Solved

ADMX to allow users to define names of multiple registry keys

Posted on 2011-03-18
Last Modified: 2012-08-14
I am trying to extend functionality in group policy by creating an ADMX file that will allow me to define multiple websites and have registry keys generated based on these names, both under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ and HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\.

I want to achieve the following:
- a single GPO to define trusted / internal sites for machines that have Enhanced Security Configuration in IE either enabled or disabled
- allow users to add additional sites under trusted / internal sites
- have settings retained when users start a machine that is not connected to the corporate domain
- be able to clean up the registry when sites are removed

The attached .vbs script implements the correct changes to the registry, but does not help with a good GPO implementation.

 
'Array of sites to be added to "Local intranet" in IE:
'(leave an entry empty to skip it; empty entries are never written to the registry)

Dim LIntranet(0)
LIntranet(0) = ""


'Array of sites to be added to "Trusted sites" in IE:

Dim TSites(3)
TSites(0) = "microsoft.com"
TSites(1) = "clockware.com"
TSites(2) = "questback.com"
TSites(3) = "training.com"


'Array of sites to be removed:

Dim RSites(0)
RSites(0) = ""


'Loops to add/remove sites:
'ZoneMap value data: 1 = Local intranet, 2 = Trusted sites.
'Domains is used when IE Enhanced Security Configuration is off, EscDomains when it is on.

Const ZoneMap = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"
Dim i, Domains, EscDomains, WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")

For i = LBound(LIntranet) To UBound(LIntranet)
   If Trim(LIntranet(i)) <> "" Then
      Domains = ZoneMap & "Domains\" & LIntranet(i) & "\*"
      EscDomains = ZoneMap & "EscDomains\" & LIntranet(i) & "\*"
      WshShell.RegWrite Domains, "1", "REG_DWORD"
      WshShell.RegWrite EscDomains, "1", "REG_DWORD"
   End If
Next

For i = LBound(TSites) To UBound(TSites)
   If Trim(TSites(i)) <> "" Then
      Domains = ZoneMap & "Domains\" & TSites(i) & "\*"
      EscDomains = ZoneMap & "EscDomains\" & TSites(i) & "\*"
      WshShell.RegWrite Domains, "2", "REG_DWORD"
      WshShell.RegWrite EscDomains, "2", "REG_DWORD"
   End If
Next

For i = LBound(RSites) To UBound(RSites)
   If Trim(RSites(i)) <> "" Then
      'A trailing backslash makes RegDelete remove the key itself, not just the "*" value.
      'RegDelete raises an error when the key does not exist, so that case is ignored.
      On Error Resume Next
      WshShell.RegDelete ZoneMap & "Domains\" & RSites(i) & "\"
      WshShell.RegDelete ZoneMap & "EscDomains\" & RSites(i) & "\"
      On Error GoTo 0
   End If
Next


Question by:2Thrane
Expert Comment

by:Navdeep
ID: 35165342
Why are you using a script? I mean, is there any roadblock in controlling those configurations using GPOs?
Author Comment

by:2Thrane
ID: 35165382
I set up the script because I could not get a single global GPO to do what I wanted...
This is why I am trying to extend functionality of group policy through an ADMX so that I can do the same as the .vbs in a GPO.
Expert Comment

by:Tasmant
ID: 35166729
You can use a GPO for this: "Site to Zone Assignment List".
This is located here:
computer configuration (or user)\administrative templates\windows components\Internet Explorer\Internet Control Panel\Security Page

I've taken a look at ADMX files, but the domain is processed within the client-side extension to populate Domains, but not EscDomains. So I suppose it could be difficult to create an ADMX file to do it.
Moreover, longer domains with more than one dot in the name are split into subkeys, so it is more difficult to write.
Moreover, as domains are keys, I don't think ADMX can create keys, only values and data.
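The key layout Tasmant describes (a registrable domain key with the remaining host labels as a subkey, the scheme as the value name and the zone number as DWORD data) and the key deletion the asker wants, written as an added PowerShell example that is not the asker's script. It assumes a two-label registrable domain and writes both Domains and EscDomains so the result is the same with ESC on or off.

```powershell
# Added example, not the asker's .vbs. Zone data: 1 = Local intranet, 2 = Trusted sites.
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Get-ZoneMapKeyPaths {
    # "intranet.corp.example.com" -> "example.com\intranet.corp"
    # "example.com"               -> "example.com"
    # Assumes a two-label registrable domain (public suffixes such as co.uk are not handled).
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.Trim().ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) { throw "Not a dotted hostname: $HostName" }
    $rel = ($labels[-2..-1]) -join '.'
    if ($labels.Count -gt 2) {
        $rel += '\' + (($labels[0..($labels.Count - 3)]) -join '.')
    }
    foreach ($root in 'Domains', 'EscDomains') { Join-Path $ZoneMap "$root\$rel" }
}

function Set-SiteZone {
    param([Parameter(Mandatory)][string]$HostName, [ValidateSet(1, 2)][int]$Zone)
    foreach ($key in Get-ZoneMapKeyPaths $HostName) {
        New-Item -Path $key -Force | Out-Null        # ADMX cannot create keys; a script can
        # "*" covers every scheme, as in the .vbs; use "https" instead to trust TLS only.
        New-ItemProperty -Path $key -Name '*' -Value $Zone -PropertyType DWord -Force | Out-Null
    }
}

function Remove-SiteZone {
    # Removes the key, not just the "*" value. Removing a bare "example.com" key
    # also drops every subdomain entry stored beneath it.
    param([Parameter(Mandatory)][string]$HostName)
    foreach ($key in Get-ZoneMapKeyPaths $HostName) {
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    }
}

# Constructed site lists; blank entries are skipped so a " " placeholder never becomes a key.
$Intranet = @()
$Trusted  = @('microsoft.com', 'clockware.com', 'questback.com', 'training.com')
$Removed  = @()
foreach ($h in $Intranet | Where-Object { $_.Trim() }) { Set-SiteZone $h 1 }
foreach ($h in $Trusted  | Where-Object { $_.Trim() }) { Set-SiteZone $h 2 }
foreach ($h in $Removed  | Where-Object { $_.Trim() }) { Remove-SiteZone $h }
```

Because these keys live in HKCU, any process running as the user can add or change zone entries too, so a logon script sets a baseline rather than an enforced state; compare the ZoneMap against the intended list if you need assurance that nothing else has been promoted to Trusted sites.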

Author Comment

by:2Thrane
ID: 35168275
I have looked at "Site to Zone Assignment List", but it seems to me that this prevents users from adding additional sites, which in our environment is a requirement that they can do...
Accepted Solution

by:Tasmant (earned 500 total points)
ID: 35176000
As soon as you use a GPO, it prevents users from configuring the settings themselves.
So a GPO isn't the right way to achieve what you want to do, but a script is fine :)
Author Comment

by:2Thrane
ID: 35176983
What is the best way to push a script by GPO so that it is stored locally on each machine and applied at login both when on and off the corporate network? (This is where I started to doubt whether a script was the way to go.) In addition, any suggestions on how to improve the delete section of the script so that the key is deleted, not just its content?
Author Comment

by:2Thrane
ID: 35229742
Ended up applying the .vbs script I wrote in the logon section of the GPO, which achieved what I needed, but I still feel it is a major weak point that I am unable to achieve this through .admx, but that, I guess, is a question for Microsoft...
Author Closing Comment

by:2Thrane
ID: 35229756
Could not achieve what I wanted due to limitations in .admx, but received good input that allowed me to implement a solution to resolve the issue.