2Thrane (Norway) asked:
ADMX to allow users to define names of multiple registry keys

I am trying to extend functionality in group policy by creating an ADMX file that will allow me to define multiple web sites and have registry keys generated based on these names, both under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ and HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\.

I want to achieve the following:
- single GPO to define trusted / internal sites for machines that either have enhanced security configuration in IE enabled or disabled
- allow users to add additional sites under trusted / internal sites
- have settings retained when users start machine when not connected to corporate domain
- be able to clean up registry when sites are removed

The attached .vbs script implements the correct changes to the registry, but does not help with a good GPO implementation.

' Array of sites to be added to "Local intranet" in IE (zone 1).
' Leave an entry blank to skip it.
Dim LIntranet(0)
LIntranet(0) = ""

' Array of sites to be added to "Trusted sites" in IE (zone 2):
Dim TSites(3)
TSites(0) = "microsoft.com"
TSites(1) = "clockware.com"
TSites(2) = "questback.com"
TSites(3) = "training.com"

' Array of sites to be removed:
Dim RSites(0)
RSites(0) = ""

' Both ZoneMap trees are written so the same sites apply whether or not
' IE Enhanced Security Configuration is enabled on the machine.
Const BaseKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"

Dim i, WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")

' Adds a site to the given zone under both Domains and EscDomains.
Sub AddSite(site, zone)
   If Trim(site) = "" Then Exit Sub   ' skip empty placeholder entries
   WshShell.RegWrite BaseKey & "Domains\" & site & "\*", zone, "REG_DWORD"
   WshShell.RegWrite BaseKey & "EscDomains\" & site & "\*", zone, "REG_DWORD"
End Sub

' Removes a site: delete the "*" value first, then the now-empty key.
' A path ending in "\" tells RegDelete to delete the key itself rather
' than a value; this only succeeds when the key has no subkeys.
Sub RemoveSite(site)
   If Trim(site) = "" Then Exit Sub
   On Error Resume Next   ' ignore sites that are not present
   WshShell.RegDelete BaseKey & "Domains\" & site & "\*"
   WshShell.RegDelete BaseKey & "Domains\" & site & "\"
   WshShell.RegDelete BaseKey & "EscDomains\" & site & "\*"
   WshShell.RegDelete BaseKey & "EscDomains\" & site & "\"
   On Error GoTo 0
End Sub

' Loops to add/remove sites:
For i = LBound(LIntranet) To UBound(LIntranet)
   AddSite LIntranet(i), 1
Next
For i = LBound(TSites) To UBound(TSites)
   AddSite TSites(i), 2
Next
For i = LBound(RSites) To UBound(RSites)
   RemoveSite RSites(i)
Next

Navdeep (Singapore):

Why are you using a script? I mean, is there any roadblock to controlling those configurations using GPOs?
2Thrane (ASKER):

I set up the script because I could not get a single global GPO to do what I wanted...
This is why I am trying to extend the functionality of group policy through an ADMX, so that I can do the same as the .vbs in a GPO.
You can use a GPO for this: "Site to Zone Assignment List".
This is located here:
Computer Configuration (or User Configuration)\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

I've taken a look at ADMX files, but the domain is processed within the client-side extension to populate Domains, not EscDomains. So I suppose it could be difficult to create an ADMX file to do it.
Moreover, longer domains with more than one dot in the name are split into subkeys, which makes it more difficult to write.
Moreover, as domains are keys, I don't think ADMX can create keys, only values and data.
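As an added illustration (not code from the thread or from any poster), here is a PowerShell version of the script approach that addresses the two points above: it writes to both Domains and EscDomains, deletes the key rather than only its value on removal, and splits hosts with more than one dot into the domain\prefix subkey layout IE uses. The split rule (last two labels form the key, the remaining prefix becomes a subkey) is an assumption, and the host names in the usage lines are constructed placeholders.

```powershell
# Assumed layout (not confirmed by the thread):
#   intranet.contoso.com -> ZoneMap\Domains\contoso.com\intranet, value "*" = zone
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Get-ZoneMapSubPath {
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.Trim().ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "Host '$HostName' needs at least one dot" }
    $domain = $labels[-2..-1] -join '.'            # registrable part, e.g. contoso.com
    if ($labels.Count -eq 2) { return $domain }
    $prefix = $labels[0..($labels.Count - 3)] -join '.'   # everything before it
    return "$domain\$prefix"
}

function Add-ZoneSite {
    # $Zone: 1 = Local intranet, 2 = Trusted sites; $Scheme '*' = all protocols
    param([Parameter(Mandatory)][string]$HostName,
          [Parameter(Mandatory)][int]$Zone,
          [string]$Scheme = '*')
    $sub = Get-ZoneMapSubPath $HostName
    foreach ($tree in 'Domains', 'EscDomains') {      # ESC on or off: same result
        $key = Join-Path $ZoneMap "$tree\$sub"
        New-Item -Path $key -Force | Out-Null          # creates intermediate keys
        New-ItemProperty -Path $key -Name $Scheme -Value $Zone `
            -PropertyType DWord -Force | Out-Null      # -Force overwrites existing
    }
}

function Remove-ZoneSite {
    param([Parameter(Mandatory)][string]$HostName)
    $sub = Get-ZoneMapSubPath $HostName
    foreach ($tree in 'Domains', 'EscDomains') {
        $key = Join-Path $ZoneMap "$tree\$sub"
        # Remove the whole key so nothing is left behind, unlike deleting
        # only the "*" value. A parent domain key shared by other hosts stays.
        if (Test-Path $key) { Remove-Item -Path $key -Recurse }
    }
}

# Constructed usage; only entries listed here are touched, so sites users
# added themselves through the IE dialog are left alone.
Add-ZoneSite -HostName 'intranet.contoso.com' -Zone 1
Add-ZoneSite -HostName 'training.com' -Zone 2
Remove-ZoneSite -HostName 'old.contoso.com'
```

Run it as the user (for example from a GPO logon script), since it writes under HKCU.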
2Thrane (ASKER):

I have looked at "Site to Zone Assignment List", but it seems to me that this prevents users from adding additional sites, which in our environment is something they are required to be able to do...
ASKER CERTIFIED SOLUTION by Tasmant (France)

2Thrane (ASKER):

What is the best way to push a script by GPO so that it is stored locally on each machine and applied at login, both when on and off the corporate network? (This is where I started to doubt whether a script was the way to go.) In addition, any suggestions on how to improve the delete section of the script so that the key is deleted, not just its content?
2Thrane (ASKER):

I ended up applying the .vbs script I wrote in the logon section of the GPO, which achieved what I needed, but I still feel it is a major weak point that I am unable to achieve this through .admx. That, I guess, is a question for Microsoft...
2Thrane (ASKER):

I could not achieve what I wanted due to limitations in .admx, but I received good input that allowed me to implement a solution to resolve the issue.