  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1078

ADMX to allow users to define names of multiple registry keys

I am trying to extend functionality in group policy by creating an ADMX file that will allow me to define multiple websites and for registry keys to be generated based on these names both under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ and HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\.

I want to achieve the following:
- single GPO to define trusted / internal sites for machines that either have enhanced security configuration in IE enabled or disabled
- allow users to add additional sites under trusted / internal sites
- have settings retained when users start machine when not connected to corporate domain
- be able to clean up registry when sites are removed

The attached .vbs script implements the correct changes to the registry, but does not help with a good GPO implementation.

 
'Array of sites to be added to "Local intranet" in IE:

Dim LIntranet(0)
LIntranet(0) = " "


'Array of sites to be added to "Trusted sites" in IE:

Dim TSites(3)
TSites(0) = "microsoft.com"
TSites(1) = "clockware.com"
TSites(2) = "questback.com"
TSites(3) = "training.com"


'Array of sites to be removed:

Dim RSites(0)
RSites(0) = " "


'Loops to add/remove sites:
'Zone values: 1 = Local intranet, 2 = Trusted sites.
'Blank placeholder entries (" ") are skipped so no key named " " is created.

Dim i, Domains, EscDomains, WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")
For i = LBound(LIntranet) To UBound(LIntranet)
   If Trim(LIntranet(i)) <> "" Then
      Domains = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\" & LIntranet(i) & "\*"
      EscDomains = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\" & LIntranet(i) & "\*"
      WshShell.RegWrite Domains, "1", "REG_DWORD"
      WshShell.RegWrite EscDomains, "1", "REG_DWORD"
   End If
Next
For i = LBound(TSites) To UBound(TSites)
   If Trim(TSites(i)) <> "" Then
      Domains = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\" & TSites(i) & "\*"
      EscDomains = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\" & TSites(i) & "\*"
      WshShell.RegWrite Domains, "2", "REG_DWORD"
      WshShell.RegWrite EscDomains, "2", "REG_DWORD"
   End If
Next
For i = LBound(RSites) To UBound(RSites)
   If Trim(RSites(i)) <> "" Then
      Domains = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\" & RSites(i) & "\*"
      EscDomains = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\" & RSites(i) & "\*"
      'Write the value first so that RegDelete does not fail on a missing value.
      WshShell.RegWrite Domains, "2", "REG_DWORD"
      WshShell.RegWrite EscDomains, "2", "REG_DWORD"
      'Deletes only the "*" value; the site's key itself is left behind.
      WshShell.RegDelete Domains
      WshShell.RegDelete EscDomains
   End If
Next


0
Asked by: 2Thrane
Navdeep commented:
Why are you using a script? I mean, is there any roadblock in controlling those configurations using GPOs?
0
 
2Thrane (author) commented:
I set up the script because I could not get a single global GPO to do what I wanted...
This is why I am trying to extend functionality of group policy through an ADMX so that I can do the same as the .vbs in a GPO.
0
 
Tasmant commented:
You can use a GPO for this: "site to zone assignment list".
This is located here:
computer configuration (or user)\administrative templates\windows components\Internet Explorer\Internet Control Panel\Security Page

I've taken a look at the admx files, but the domain is processed within the client-side extension to populate Domains, but not EscDomains. So I suppose it could be difficult to create an admx file to do it.
Moreover, longer domains with more than one dot in the name are split into subkeys, so they are more difficult to write.
Moreover, as domains are keys, I don't think admx can create keys, only values and data.
0

 
2Thrane (author) commented:
I have looked at "site to zone assignment list", but it seems to me that this prevents users from adding additional sites, which in our environment is a requirement that they can do...
0
 
Tasmant commented:
As soon as you use a GPO, this prevents users from configuring settings themselves.
So a GPO isn't the right way to achieve what you want to do, but a script is fine :)
0
 
2Thrane (author) commented:
What is the best way to push the script by GPO so that it is stored locally on each machine and applied at login both when on and off the corporate network? (This is where I started to doubt if a script was the way to go.) In addition, any suggestions on how to improve the delete section of the script so that the key is deleted, not just the content?
0
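Added example (not part of the thread and not the asker's script): one way to make the removal step delete a site's key under both Domains and EscDomains rather than only its "*" value, which is what the comment above asks about. The entries in RSites are constructed samples, and the helper names IsSafeName and RemoveSite are hypothetical.

```vbscript
Option Explicit

' Added example: remove sites from both ZoneMap trees, deleting the key itself.
Const ZONEMAP = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"

Dim WshShell, RSites, site, tree
Set WshShell = CreateObject("WScript.Shell")

' Constructed sample input: one real-looking name, one blank placeholder,
' and one malformed entry that must never reach the registry path.
RSites = Array("old-partner.example", " ", "bad\name")

For Each site In RSites
    site = Trim(site)
    If IsSafeName(site) Then
        For Each tree In Array("Domains\", "EscDomains\")
            RemoveSite ZONEMAP & tree & site
        Next
    End If
Next

' Reject blanks and names containing a backslash.
' An empty name would make the path end at ...\Domains\ itself, and a
' backslash would point the delete at a different key than intended.
Function IsSafeName(name)
    IsSafeName = (Len(name) > 0) And (InStr(name, "\") = 0)
End Function

' Delete the "*" value, then the key that held it.
' WshShell.RegDelete treats a name ending in "\" as a key, otherwise as a value.
Sub RemoveSite(keyPath)
    On Error Resume Next          ' RegDelete raises an error if the target is missing
    WshShell.RegDelete keyPath & "\*"
    Err.Clear
    WshShell.RegDelete keyPath & "\"
    ' A failure here means the key was absent or could not be removed
    ' (for example, it still has subkeys); it is left in place.
    Err.Clear
    On Error GoTo 0
End Sub
```

Because errors from a missing value or key are ignored, the write-before-delete workaround in the original remove loop is not needed here.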
 
2Thrane (author) commented:
Ended up applying the .vbs script I wrote in the logon section of the GPO, which achieved what I needed, but I still feel it is a major weak point that I am unable to achieve this through .admx, but that, I guess, is a question for Microsoft...
0
 
2Thrane (author) commented:
Could not achieve what I wanted due to limitations in .admx, but received good input that allowed me to implement a solution to resolve the issue.
0
