ADMX to allow users to define names of multiple registry keys

I am trying to extend functionality in group policy by creating an ADMX file that will allow me to define multiple web-sites and for registry keys to be generated based on these names both under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ and HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\.

I want to achieve the following:
- single GPO to define trusted / internal sites for machines that either have enhanced security configuration in IE enabled or disabled
- allow users to add additional sites under trusted / internal sites
- have settings retained when users start machine when not connected to corporate domain
- be able to clean up registry when sites are removed

Attached .vbs script implements correct changes to the registry, but does not help with a good GPO implementation.

 
'Array of sites to be added to "Local intranet" in IE:

Dim LIntranet(0)
LIntranet(0) = " "


'Array of sites to be added to "Trusted sites" in IE:

Dim TSites(3)
TSites(0) = "microsoft.com"
TSites(1) = "clockware.com"
TSites(2) = "questback.com"
TSites(3) = "training.com"


'Array of sites to be removed:

Dim RSites(0)
RSites(0) = " "


'Loops to add/remove sites:

Dim i, Domains, EscDomains, WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")
For i = LBound(LIntranet) To UBound(LIntranet)
   Domains = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\" & LIntranet(i) & "\*"
   EscDomains = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\" & LIntranet(i) & "\*"
   WshShell.RegWrite Domains, "1", "REG_DWORD"
   WshShell.RegWrite EscDomains, "1", "REG_DWORD"
Next
For i = LBound(TSites) To UBound(TSites)
   Domains = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\" & TSites(i) & "\*"
   EscDomains = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\" & TSites(i) & "\*"
   WshShell.RegWrite Domains, "2", "REG_DWORD"
   WshShell.RegWrite EscDomains, "2", "REG_DWORD"
Next
For i = LBound(RSites) To UBound(RSites)
   Domains = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\" & RSites(i) & "\*"
   EscDomains = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\" & RSites(i) & "\*"
   WshShell.RegWrite Domains, "2", "REG_DWORD"
   WshShell.RegWrite EscDomains, "2", "REG_DWORD"
   WshShell.RegDelete Domains
   WshShell.RegDelete EscDomains
Next


2Thrane asked:
 
Tasmant commented:
As soon as you use a GPO, this prevents users from configuring settings themselves.
So a GPO isn't the right way to achieve what you want to do, but the script is fine :)
0
 
Navdeep commented:
Why are you using a script? I mean, is there any roadblock in controlling those configurations using GPOs?
0
 
2Thrane (author) commented:
I set up the script because I could not get a single global GPO to do what I wanted...
This is why I am trying to extend functionality of group policy through an ADMX so that I can do the same as the .vbs in a GPO.
0
 
Tasmant commented:
You can use a GPO for this: "site to zone assignment list".
This is located here:
computer configuration (or user)\administrative templates\windows components\Internet Explorer\Internet Control Panel\Security Page

I've taken a look at the admx files, but the domain is processed within the client-side extension to populate Domains, but not EscDomains. So I suppose it could be difficult to create an admx file to do it.
Moreover, longer domains with more than one dot in the name are split into subkeys, so they are more difficult to write.
Moreover, as domains are keys, I don't think admx can create keys, only values and data.
0
 
2Thrane (author) commented:
I have looked at "site to zone assignment list", but it seems to me that this prevents users from adding additional sites, which in our environment is a requirement that they can do...
0
 
2Thrane (author) commented:
What is the best way to push the script by GPO so that it is stored locally on each machine and applied at login both when on and off the corporate network? (This is where I started to doubt if a script was the way to go.) In addition, any suggestions on how to improve the delete section of the script so that the key is deleted, not just the content?
0
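
An added PowerShell example, not part of the original thread: it writes the same per-user zone assignments as the .vbs script to both Domains and EscDomains, and removes a site by deleting the key itself rather than only the "*" value. The function names are hypothetical, and the rule used to split a multi-dot host name into a domain key and one child key (last two labels form the domain key) is an assumption of this example.

```powershell
# Added example: helper names and the sample sites are hypothetical.
$ZoneMapRoot = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$Branches    = 'Domains', 'EscDomains'   # used with ESC disabled / ESC enabled

function Get-ZoneMapSubKey {
    # Assumption: the last two labels form the domain key, any remaining
    # labels form one child key, e.g. www.example.com -> example.com\www
    param([string]$Site)
    $name = "$Site".Trim().ToLowerInvariant()
    # Rejects blank placeholders (" ") and any character, such as '\',
    # that could redirect the write to a different registry key.
    if ($name -notmatch '^[a-z0-9.-]+$') { return $null }
    $labels = @($name -split '\.' | Where-Object { $_ })
    if ($labels.Count -eq 0) { return $null }
    if ($labels.Count -le 2) { return ($labels -join '.') }
    $domain = $labels[-2..-1] -join '.'
    $child  = $labels[0..($labels.Count - 3)] -join '.'
    return "$domain\$child"
}

function Set-ZoneMapSite {
    # Zone 1 = Local intranet, 2 = Trusted sites (same values as the script)
    param([string]$Site, [ValidateSet(1, 2)][int]$Zone)
    $sub = Get-ZoneMapSubKey $Site
    if (-not $sub) { return }
    foreach ($branch in $Branches) {
        $key = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey("$ZoneMapRoot\$branch\$sub")
        try     { $key.SetValue('*', $Zone, [Microsoft.Win32.RegistryValueKind]::DWord) }
        finally { $key.Close() }
    }
}

function Remove-ZoneMapSite {
    param([string]$Site)
    $sub = Get-ZoneMapSubKey $Site
    if (-not $sub) { return }
    foreach ($branch in $Branches) {
        # Deletes the key and everything below it, not only the "*" value;
        # $false means a key that is already gone is not an error.
        [Microsoft.Win32.Registry]::CurrentUser.DeleteSubKeyTree("$ZoneMapRoot\$branch\$sub", $false)
    }
}

# Constructed sample input, mirroring the arrays in the .vbs script
'microsoft.com', 'training.com' | ForEach-Object { Set-ZoneMapSite -Site $_ -Zone 2 }
Remove-ZoneMapSite -Site 'training.com'
```

Removing a bare domain such as `training.com` also removes any child keys stored beneath it, while removing a host with a child key leaves the (possibly empty) parent domain key in place.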
 
2Thrane (author) commented:
Ended up applying .vbs script I wrote in logon section of GPO, which achieved what I needed, but still feel it as a major weak point that I am unable to achieve this through .admx, but that I guess, is a question for Microsoft...
0
 
2Thrane (author) commented:
Could not achieve what I wanted due to limitations in .admx, but received good input that allowed me to implement solution to resolve issue.
0