand side to add your custom template, browse to the location of your .adm file, select it and click Open. If no error pops up, the template has no syntax inconsistencies and has been loaded into this GPO.

Now the new setting must be made visible and enabled. While still in the GPO editor, click View, then Filtering, and uncheck the "Only show policy settings that can be fully managed" checkbox. This step is required because USBSTOR\Start is not under one of the Policies key trees: the editor classifies such a setting as a preference rather than a true policy, hides it by default and marks it with a red icon. Click OK and return to the Administrative Templates folder. There should now be a subfolder called Registry Settings (the CATEGORY string from the template) containing the "Disable usb Storage" setting. It is Not Configured until you enable it.

You must enable the setting in order for the policy to function. Right-click it and select Properties. From here you can read the Explain text, see the registry change the template makes and choose Enabled, Disabled or Not Configured. Select Enabled to put the change into effect (Start=4); Disabled writes the VALUEOFF data (Start=3). Because the value lives outside the Policies keys, it is tattooed: returning the setting to Not Configured or unlinking the GPO does not restore the previous value on the clients. To re-enable USB storage later, set the policy to Disabled so that Start=3 is written back, rather than simply removing the GPO.

This fully enables the registry change you have made.

Notes and Conclusion: Remember that the changes made by the GPO apply only to objects in the OUs you have linked it to, and that the administrative template (.adm file) supplies the instructions in the GPO that perform the actual registry change. Also, it is important to note that propagation of these changes takes some time. Computer policy is applied at startup and refreshed in the background every 90 minutes plus a random offset of up to 30 minutes (domain controllers refresh every 5 minutes), which is why Microsoft gives 90-120 minutes as the time for full network propagation of a new GPO; I have found that some computers take longer and some pick up the change much sooner. Thus a network administrator should keep the deadline for the policy change in mind when planning an update to Group Policy. You can force an update on a client with gpupdate /force (gpupdate /target:computer /force refreshes only computer settings, which is all this template uses), but a restart of the computer is often required for the change to take effect, since a USBSTOR driver that is already loaded is not unloaded by changing its Start value.
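The same change can be provisioned and verified from PowerShell instead of clicking through Steps 3-5 and waiting to see whether propagation has finished. The script below is an added example, not part of the original SOP: it uses the RSAT GroupPolicy module to create and link the GPO, writes the USBSTOR Start value straight into the GPO's Computer Configuration (registry.pol) with Set-GPRegistryValue rather than loading an .adm template, and then reads the live value back from the clients. The GPO name, the OU distinguished name and the computer names are assumptions for illustration and must be replaced with your own; remoting to the clients requires WinRM to be enabled.

```powershell
# Added example for the procedure above (not the original SOP's own script).
# Requires the GroupPolicy module (RSAT) on a domain-joined admin host.
Import-Module GroupPolicy

$GpoName  = 'Disable USB Storage'                      # assumption: pick your own name
$TargetOu = 'OU=Workstations,DC=example,DC=com'        # assumption: your computer OU
$Key      = 'HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR'

# 1. Create the GPO if it does not already exist (Step 4 of the guide).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Sets USBSTOR Start=4 (SERVICE_DISABLED)'
}

# 2. Link it to the OU that holds the computer objects, once.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
          Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# 3. Write the registry setting into Computer Configuration (same effect as the
#    .adm template set to Enabled). Start=4 disables the driver; 3 restores the default.
#    The key is outside the Policies trees, so this value tattoos the clients: to undo it,
#    push Start=3 (-Value 3) rather than just unlinking the GPO.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Start' -Type DWord -Value 4 | Out-Null

# 4. Confirm what the GPO will push before anything refreshes.
Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Start' |
    Select-Object KeyPath, ValueName, Type, Value

# 5. After the refresh interval (or a forced gpupdate), check the clients themselves.
#    Computer names are assumptions; a host that is offline or has not refreshed yet
#    is simply missing from the output or still shows Start=3.
$Computers = 'WS01', 'WS02'
Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    $start = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start).Start
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        UsbstorStart = $start
        Disabled     = ($start -eq 4)
    }
} | Format-Table -AutoSize

# To force a client to apply the change now instead of waiting 90-120 minutes:
# Invoke-Command -ComputerName 'WS01' -ScriptBlock { gpupdate /target:computer /force }
```

Step 5 is the part worth keeping as a recurring check: the GPO report only tells you what was configured, while the per-host query tells you which machines have actually received the value, which is the gap the 90-120 minute propagation window and stragglers create.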
