Solved

Distributing registry changes to clients without administrator rights

Posted on 2004-10-11
6
1,683 Views
Last Modified: 2013-12-28
I have changes to 2 registry subkeys that I need to distribute to a number of Windows NT 4.0 clients on my Windows 2003 Server network.

Both changes are to the HKEY_LOCAL_MACHINE subkey but the users do not have local admin rights.

I can write a batch file to do this but it wont work without these rights.
I looked at POLEDIT but it didnt seem to have options for these settings.

Can anyone help....
0
Comment
Question by:STEVEO2
6 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 125 total points
ID: 12280903
How to distribute a Registry Change

From Windows 2000 Magazine April 2001

You can use one of three methods: imported registration (.reg) files, regini.exe, or group or system policies.

***Option 1: Create or Export Registration Files ***

You can distribute .reg files that users can then import into the registries of target computers. All you need to do is create—or use regedit to export, then edit—the .reg files, then distribute them. (Registration files have one serious shortcoming, however: They can't delete anything in the registry. Format the registration file's contents as follows:

<RegistryEditorVersion>
<Blank line>
[<RegistryPath>]
"<DataItemName>"="<DataType>:
<DataValue>"

RegistryEditorVersion
Is whichever version of regedit.exe you're using. This entry identifies the file as a registration file. Regedit automatically adds this information when you export a .reg file, but you must manually enter the information when you create a .reg file. For Windows 2000, the RegistryEditorVersion is Windows Registry Editor Version 5.00; for NT 4.0, the version is Regedit4.

Blank line
Identifies the beginning of a new registry path. (Each individual key or sub key is a new registry path.) When you export a key, the .reg file displays a blank line before each key or sub key. If you have multiple keys in your .reg file, blank lines can help you examine and troubleshoot the contents. (Microsoft's instructions state that the blank line is necessary. However, when I create .reg files and inadvertently forget the blank lines, the files still merge successfully.)

RegistryPath
Is the path to the key that holds the values you're importing. Enclose the path in square brackets, and separate each level of the hierarchy by a backslash—for example, [HKEY_LOCAL_ MACHINE\SOFTWARE\Policies\Microsoft\ Windows\System]. A .reg file can contain multiple registry paths.
When the bottom of the hierarchy that you enter in the path statement doesn't exist in the registry, you're creating a new subkey. Registry files' contents are sent to the registry in the order in which you enter them. Therefore, if you want to create a new key and a subkey below that key, be sure to enter the lines in the proper order. (However, the only reason to create new keys is because you've written software that looks for those keys. Creating new keys isn't a task you perform for system maintenance.)

DataItemName
Is the data item you want to import. When a data item in your file doesn't exist in the registry, the .reg file adds it (with its value). When a data item does exist, the value in your .reg file overwrites the existing value. Quotation marks enclose the name of the data item. An equal sign (=) immediately follows the name of the data item.  

DataType
(i.e., the imported item's data type) immediately follows the equal sign, unless the data type is of REG_SZ (REG_SZ types are strings). For all data types other than REG_SZ, a colon immediately follows the data type. Table 1 shows the entries for five common data types. (Nine data types exist, but the types in Table 1 are likely to be the only ones you'll use for system maintenance.) For information about these data types, see the sidebar "Registry Data Types" (see below).

Data Type         Registration File DataType Entry
 
REG_BINARY        hex

 
REG_DWORD         dword

 
REG_EXPAND_SZ     hex(2)

 
REG_MULTI_SZ      hex(7)

 
REG_SZ            none

DataValue
(i.e., the value you want to import) immediately follows the colon and must be in the appropriate format (i.e., string or hexadecimal—use hex format for binary data items). You can enter multiple data-item lines for the same registry path. For example, the data-item lines

"GroupPolicyRefreshTime"=dword:
00000014
"GroupPolicyRefreshTimeOffset"=
dword:0000000f

reflect the hex entries that these data items require: 00000014 is the hex equivalent of 20, and 0000000f is the hex equivalent of 15. If you're uncomfortable with hex or other nonreadable data, restrict your .reg file creation efforts to items that are neither binary nor hex format.
The registry doesn't have a Boolean data type (although it should, and I can't believe Microsoft hasn't gotten around to this yet). However, Boolean type data is usually a DWORD (4 byte) or String (2 byte) item type in the registry. If you're using your .reg file to change values, check the data item in the registry to make sure you match the data type. You don't need to enter the full string in your .reg file; you can omit leading zeros for all numeric values.

****A Registration File Drawback ****

Registration (.reg) files can't delete anything in the registry

****Here's an Example*****

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecentDocsMenu"=dword:1


****Option 2: Get More Editing Power with Regini.exe*****
 
If scripts are your favourite tools for configuration and setup tasks, you can use regini.exe to apply your scripting skills to registry edits. Regini provides more power than .reg files can muster, including the ability to delete subkeys and data items and to set permissions on registry keys. You can find Regini in the Microsoft Windows 2000 Server Resource Kit and the Microsoft Windows NT Server 4.0 Resource Kit. (I've successfully used the Windows 2000 version of regini.exe on NT machines, and vice versa.) The resource kits also contain full documentation (i.e., regini.doc) for this nifty utility. Regini uses the following syntax:

regini <ScriptFileName>

where ScriptFileName is the path to a script file you've written to perform a specific registry edit. You can use Uniform Naming Convention (UNC) in the path statement if the script is on a network share.

To distribute registry changes that use Regini, you must make the program available to each target computer (assuming that you haven't installed the resource kits across your enterprise). You can use a batch file to map Regini's UNC path and then run the program. For example, if Regini resides on a network share named ResKit on a server named Tools1, you can create the following batch file:

Net use x: \\tools1\reskit
x:\ regini <ScriptFileName>
Net use x: /delete

Regini Features
 
Regini gives you several options for data manipulation. For example, DELETE is a regini.exe keyword that requires only the name of the data item. To remove a data item, enter the following syntax as the second (i.e., data item) line of your script:

DataItemName = DELETE

Putting It All Together
 
As an example of a complete command, review the following script. This command changes computer settings so that the most recent user's name doesn't appear in the Logon dialog box.

\registry\machine\software\micro
soft\windows\currentversionpolicies\system
DontDisplayLastUserName = REG_DWORD 1

*****Option 3: Use Policies *****


You can also distribute registry changes by creating system policies that manipulate the registries of target users. The process you use varies between Windows 2000 (which uses the Microsoft Management Console—MMC—GPE snap-in) and earlier versions of Windows (which use SPE), but in either case, you can build administration (.adm) files to send registry changes to selected computers.

The easiest way to create an .adm file is to use an existing .adm template as a starting point. Templates are text files, and you can open them in Notepad or any text editor. Before you do anything with existing templates, back up the originals. When you modify a template, save the new version with a new filename, even if you've backed up the original. And you must test your new .adm files in a lab environment before you unleash your creation on the enterprise. (See Reader to Reader, ".adm Files and the Headaches They Can Cause," October 1999, for a description of the consequences you might face if you ignore this advice.)

Of course, to implement a registry change through an .adm template, you need to know which registry key to target. The resource kits' registry documentation is rather sparse. To learn my way around the registry, I used a lab environment to plunge in and make system changes with existing policies and Control Panel applets. I used Sysinternals' regmon.exe (available from http://www.sysinternals.com ) to track the resulting registry changes. Eventually, I learned quite a bit about the registry's organization and registry entries' data types.


Where are the Administrative Templates (ADM) located?
http://www.jsiinc.com/SUBK/tip5000/rh5052.htm


*****Links*****

HOW TO: Add, Modify, or Delete Registry Subkeys and Values by Using a Registration Entries (.reg) File
http://support.microsoft.com/?kbid=310516


Distributing Registry Changes
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag01/html/DistributingRegistryChanges.asp


Specify a Script to Run on Startup Shutdown Logon Logoff
http://techsupt.winbatch.com/TS/T000001048F90.html

Ref: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag01/html/DistributingRegistryChanges.asp
0
 
LVL 10

Assisted Solution

by:Longbow
Longbow earned 125 total points
ID: 12285451
You can use the Pstools Suite from http://www.sysinternals.com
Create a login script with the next syntax :
Psexec.exe -u Administrator -p Password "regedit" /s c:\folder\file.reg

The registry keys will be imported in the user registry with the rights
 for the Administrator permissions, in this case.

Type psexec /? for more options.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 12296580
An .adm file for the use with poledit is (probably) easily created; what exactly are the keys you want to change, which data should they have, which types are the values?
0
 
LVL 1

Expert Comment

by:troops993
ID: 12316900
Below is an adm i created to change requested registry keys.

Hopefully you can see what is going on. If not post the Reg keys that you need to change and one of us will create an adm for you to import to AD.

Regards

|-------------------------------------------------ADM BELOW---------------------------------------------------|
CLASS MACHINE

CATEGORY !!SystemCat

      CATEGORY !!USBServicesCat

            POLICY !!USBMassStorage

                  KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
                  #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                  #endif

                  #if version >= 3
                        EXPLAIN !!USBStorageCfg_Help
                  #endif                  


                  VALUENAME "Start"
                        VALUEOFF NUMERIC 3
                        VALUEON NUMERIC 4

            END POLICY
END CATEGORY ;; USBServicesCat
[Strings]
SystemCat="System"
USBMassStorage="Disable Access to USB Storage Devices"
SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"
PowerCfg_Help=" Disables the Power Config"
USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading"
|-------------------------------------------------ADM END---------------------------------------------------|
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

This is an article about Leadership and accepting and adapting to new challenges. It focuses mostly on upgrading to Windows 10.
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now