Solved

Distributing Registry Changes with administrative rigths

Posted on 2003-12-02
8
1,625 Views
Last Modified: 2012-05-04
Hello

i'm trying to Distribut Registry Changes on client computers (w2k) using an login.bat script

regedit /s \\Serveurbd\SYSVOL\poly.ca\scripts\OutlookSettings.reg

When the computers execute the script, the get an error message saying that they don't have access to the registry... I suppose it's because they don't have administrative rights on the local computers....

Is there some other way of installing the reg file without changing the local rights on the computers????

bob
0
Comment
Question by:bobsensor
  • 2
  • 2
  • 2
  • +2
8 Comments
 
LVL 10

Expert Comment

by:ryangorman
Comment Utility
Administrative Templates under Group Policies allow administrators to use existing ADM files or custom written ADM files to apply registry changes to HKLM and HKCU.

This feature was called System Policies under Windows NT. Microsoft may have written an ADM file for your Outlook version that applies the required registry changes.

Outlk10.adm is the ADM for Outlook 10. See http://www.winnetmag.com/Article/ArticleID/19725/19725.html or Google for Outlook ADM.


0
 
LVL 16

Expert Comment

by:JammyPak
Comment Utility
0
 
LVL 1

Expert Comment

by:Drob8
Comment Utility
Ryan is right on as long as you have a W2K DC to deploy the GPO with. I ran into a similar issue deploying SMS where we decided to define the Client Access Point by creating our own ADM file with the correct registry settings and then loading the GPO on each OU.

That stupid Outlook Security Update that blocks the attachments is a real pain in the rear.

If you need anymore help getting that out, let us know.

Drob
0
 

Author Comment

by:bobsensor
Comment Utility
the purpose of deploying the regestry file, is to add & set the registry key "CheckAdminSettings" to "1" so that outlook check's in the puplic folders to see if the "Outlook Security Settings" is existant. In that folder, I have a file named "Default Security Settings" that alows outlook to use forms with object model, cdo & mapi... without asking the virus question....

that works great!!!.... but the deploying part is where i'm having problems...

- deploying reg file with login script gives me administrative rights problems on client computers (w2k)

- i've also tryed using gpo from dc (w2ks) with the Outlk10.adm ADM but I can't find the part that would set the "CheckAdminSettings" key to "1"??? i'm missing something????

bob
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 1

Expert Comment

by:Drob8
Comment Utility
What you have to do is create your own .ADM template that you can Add into the Group Policies. Check out the following article from Microsoft:

http://support.microsoft.com/default.aspx?scid=kb;en-us;323639

Basically, you stick your registry settings and options in the .ADM file. Add the .ADM template to an object in the group policy. Create a new group policy and the new folder for setting the Outlook Security Settings should now be available. You can set your key to 1 in the Group Policy Editor and then save your changes. Make sure that GPO is applied to the object your users will fall under (OU, Domain, etc)

We've actually just migrated off of NT 4.0 so I will probably do this tonight as well. If you have anymore questions or are having a hard time writing the ADM file, let us know.

Drob
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
HOw to distribute a Registry Change

From Wondows 2000 Magazine April 2001

You can use one of three methods: imported registration (.reg) files, regini.exe, or group or system policies.

***Option 1: Create or Export Registration Files ***

You can distribute .reg files that users can then import into the registries of target computers. All you need to do is create—or use regedit to export, then edit—the .reg files, then distribute them. (Registration files have one serious shortcoming, however: They can't delete anything in the registry. Format the registration file's contents as follows:

<RegistryEditorVersion>
<Blank line>
[<RegistryPath>]
"<DataItemName>"="<DataType>:
<DataValue>"

RegistryEditorVersion
Is whichever version of regedit.exe you're using. This entry identifies the file as a registration file. Regedit automatically adds this information when you export a .reg file, but you must manually enter the information when you create a .reg file. For Windows 2000, the RegistryEditorVersion is Windows Registry Editor Version 5.00; for NT 4.0, the version is Regedit4.

Blank line
Identifies the beginning of a new registry path. (Each individual key or subkey is a new registry path.) When you export a key, the .reg file displays a blank line before each key or subkey. If you have multiple keys in your .reg file, blank lines can help you examine and troubleshoot the contents. (Microsoft's instructions state that the blank line is necessary. However, when I create .reg files and inadvertently forget the blank lines, the files still merge successfully.)

RegistryPath
Is the path to the key that holds the values you're importing. Enclose the path in square brackets, and separate each level of the hierarchy by a backslash—for example, [HKEY_LOCAL_ MACHINE\SOFTWARE\Policies\Microsoft\ Windows\System]. A .reg file can contain multiple registry paths.
When the bottom of the hierarchy that you enter in the path statement doesn't exist in the registry, you're creating a new subkey. Registry files' contents are sent to the registry in the order in which you enter them. Therefore, if you want to create a new key and a subkey below that key, be sure to enter the lines in the proper order. (However, the only reason to create new keys is because you've written software that looks for those keys. Creating new keys isn't a task you perform for system maintenance.)

DataItemName
Is the data item you want to import. When a data item in your file doesn't exist in the registry, the .reg file adds it (with its value). When a data item does exist, the value in your .reg file overwrites the existing value. Quotation marks enclose the name of the data item. An equal sign (=) immediately follows the name of the data item.  

DataType
(i.e., the imported item's data type) immediately follows the equal sign, unless the data type is of REG_SZ (REG_SZ types are strings). For all data types other than REG_SZ, a colon immediately follows the data type. Table 1 shows the entries for five common data types. (Nine data types exist, but the types in Table 1 are likely to be the only ones you'll use for system maintenance.) For information about these data types, see the sidebar "Registry Data Types" (see below).

Data Type         Registration File DataType Entry
 
REG_BINARY        hex

 
REG_DWORD         dword

 
REG_EXPAND_SZ     hex(2)

 
REG_MULTI_SZ      hex(7)

 
REG_SZ            none

DataValue
(i.e., the value you want to import) immediately follows the colon and must be in the appropriate format (i.e., string or hexadecimal—use hex format for binary data items). You can enter multiple data-item lines for the same registry path. For example, the data-item lines

"GroupPolicyRefreshTime"=dword:
00000014
"GroupPolicyRefreshTimeOffset"=
dword:0000000f

reflect the hex entries that these data items require: 00000014 is the hex equivalent of 20, and 0000000f is the hex equivalent of 15. If you're uncomfortable with hex or other nonreadable data, restrict your .reg file creation efforts to items that are neither binary nor hex format.
The registry doesn't have a Boolean data type (although it should, and I can't believe Microsoft hasn't gotten around to this yet). However, Boolean type data is usually a DWORD (4 byte) or String (2 byte) item type in the registry. If you're using your .reg file to change values, check the data item in the registry to make sure you match the data type. You don't need to enter the full string in your .reg file; you can omit leading zeros for all numeric values.

****A Registration File Drawback ****

Registration (.reg) files can't delete anything in the registry

****Heres an Example*****

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecentDocsMenu"=dword:1


****Option 2: Get More Editing Power with Regini.exe*****
 
If scripts are your favorite tools for configuration and setup tasks, you can use regini.exe to apply your scripting skills to registry edits. Regini provides more power than .reg files can muster, including the ability to delete subkeys and data items and to set permissions on registry keys. You can find Regini in the Microsoft Windows 2000 Server Resource Kit and the Microsoft Windows NT Server 4.0 Resource Kit. (I've successfully used the Windows 2000 version of regini.exe on NT machines, and vice versa.) The resource kits also contain full documentation (i.e., regini.doc) for this nifty utility. Regini uses the following syntax:

regini <ScriptFileName>

where ScriptFileName is the path to a script file you've written to perform a specific registry edit. You can use Uniform Naming Convention (UNC) in the path statement if the script is on a network share.

To distribute registry changes that use Regini, you must make the program available to each target computer (assuming that you haven't installed the resource kits across your enterprise). You can use a batch file to map Regini's UNC path and then run the program. For example, if Regini resides on a network share named ResKit on a server named Tools1, you can create the following batch file:

Net use x: \\tools1\reskit
x:\ regini <ScriptFileName>
Net use x: /delete

Regini Features
 
Regini gives you several options for data manipulation. For example, DELETE is a regini.exe keyword that requires only the name of the data item. To remove a data item, enter the following syntax as the second (i.e., data item) line of your script:

DataItemName = DELETE

Putting It All Together
 
As an example of a complete command, review the following script. This command changes computer settings so that the most recent user's name doesn't appear in the Logon dialog box.

\registry\machine\software\micro
soft\windows\currentversionpolicies\system
DontDisplayLastUserName = REG_DWORD 1

*****Option 3: Use Policies *****


You can also distribute registry changes by creating system policies that manipulate the registries of target users. The process you use varies between Windows 2000 (which uses the Microsoft Management Console—MMC—GPE snap-in) and earlier versions of Windows (which use SPE), but in either case, you can build administration (.adm) files to send registry changes to selected computers.

The easiest way to create an .adm file is to use an existing .adm template as a starting point. Templates are text files, and you can open them in Notepad or any text editor. Before you do anything with existing templates, back up the originals. When you modify a template, save the new version with a new filename, even if you've backed up the original. And you must test your new .adm files in a lab environment before you unleash your creation on the enterprise. (See Reader to Reader, ".adm Files and the Headaches They Can Cause," October 1999, for a description of the consequences you might face if you ignore this advice.)

Of course, to implement a registry change through an .adm template, you need to know which registry key to target. The resource kits' registry documentation is rather sparse. To learn my way around the registry, I used a lab environment to plunge in and make system changes with existing policies and Control Panel applets. I used Sysinternals' regmon.exe (available from http://www.sysinternals.com ) to track the resulting registry changes. Eventually, I learned quite a bit about the registry's organization and registry entries' data types.


Where are the Administrative Templates (ADM) located?
http://www.jsiinc.com/SUBK/tip5000/rh5052.htm


*****Links*****

HOW TO: Add, Modify, or Delete Registry Subkeys and Values by Using a Registration Entries (.reg) File
http://support.microsoft.com/?kbid=310516


Distributing Registry Changes
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag01/html/DistributingRegistryChanges.asp


Specify a Script to Run on Startup Shutdown Logon Logoff
http://techsupt.winbatch.com/TS/T000001048F90.html
0
 
LVL 16

Accepted Solution

by:
JammyPak earned 125 total points
Comment Utility
Hi PeteLong, I think you just retyped (or at least cut and pasted) the article I linked to above

:-)
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
Curses, I thought Id left the link of for a second as well :0) You are correct, my appologies

Pete
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

This article will explain how to establish a SSH connection to Ubuntu through the firewall and using a different port other then 22. I have set up a Ubuntu virtual machine in Virtualbox and I am running a Windows 7 workstation. From the Ubuntu vi…
The purpose of this article is to show how we can create Linux Mint virtual machine using Oracle Virtual Box. To install Linux Mint we have to download the ISO file from its website i.e. http://www.linuxmint.com. Once you open the link you will see …
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now