Solved

Deploying a .reg via GPO

Posted on 2006-06-26
15
1,051 Views
Last Modified: 2008-02-01
I have a .reg file that is used to enable all users (not just admins) to be able to manually perform a live update from Symantec. What this does is it makes the update button not 'grayed out'. It works fine by double clicking the .reg on a machine, however, I want to deploy this to only certain OU's via Group Policy. I know there has to be a way to do this. Here is what it looks like ...

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager]
"EnableAllUsers"=dword:00000001

With the above, it works fine when launched on the local machine. It makes that proper modification to the registry and the Symantec update button is not 'grayed out' while using a non admin account.

I just need to know how to get this .reg file applied via a GPO.

Thanks
0
Comment
Question by:wadehood
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
15 Comments
 
LVL 7

Expert Comment

by:ingetic
ID: 16988127
you can add it simply at startup script with GPO for computers,
use REGEDIT /s /i file.reg in a batch file

or modify the registry with vbs (more simple)
0
 
LVL 13

Expert Comment

by:itcoza
ID: 16988134
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16989200
take a look at the NUTS package, it converts .reg to ADM's
http://yizhar.mvps.org/

either that or do some reading on the ADM language
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 16

Expert Comment

by:kshays
ID: 16991990
Use a .ADM file that will be placed inside your windows\inf directory.

CLASS MACHINE
  CATEGORY !!Desc
    POLICY "Set a title here"
    EXPLAIN !!Set_RegSetting
    KEYNAME "SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager"
    PART "Choose a setting:"  EDITTEXT REQUIRED
      VALUENAME "EnableAllUsers"
    END PART

    END POLICY

  END CATEGORY

  [strings]
  Desc="Give it a description here"
  SetRegSetting="Sets the registry setting."



Here is a small example of a adm file I created to push out IE settings.

-- start --
CLASS USER
  CATEGORY !!Desc
    POLICY "Sets internet explorer proxy settings."
      EXPLAIN !!Set_Proxy
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"

          PART "Choose a proxy setting:"  EDITTEXT REQUIRED
            VALUENAME "ProxyServer"
          END PART

    END POLICY

    POLICY !!Use_IE_Proxy
      EXPLAIN "Set to enable if you wish to force the client to use this proxy setting"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"

          PART "Force client to use proxy." CHECKBOX DEFCHECKED
            VALUENAME "ProxyEnable"
          VALUEON "1"
            VALUEOFF "0"
          END PART

    END POLICY


    POLICY !!Proxy_Override
      EXPLAIN "Override Proxy for IP based addresses."
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"

          PART "Choose a proxy setting:"  EDITTEXT REQUIRED
            VALUENAME "ProxyOverride"
          END PART

    END POLICY


  END CATEGORY

  [strings]
  Desc="Override IE Proxy Settings"
  Pol="Sets IE proxy settings"
  Set_Proxy="Sets the proxy settings in IE."
  Use_IE_Proxy="Force IE Proxy to be used on client"
  Proxy_Override="Override the proxy for these IP addresses."

-- end --


I think that should do, if not you can look at the one I did above and modify it to fit your needs.

regards,

kshays
0
 
LVL 16

Expert Comment

by:kshays
ID: 16992005
EXPLAIN !!Set_RegSetting

This should read as follows:  EXPLAIN !!SetRegSetting
0
 

Author Comment

by:wadehood
ID: 16993106
Looks like a .ADM file will do the trick. However, if I want to apply this to only laptops, and not desktops, is there a way to do this easliy? Some users have two machines. I want this feature enable only on the laptops so that when they are away from my SAV server, they can update their def's without having to use an admin account.
0
 
LVL 16

Expert Comment

by:kshays
ID: 16993249
Create an OU and move those laptops into that OU then link the GPO to the laptops OU.

0
 

Author Comment

by:wadehood
ID: 16993306
kshays and all,

Thanks for the help. Is there a way to apply the .adm file? I know there is a way, can someone put me to a website or give me step by step.

Thanks
0
 
LVL 16

Expert Comment

by:kshays
ID: 16993338
once you are editing the gpo under the computer configuration right click on the administrative templates and select to add adm template.  Make sure you place the .adm file in the windows/inf folder first though.  Once that is done you might have to click on view and either check or uncheck both options so you can see all settings.  If you want specific steps I can provide them, but you should be able to handle it after you right click on the administrative template folder and add the adm file.

No problems, anytime.

kshays
0
 

Author Comment

by:wadehood
ID: 16993563
kshays,

Cool, I understand how to apply the .adm via the administrative templates. I think my .adm file is wrong though. I took the .reg file and used a conversion tool. It is by NUTS and this is what it converted it to. Does this look right to you? By looking at the .reg file in my first post, does this look correct? I ask because you seem to know your .ADM stuff, which is totally cool since I am brand new to this stuff. If the GPO works correctly, I should be able to see the change in the registry, right?

CLASS MACHINE

CATEGORY "SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager"
KEYNAME "SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager"

 POLICY "EnableAllUsers"
  PART "EnableAllUsers"
  NUMERIC
  VALUENAME "EnableAllUsers"
  END PART
 END POLICY

END CATEGORY
0
 
LVL 16

Accepted Solution

by:
kshays earned 125 total points
ID: 16993748
Hmm, at first glance there are a couple of things I would do different.

Just a suggestion.

CLASS MACHINE
  CATEGORY "Lan Desk Settings"
    POLICY "Sets Pattern Manager for Users"
    EXPLAIN "Give a brief description of how to use the policy and what this policy is for."
    KEYNAME "SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager"
      PART "Force users on PatternManager." CHECKBOX DEFCHECKED
        VALUENAME "EnableAllUsers"
      VALUEON "1"
        VALUEOFF "0"
      END PART
    END POLICY
  END CATEGORY

Try that one and see if it works for you.  It's just a checkbox you can check if you want them to enable it or not.

The other one looks like it would work, but I like to be more descriptive though.  If it doesn't work I might have left a " out of place.  I double checked it, but I could always overlook something though. :)

kshays
0
 

Author Comment

by:wadehood
ID: 16994769
kshays,

Man, I am struggling on this one. Let me see if I am doing things right. I take this adm file and put it into the windows\inf folder. I then go to the GPMC and create a new gpo. In that gpo, i go to computer configuration-->administrative templates, right click and say add new template. I add the template that I just put in the windows\inf folder and close. I then apply the template to the laptop ou.

Does this sound right?

Maybe my .adm file is not quite right. I tried mine and yours. It seems that if it was working that it would show up in the registry under

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager]
"EnableAllUsers"=dword:00000001

The above is the .reg file. It does not look that hard to me, however, me being new to this, what do I know.

Thanks in advance for your help!
0
 
LVL 16

Expert Comment

by:kshays
ID: 16994864
I think we've all been there at some point :)

What did you name your adm file?  Landesk.adm is an example.

Sounds correct so far.

While you still have the administrative templates still highlighed click on "view/filtering".  Make sure both check boxes are unchecked at the bottom where it says "only show configured policy settings and only show policy settings that can be fully managed."

The last one needs to be unchecked for sure, because the registry setting cannot be fully managed according to the group policy for some reason.  Once you do that then you should see your new created "category" under the administrative templates now.

You have moved a test laptop in the laptop OU correct?  What OS is running on the laptop?  If it's XP with sp2 then disable the firewall for the time being so it will not hinder the group policy propagation to it.

Once you move the laptops in the OU login to the laptop and then click on "start/run/gpupdate /force" and then reboot.
You should see the entry in the registry the next time you login to the laptop.

kshays

0
 

Author Comment

by:wadehood
ID: 16995449
kshays!!!!!!!!!!

You are the BOMB!!! Worked fine, I was missing the "view/filtering" which was not letting me enable the gpo setting. Once I did that, I saw where your box was for enable/disable.
I want to say thank you very much and I hope we can continue to work together on stuff like this.
Thanks!
0
 
LVL 16

Expert Comment

by:kshays
ID: 16995494
Sweet !
Thanks :)  I try anyway.

Anyway, you are very welcome.  I'm glad you got it working :)
I'm sure we'll meet up again.

No problem, have a good day :)

Kevin
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question