Import registry key via Group Policy

Posted on 2011-05-11
Last Modified: 2012-06-27

I am trying to import two registry keys in the Startup section (Computer Configuration/Windows Settings/Scripts (Startup/Shutdown)). One of the registry keys imports, however the second does not. I have used the following command in a .cmd and .bat file:
regedit /s file.reg
The problem section is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders and adding: credssp.dll. This is to enable Network Level Authentication.
To manually import this registry key I require local admin. I believe that scripts executed in the Startup and Shutdown section of Group Policy run under the LocalSystem account, which does not have the required privileges. I also created a custom administrative template file.
The "Group Policy Modeling tool" shows the script file and custom administrative template. The questions I have: is it possible to execute a startup script using different users for elevated permissions (runas)? Is this registry section "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders" prevented from being changed at startup?
Is there any way to run as "SYSTEM"?
Do you have any suggestions or other ways to run a startup script with higher privileges?
Question by:bradq3232

    Author Comment

    Also, the client OS is Windows XP SP3 and the server operating system is Windows Server 2003.

    Accepted Solution

    You would have to use the runas command in the script itself to run the command as a specific user. The difficulty in this is that the password for the account has to be written out in the script, which is not encrypted, so it becomes a bit of a security issue. Setting the registry modification up as an Administrative Template *should* allow the registry setting to bypass the need for permissions. However, if it doesn't work properly, there is another method for deploying registry modifications in Windows 2003. You can do this by properly modifying the sceregvl.inf file, which is used to control the Windows Security Options in Group Policy. has some more specific information and instructions on how to do this.

    Expert Comment

    by:Adam Brown
    I should also note that if you use the sceregvl.inf technique, you only need to make the modifications on the system you are making GPO modifications from. Client systems do not need to have these modifications in their sceregvl.inf files to understand a GPO that is written with the modified file.

    Expert Comment

    First of all, running startup or shutdown scripts happens in the localsystem context, so permissions are there. I run startup and shutdown scripts when I need my scripts to run as an administrator. That said, UAC might cause problems (I don't know either way). A better way to modify the registry is to use group policy preferences.
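
As an added example (not posted by any participant in this thread): a computer startup script that appends credssp.dll to the existing SecurityProviders value only when it is missing, rather than overwriting the value with a .reg import, and logs each step so a failed run can be diagnosed. The log path and variable names are assumptions.

```bat
@echo off
rem Added example, not from the thread. Intended as a computer startup script.
rem Appends credssp.dll to the SecurityProviders value only if it is missing,
rem so providers already listed on the machine are preserved.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders"
set "VAL=SecurityProviders"
rem Assumed log location; change to suit your environment.
set "LOG=%SystemRoot%\Temp\credssp-startup.log"

echo [%DATE% %TIME%] start on %COMPUTERNAME% >> "%LOG%"

rem Read the current REG_SZ data (token 1 = name, 2 = type, rest = data).
set "CUR="
for /f "tokens=2,*" %%a in ('reg query "%KEY%" /v %VAL% 2^>nul ^| findstr /i "REG_SZ"') do set "CUR=%%b"

rem Refuse to write if the value could not be read; avoids clobbering it.
if not defined CUR goto :noval

echo current: %CUR% >> "%LOG%"
echo %CUR% | findstr /i /c:"credssp.dll" >nul
if not errorlevel 1 goto :present

reg add "%KEY%" /v %VAL% /t REG_SZ /d "%CUR%, credssp.dll" /f >> "%LOG%" 2>&1
if errorlevel 1 goto :failed
echo result: credssp.dll appended >> "%LOG%"
goto :eof

:present
echo result: credssp.dll already listed, no change >> "%LOG%"
goto :eof

:noval
echo result: could not read %VAL%, nothing written >> "%LOG%"
exit /b 1

:failed
echo result: reg add failed, see output above >> "%LOG%"
exit /b 1
```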
