Solved

Deploying a .reg via GPO

Posted on 2006-06-26
15
1,046 Views
Last Modified: 2008-02-01
I have a .reg file that is used to enable all users (not just admins) to be able to manually perform a live update from Symantec. What this does is it makes the update button not 'grayed out'. It works fine by double clicking the .reg on a machine, however, I want to deploy this to only certain OU's via Group Policy. I know there has to be a way to do this. Here is what it looks like ...

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager]
"EnableAllUsers"=dword:00000001

With the above, it works fine when launched on the local machine. It makes that proper modification to the registry and the Symantec update button is not 'grayed out' while using a non admin account.

I just need to know how to get this .reg file applied via a GPO.

Thanks
0
Comment
Question by:wadehood
15 Comments
 
LVL 7

Expert Comment

by:ingetic
ID: 16988127
you can add it simply at startup script with GPO for computers,
use REGEDIT /s /i file.reg in a batch file

or modify the registry with vbs (more simple)
0
 
LVL 13

Expert Comment

by:itcoza
ID: 16988134
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16989200
take a look at the NUTS package, it converts .reg to ADM's
http://yizhar.mvps.org/

either that or do some reading on the ADM language
0
 
LVL 16

Expert Comment

by:kshays
ID: 16991990
Use a .ADM file that will be placed inside your windows\inf directory.

CLASS MACHINE
  CATEGORY !!Desc
    POLICY "Set a title here"
    EXPLAIN !!Set_RegSetting
    KEYNAME "SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager"
    PART "Choose a setting:"  EDITTEXT REQUIRED
      VALUENAME "EnableAllUsers"
    END PART

    END POLICY

  END CATEGORY

  [strings]
  Desc="Give it a description here"
  SetRegSetting="Sets the registry setting."



Here is a small example of a adm file I created to push out IE settings.

-- start --
CLASS USER
  CATEGORY !!Desc
    POLICY "Sets internet explorer proxy settings."
      EXPLAIN !!Set_Proxy
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"

          PART "Choose a proxy setting:"  EDITTEXT REQUIRED
            VALUENAME "ProxyServer"
          END PART

    END POLICY

    POLICY !!Use_IE_Proxy
      EXPLAIN "Set to enable if you wish to force the client to use this proxy setting"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"

          PART "Force client to use proxy." CHECKBOX DEFCHECKED
            VALUENAME "ProxyEnable"
          VALUEON "1"
            VALUEOFF "0"
          END PART

    END POLICY


    POLICY !!Proxy_Override
      EXPLAIN "Override Proxy for IP based addresses."
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"

          PART "Choose a proxy setting:"  EDITTEXT REQUIRED
            VALUENAME "ProxyOverride"
          END PART

    END POLICY


  END CATEGORY

  [strings]
  Desc="Override IE Proxy Settings"
  Pol="Sets IE proxy settings"
  Set_Proxy="Sets the proxy settings in IE."
  Use_IE_Proxy="Force IE Proxy to be used on client"
  Proxy_Override="Override the proxy for these IP addresses."

-- end --


I think that should do, if not you can look at the one I did above and modify it to fit your needs.

regards,

kshays
0
 
LVL 16

Expert Comment

by:kshays
ID: 16992005
EXPLAIN !!Set_RegSetting

This should read as follows:  EXPLAIN !!SetRegSetting
0
 

Author Comment

by:wadehood
ID: 16993106
Looks like a .ADM file will do the trick. However, if I want to apply this to only laptops, and not desktops, is there a way to do this easliy? Some users have two machines. I want this feature enable only on the laptops so that when they are away from my SAV server, they can update their def's without having to use an admin account.
0
 
LVL 16

Expert Comment

by:kshays
ID: 16993249
Create an OU and move those laptops into that OU then link the GPO to the laptops OU.

0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:wadehood
ID: 16993306
kshays and all,

Thanks for the help. Is there a way to apply the .adm file? I know there is a way, can someone put me to a website or give me step by step.

Thanks
0
 
LVL 16

Expert Comment

by:kshays
ID: 16993338
once you are editing the gpo under the computer configuration right click on the administrative templates and select to add adm template.  Make sure you place the .adm file in the windows/inf folder first though.  Once that is done you might have to click on view and either check or uncheck both options so you can see all settings.  If you want specific steps I can provide them, but you should be able to handle it after you right click on the administrative template folder and add the adm file.

No problems, anytime.

kshays
0
 

Author Comment

by:wadehood
ID: 16993563
kshays,

Cool, I understand how to apply the .adm via the administrative templates. I think my .adm file is wrong though. I took the .reg file and used a conversion tool. It is by NUTS and this is what it converted it to. Does this look right to you? By looking at the .reg file in my first post, does this look correct? I ask because you seem to know your .ADM stuff, which is totally cool since I am brand new to this stuff. If the GPO works correctly, I should be able to see the change in the registry, right?

CLASS MACHINE

CATEGORY "SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager"
KEYNAME "SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager"

 POLICY "EnableAllUsers"
  PART "EnableAllUsers"
  NUMERIC
  VALUENAME "EnableAllUsers"
  END PART
 END POLICY

END CATEGORY
0
 
LVL 16

Accepted Solution

by:
kshays earned 125 total points
ID: 16993748
Hmm, at first glance there are a couple of things I would do different.

Just a suggestion.

CLASS MACHINE
  CATEGORY "Lan Desk Settings"
    POLICY "Sets Pattern Manager for Users"
    EXPLAIN "Give a brief description of how to use the policy and what this policy is for."
    KEYNAME "SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager"
      PART "Force users on PatternManager." CHECKBOX DEFCHECKED
        VALUENAME "EnableAllUsers"
      VALUEON "1"
        VALUEOFF "0"
      END PART
    END POLICY
  END CATEGORY

Try that one and see if it works for you.  It's just a checkbox you can check if you want them to enable it or not.

The other one looks like it would work, but I like to be more descriptive though.  If it doesn't work I might have left a " out of place.  I double checked it, but I could always overlook something though. :)

kshays
0
 

Author Comment

by:wadehood
ID: 16994769
kshays,

Man, I am struggling on this one. Let me see if I am doing things right. I take this adm file and put it into the windows\inf folder. I then go to the GPMC and create a new gpo. In that gpo, i go to computer configuration-->administrative templates, right click and say add new template. I add the template that I just put in the windows\inf folder and close. I then apply the template to the laptop ou.

Does this sound right?

Maybe my .adm file is not quite right. I tried mine and yours. It seems that if it was working that it would show up in the registry under

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager]
"EnableAllUsers"=dword:00000001

The above is the .reg file. It does not look that hard to me, however, me being new to this, what do I know.

Thanks in advance for your help!
0
 
LVL 16

Expert Comment

by:kshays
ID: 16994864
I think we've all been there at some point :)

What did you name your adm file?  Landesk.adm is an example.

Sounds correct so far.

While you still have the administrative templates still highlighed click on "view/filtering".  Make sure both check boxes are unchecked at the bottom where it says "only show configured policy settings and only show policy settings that can be fully managed."

The last one needs to be unchecked for sure, because the registry setting cannot be fully managed according to the group policy for some reason.  Once you do that then you should see your new created "category" under the administrative templates now.

You have moved a test laptop in the laptop OU correct?  What OS is running on the laptop?  If it's XP with sp2 then disable the firewall for the time being so it will not hinder the group policy propagation to it.

Once you move the laptops in the OU login to the laptop and then click on "start/run/gpupdate /force" and then reboot.
You should see the entry in the registry the next time you login to the laptop.

kshays

0
 

Author Comment

by:wadehood
ID: 16995449
kshays!!!!!!!!!!

You are the BOMB!!! Worked fine, I was missing the "view/filtering" which was not letting me enable the gpo setting. Once I did that, I saw where your box was for enable/disable.
I want to say thank you very much and I hope we can continue to work together on stuff like this.
Thanks!
0
 
LVL 16

Expert Comment

by:kshays
ID: 16995494
Sweet !
Thanks :)  I try anyway.

Anyway, you are very welcome.  I'm glad you got it working :)
I'm sure we'll meet up again.

No problem, have a good day :)

Kevin
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

I have never ceased to be amazed how many problems you can encounter on a fresh install of a Windows operating system.  This is certainly case in point& Unable to complete ANY MSI installation.  This means Windows Updates are failing and I can't …
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now