Solved

ADMX to allow users to define names of multiple registry keys

Posted on 2011-03-18
8
1,047 Views
Last Modified: 2012-08-14
I am trying to extend functionality in Group Policy by creating an ADMX file that will allow me to define multiple websites and have registry keys generated based on these names, both under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ and HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\.

I want to achieve the following:
- a single GPO to define trusted / internal sites for machines that have Enhanced Security Configuration in IE either enabled or disabled
- allow users to add additional sites under trusted / internal sites
- have settings retained when users start their machine while not connected to the corporate domain
- be able to clean up the registry when sites are removed

The attached .vbs script implements the correct changes to the registry, but does not help with a good GPO implementation.

 
' Adds or removes sites from IE's "Local intranet" (zone 1) and "Trusted sites" (zone 2)
' for the current user. Each site is written under both ZoneMap\Domains (normal security
' configuration) and ZoneMap\EscDomains (Enhanced Security Configuration), so the same
' list works whether or not ESC is enabled on the machine.
Option Explicit

Const ZONE_INTRANET = "1"
Const ZONE_TRUSTED = "2"
Const ZONEMAP = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"

'Array of sites to be added to "Local intranet" in IE (leave " " to add none):

Dim LIntranet(0)
LIntranet(0) = " "


'Array of sites to be added to "Trusted sites" in IE:

Dim TSites(3)
TSites(0) = "microsoft.com"
TSites(1) = "clockware.com"
TSites(2) = "questback.com"
TSites(3) = "training.com"


'Array of sites to be removed (leave " " to remove none):

Dim RSites(0)
RSites(0) = " "


'Loops to add/remove sites:

Dim i, Domains, EscDomains, WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")

' Writes the "*" value (= all protocols) under the site's key in both maps.
Sub SetZone(Site, Zone)
   Domains = ZONEMAP & "Domains\" & Site & "\*"
   EscDomains = ZONEMAP & "EscDomains\" & Site & "\*"
   WshShell.RegWrite Domains, Zone, "REG_DWORD"
   WshShell.RegWrite EscDomains, Zone, "REG_DWORD"
End Sub

' Blank placeholder entries (" ") are skipped so no key named " " is created.
For i = LBound(LIntranet) To UBound(LIntranet)
   If Len(Trim(LIntranet(i))) > 0 Then SetZone LIntranet(i), ZONE_INTRANET
Next
For i = LBound(TSites) To UBound(TSites)
   If Len(Trim(TSites(i))) > 0 Then SetZone TSites(i), ZONE_TRUSTED
Next
' RegDelete raises an error if the value does not exist, so the value is written
' first to make the delete succeed. Only the "*" value is removed; the site's
' key itself stays in the registry.
For i = LBound(RSites) To UBound(RSites)
   If Len(Trim(RSites(i))) > 0 Then
      Domains = ZONEMAP & "Domains\" & RSites(i) & "\*"
      EscDomains = ZONEMAP & "EscDomains\" & RSites(i) & "\*"
      WshShell.RegWrite Domains, ZONE_TRUSTED, "REG_DWORD"
      WshShell.RegWrite EscDomains, ZONE_TRUSTED, "REG_DWORD"
      WshShell.RegDelete Domains
      WshShell.RegDelete EscDomains
   End If
Next


0
Question by:2Thrane
8 Comments
 
LVL 12

Expert Comment

by:Navdeep
ID: 35165342
Why are you using a script? I mean, is there any roadblock in controlling those configurations using GPOs?
0
 

Author Comment

by:2Thrane
ID: 35165382
I set up the script because I could not get a single global GPO to do what I wanted...
This is why I am trying to extend the functionality of Group Policy through an ADMX, so that I can do the same as the .vbs in a GPO.
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35166729
You can use a GPO for this: "Site to Zone Assignment List".
This is located here:
Computer Configuration (or User)\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

I've taken a look at ADMX files, but the domain is processed within the Client Side Extension to populate Domains, but not EscDomains. So I suppose it could be difficult to create an ADMX file to do it.
Moreover, longer domains with more than one dot in the name are split into subkeys, so they are more difficult to write.
Moreover, as domains are keys, I don't think ADMX can create keys, only values and data.
0
 

Author Comment

by:2Thrane
ID: 35168275
I have looked at "Site to Zone Assignment List", but it seems to me that this prevents users from adding additional sites, which in our environment is a requirement that they can do...
0
 
LVL 11

Accepted Solution

by: Tasmant (earned 500 total points)
ID: 35176000
As soon as you use a GPO, this prevents users from configuring the settings themselves.
So a GPO isn't the right way to achieve what you want to do, but a script is fine :)
0
 

Author Comment

by:2Thrane
ID: 35176983
What is the best way to push a script by GPO so that it is stored locally on each machine and applied at login both when on and off the corporate network? (This is where I started to doubt whether a script was the way to go.) In addition, any suggestions on how to improve the delete section of the script so that the key is deleted, not just its content?
0
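As an added example (PowerShell written for this page; it is not the asker's VBScript and not anything from Tasmant or Microsoft), the following pulls together three points from the thread: the procedure in the question (one list of sites written to both ZoneMap\Domains and ZoneMap\EscDomains), Tasmant's observation that hosts with more than one dot are stored as a domain key with a nested subkey rather than as one key named after the full host, and the follow-up about removing the site's key rather than only its "*" value. Assumptions, stated here and in the comments: only HKCU is touched; "*" stands for all protocols; the layout is one key for the registrable domain plus one subkey holding the remaining labels, and EscDomains is assumed to use the same layout as Domains; two-part public suffixes such as co.uk are not handled; contoso.com and intranet.contoso.com are constructed sample names. The four trusted sites in the usage lines are the ones from the question.

```powershell
# Added example, not the original script. Maintains and audits IE ZoneMap entries
# under HKCU for the current user.
# Assumptions: HKCU only; "*" = all protocols; multi-label hosts are stored as
# <registrable domain key>\<remaining labels> (assumed for both Domains and EscDomains).
# Not handled: two-part public suffixes such as co.uk.

$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$ZoneNames   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapKeyPath {
    # 'contoso.com'     -> <root>\Domains\contoso.com
    # 'www.contoso.com' -> <root>\Domains\contoso.com\www
    # 'a.b.contoso.com' -> <root>\Domains\contoso.com\a.b
    param(
        [Parameter(Mandatory)] [string] $Site,
        [ValidateSet('Domains', 'EscDomains')] [string] $Branch = 'Domains'
    )
    $labels = $Site.Trim().ToLowerInvariant().TrimEnd('.').Split('.')
    if ($labels.Count -lt 2 -or $labels -contains '') {
        throw "Site '$Site' is not a usable host name (need at least host.tld, no empty labels)"
    }
    $domain = $labels[-2] + '.' + $labels[-1]
    $path   = Join-Path (Join-Path $ZoneMapRoot $Branch) $domain
    if ($labels.Count -gt 2) {
        # Everything in front of the registrable domain becomes one subkey name.
        $path = Join-Path $path (($labels[0..($labels.Count - 3)]) -join '.')
    }
    return $path
}

function Set-ZoneMapSite {
    # Assign $Site to $Zone in both the normal (Domains) and ESC (EscDomains) maps.
    param(
        [Parameter(Mandatory)] [string] $Site,
        [Parameter(Mandatory)] [ValidateRange(0, 4)] [int] $Zone
    )
    foreach ($branch in @('Domains', 'EscDomains')) {
        $key = Get-ZoneMapKeyPath -Site $Site -Branch $branch
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        # REG_DWORD "*" value, the same shape the VBScript writes.
        New-ItemProperty -Path $key -Name '*' -Value $Zone -PropertyType DWord -Force | Out-Null
    }
}

function Remove-ZoneMapSite {
    # Delete the site's key (every protocol value) and, if that leaves the parent
    # domain key empty, the parent too, so no orphaned keys accumulate.
    param([Parameter(Mandatory)] [string] $Site)
    foreach ($branch in @('Domains', 'EscDomains')) {
        $key = Get-ZoneMapKeyPath -Site $Site -Branch $branch
        if (-not (Test-Path -Path $key)) { continue }
        Remove-Item -Path $key -Recurse -Force
        $parent = Split-Path -Path $key -Parent
        if ((Split-Path -Path $parent -Leaf) -in @('Domains', 'EscDomains')) { continue }
        $p = Get-Item -Path $parent
        if ($p.SubKeyCount -eq 0 -and $p.GetValueNames().Count -eq 0) {
            Remove-Item -Path $parent -Force
        }
    }
}

function Get-ZoneMapAssignments {
    # Report every host -> zone mapping in both branches: what a reviewer wants to
    # see when checking which hosts a profile currently trusts.
    foreach ($branch in @('Domains', 'EscDomains')) {
        $root = Join-Path $ZoneMapRoot $branch
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($domainKey in Get-ChildItem -Path $root) {
            $entries = @(@{ Host = $domainKey.PSChildName; Key = $domainKey })
            foreach ($subKey in Get-ChildItem -Path $domainKey.PSPath) {
                $entries += @{ Host = "$($subKey.PSChildName).$($domainKey.PSChildName)"; Key = $subKey }
            }
            foreach ($e in $entries) {
                foreach ($proto in $e.Key.GetValueNames()) {
                    $zone = [int]$e.Key.GetValue($proto)
                    [pscustomobject]@{ Branch = $branch; Host = $e.Host; Protocol = $proto
                                       Zone = $zone; ZoneName = $ZoneNames[$zone] }
                }
            }
        }
    }
}

# Usage: the four sites from the question go to Trusted sites (zone 2); the intranet
# host is a constructed multi-label example; training.com is then removed again.
'microsoft.com', 'clockware.com', 'questback.com', 'training.com' | ForEach-Object { Set-ZoneMapSite -Site $_ -Zone 2 }
Set-ZoneMapSite -Site 'intranet.contoso.com' -Zone 1
Remove-ZoneMapSite -Site 'training.com'
Get-ZoneMapAssignments | Sort-Object Branch, Host | Format-Table -AutoSize
```

Run as the user whose profile should change, for example from the same logon-script slot the asker ended up using. The audit function is the part worth keeping on its own: reading Domains and EscDomains side by side shows when the two maps have drifted apart, which is exactly the gap the thread identifies between what the Site to Zone Assignment List populates and what an ESC-enabled machine actually consults.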
 

Author Comment

by:2Thrane
ID: 35229742
Ended up applying the .vbs script I wrote in the logon section of the GPO, which achieved what I needed, but I still feel it is a major weak point that I am unable to achieve this through .admx, but that, I guess, is a question for Microsoft...
0
 

Author Closing Comment

by:2Thrane
ID: 35229756
Could not achieve what I wanted due to limitations in .admx, but received good input that allowed me to implement a solution to resolve the issue.
0
