Solved

Deploying a .reg via GPO

Posted on 2006-06-26
15
1,047 Views
Last Modified: 2008-02-01
I have a .reg file that is used to enable all users (not just admins) to be able to manually perform a live update from Symantec. What this does is it makes the update button not 'grayed out'. It works fine by double clicking the .reg on a machine, however, I want to deploy this to only certain OU's via Group Policy. I know there has to be a way to do this. Here is what it looks like ...

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager]
"EnableAllUsers"=dword:00000001

With the above, it works fine when launched on the local machine. It makes that proper modification to the registry and the Symantec update button is not 'grayed out' while using a non admin account.

I just need to know how to get this .reg file applied via a GPO.

Thanks
0
Comment
Question by:wadehood
15 Comments
 
LVL 7

Expert Comment

by:ingetic
ID: 16988127
you can add it simply at startup script with GPO for computers,
use REGEDIT /s /i file.reg in a batch file

or modify the registry with vbs (more simple)
0
 
LVL 13

Expert Comment

by:itcoza
ID: 16988134
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16989200
take a look at the NUTS package, it converts .reg to ADM's
http://yizhar.mvps.org/

either that or do some reading on the ADM language
0
 
LVL 16

Expert Comment

by:kshays
ID: 16991990
Use a .ADM file that will be placed inside your windows\inf directory.

CLASS MACHINE
  CATEGORY !!Desc
    POLICY "Set a title here"
    EXPLAIN !!Set_RegSetting
    KEYNAME "SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager"
    PART "Choose a setting:"  EDITTEXT REQUIRED
      VALUENAME "EnableAllUsers"
    END PART

    END POLICY

  END CATEGORY

  [strings]
  Desc="Give it a description here"
  SetRegSetting="Sets the registry setting."



Here is a small example of a adm file I created to push out IE settings.

-- start --
CLASS USER
  CATEGORY !!Desc
    POLICY "Sets internet explorer proxy settings."
      EXPLAIN !!Set_Proxy
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"

          PART "Choose a proxy setting:"  EDITTEXT REQUIRED
            VALUENAME "ProxyServer"
          END PART

    END POLICY

    POLICY !!Use_IE_Proxy
      EXPLAIN "Set to enable if you wish to force the client to use this proxy setting"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"

          PART "Force client to use proxy." CHECKBOX DEFCHECKED
            VALUENAME "ProxyEnable"
          VALUEON "1"
            VALUEOFF "0"
          END PART

    END POLICY


    POLICY !!Proxy_Override
      EXPLAIN "Override Proxy for IP based addresses."
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"

          PART "Choose a proxy setting:"  EDITTEXT REQUIRED
            VALUENAME "ProxyOverride"
          END PART

    END POLICY


  END CATEGORY

  [strings]
  Desc="Override IE Proxy Settings"
  Pol="Sets IE proxy settings"
  Set_Proxy="Sets the proxy settings in IE."
  Use_IE_Proxy="Force IE Proxy to be used on client"
  Proxy_Override="Override the proxy for these IP addresses."

-- end --


I think that should do, if not you can look at the one I did above and modify it to fit your needs.

regards,

kshays
0
 
LVL 16

Expert Comment

by:kshays
ID: 16992005
EXPLAIN !!Set_RegSetting

This should read as follows:  EXPLAIN !!SetRegSetting
0
 

Author Comment

by:wadehood
ID: 16993106
Looks like a .ADM file will do the trick. However, if I want to apply this to only laptops, and not desktops, is there a way to do this easliy? Some users have two machines. I want this feature enable only on the laptops so that when they are away from my SAV server, they can update their def's without having to use an admin account.
0
 
LVL 16

Expert Comment

by:kshays
ID: 16993249
Create an OU and move those laptops into that OU then link the GPO to the laptops OU.

0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:wadehood
ID: 16993306
kshays and all,

Thanks for the help. Is there a way to apply the .adm file? I know there is a way, can someone put me to a website or give me step by step.

Thanks
0
 
LVL 16

Expert Comment

by:kshays
ID: 16993338
once you are editing the gpo under the computer configuration right click on the administrative templates and select to add adm template.  Make sure you place the .adm file in the windows/inf folder first though.  Once that is done you might have to click on view and either check or uncheck both options so you can see all settings.  If you want specific steps I can provide them, but you should be able to handle it after you right click on the administrative template folder and add the adm file.

No problems, anytime.

kshays
0
 

Author Comment

by:wadehood
ID: 16993563
kshays,

Cool, I understand how to apply the .adm via the administrative templates. I think my .adm file is wrong though. I took the .reg file and used a conversion tool. It is by NUTS and this is what it converted it to. Does this look right to you? By looking at the .reg file in my first post, does this look correct? I ask because you seem to know your .ADM stuff, which is totally cool since I am brand new to this stuff. If the GPO works correctly, I should be able to see the change in the registry, right?

CLASS MACHINE

CATEGORY "SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager"
KEYNAME "SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager"

 POLICY "EnableAllUsers"
  PART "EnableAllUsers"
  NUMERIC
  VALUENAME "EnableAllUsers"
  END PART
 END POLICY

END CATEGORY
0
 
LVL 16

Accepted Solution

by:
kshays earned 125 total points
ID: 16993748
Hmm, at first glance there are a couple of things I would do different.

Just a suggestion.

CLASS MACHINE
  CATEGORY "Lan Desk Settings"
    POLICY "Sets Pattern Manager for Users"
    EXPLAIN "Give a brief description of how to use the policy and what this policy is for."
    KEYNAME "SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager"
      PART "Force users on PatternManager." CHECKBOX DEFCHECKED
        VALUENAME "EnableAllUsers"
      VALUEON "1"
        VALUEOFF "0"
      END PART
    END POLICY
  END CATEGORY

Try that one and see if it works for you.  It's just a checkbox you can check if you want them to enable it or not.

The other one looks like it would work, but I like to be more descriptive though.  If it doesn't work I might have left a " out of place.  I double checked it, but I could always overlook something though. :)

kshays
0
 

Author Comment

by:wadehood
ID: 16994769
kshays,

Man, I am struggling on this one. Let me see if I am doing things right. I take this adm file and put it into the windows\inf folder. I then go to the GPMC and create a new gpo. In that gpo, i go to computer configuration-->administrative templates, right click and say add new template. I add the template that I just put in the windows\inf folder and close. I then apply the template to the laptop ou.

Does this sound right?

Maybe my .adm file is not quite right. I tried mine and yours. It seems that if it was working that it would show up in the registry under

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager]
"EnableAllUsers"=dword:00000001

The above is the .reg file. It does not look that hard to me, however, me being new to this, what do I know.

Thanks in advance for your help!
0
 
LVL 16

Expert Comment

by:kshays
ID: 16994864
I think we've all been there at some point :)

What did you name your adm file?  Landesk.adm is an example.

Sounds correct so far.

While you still have the administrative templates still highlighed click on "view/filtering".  Make sure both check boxes are unchecked at the bottom where it says "only show configured policy settings and only show policy settings that can be fully managed."

The last one needs to be unchecked for sure, because the registry setting cannot be fully managed according to the group policy for some reason.  Once you do that then you should see your new created "category" under the administrative templates now.

You have moved a test laptop in the laptop OU correct?  What OS is running on the laptop?  If it's XP with sp2 then disable the firewall for the time being so it will not hinder the group policy propagation to it.

Once you move the laptops in the OU login to the laptop and then click on "start/run/gpupdate /force" and then reboot.
You should see the entry in the registry the next time you login to the laptop.

kshays

0
 

Author Comment

by:wadehood
ID: 16995449
kshays!!!!!!!!!!

You are the BOMB!!! Worked fine, I was missing the "view/filtering" which was not letting me enable the gpo setting. Once I did that, I saw where your box was for enable/disable.
I want to say thank you very much and I hope we can continue to work together on stuff like this.
Thanks!
0
 
LVL 16

Expert Comment

by:kshays
ID: 16995494
Sweet !
Thanks :)  I try anyway.

Anyway, you are very welcome.  I'm glad you got it working :)
I'm sure we'll meet up again.

No problem, have a good day :)

Kevin
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Removing self-signed Exchange 2007 Certificate 8 79
exchange, windows server 6 55
Question about AD permissions 2 58
DHCP restore question Server 2003 to 2012 3 46
So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
Learn about cloud computing and its benefits for small business owners.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

948 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now