Solved

Need to deploy a registry setting via Group Policy

Posted on 2007-12-03
13
26,712 Views
Last Modified: 2011-08-18
Need to deploy the following to all of my workstations, was hoping for through Group Policy:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\]
"KeepAliveTime"=dword:00124f80

I ran it through REG to ADM, and got the following:

CLASS MACHINE
CATEGORY "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"
KEYNAME "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"
 POLICY "KeepAliveTime"
  PART "KeepAliveTime"
  NUMERIC
  VALUENAME "KeepAliveTime"
  END PART
 END POLICY
END CATEGORY

But when I import the ADM file to a GP object, It just shows on the left side in the tree--no values to configure on the right (I thought I'd see at the very least "Enable / Disable")

Am I missing something stupid?
0
Comment
Question by:dav-i-son
  • 5
  • 3
  • 2
  • +2
13 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 50 total points
ID: 20395379
Distribute Registry Entries via Grop policy

On an Client PC (that has the admin tools installed) set up the registry key as required (HKLM, HKU or HKCR only)
Start > Run > dsa.msc
Launch the policy editor (right click Domain/OU> Properties> Group policy)
Navigate to, Computer configuration > Windows Settings > Security Settings > Registry

Right click in the right hand pane > add Key
Navigate to the key you set up earlier.




How to add, modify, or delete registry subkeys and values by using a registration entries (.reg) file
http://support.microsoft.com/default.aspx?kbid=310516
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20395459
There used to be a nice tool dor doing this the policy maker registry extention but it is no longer available - for other options see http://www.windowsecurity.com/articles/Pushing-Out-Security-Settings-Configured-Registry.html
0
 

Author Comment

by:dav-i-son
ID: 20395650
Pete-

Doesn't that "section" of a GPO just set the security on the key... to use in a case where I want the user to be able to set the _value_  on their own?

When I ran the report on the policy in GPMC, it came up with the security descriptors I set, but didn't mention the value.
0
 

Author Comment

by:dav-i-son
ID: 20395722
KCTS-

PolicyMaker seems to still do the Registry settings (just installed it), but I'll have a tough time getting funding for licensing 600+ PC's just for one little registry setting.  For that, I could do the import just using a script like reg /s keepalive.reg with the contents above in it.

Any other ideas?  Thanks though--you were on a close track, I think
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20395779
The policymaker extention I was refering to used to be free - but it seems to have disappeared -!
0
 

Author Comment

by:dav-i-son
ID: 20395786
Aww, nuts!
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 83

Assisted Solution

by:oBdA
oBdA earned 150 total points
ID: 20396011
In the GPO editor, highlight "Administrative Templates" in the Computer Configuration tree, and choose "Filter" form the View menu. Uncheck "Show only policies that can be fully managed", and you'll find your setting.
Note that this will "brand" or "tattoo" your registry, just as if you would have imported a reg file or set the value manually; it will NOT change/reset to the former value if you delete the GPO!
0
 

Author Comment

by:dav-i-son
ID: 20396110
oBdA-

That worked (to a point)... I need to get the value "1200000" configured.  When I tried to enter that, it said the maximum was 9999, and that it would replace my entry w/ that.  Any way I can get the ADM file I created (or edit the ADM file) to support an entry of 1200000 ?

Thanks in advance!
0
 
LVL 83

Accepted Solution

by:
oBdA earned 150 total points
ID: 20396211
Try this:

CLASS MACHINE

CATEGORY "Configure TCP keep-alive transmissions"

KEYNAME "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"

 POLICY "KeepAliveTime"

  PART "KeepAliveTime"

  NUMERIC

  MIN 1

  MAX 4294967295

  VALUENAME "KeepAliveTime"

  END PART

 END POLICY

END CATEGORY

Open in new window

0
 

Author Comment

by:dav-i-son
ID: 20396309
oBdA-

That did it!

I don't think I have to worry too much about tattooing--I can issue a command to remove the entry, if necessary (as it didn't exist before).

Thanks!

Ken
0
 

Expert Comment

by:youngslim
ID: 24803894
Hey - something obvious just hit me.

Why not download the two MS files - the enable and disable workaround msi's - and do a software install through the group policy? You'd have to restart your pc's, but, unlike scripts, you could see the thing running on reboot. It is another way to skin the cat . . .
0
 

Expert Comment

by:youngslim
ID: 24803902
Oh - I haven't test the above yet - but the enable and disable msi's can be downloaded at
http://support.microsoft.com/kb/972890
which is the consumer link

0
 

Expert Comment

by:youngslim
ID: 24804163
Sorry - posted to wrong open question.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

This is my first article in EE and english is not my mother tongue so any comments you have or any corrections you would like to make, please feel free to speak up :) For those of you working with AD, you already are very familiar with the classi…
[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now