Windows server 2008r2 Registry Change via 2008r2 GPO not working

Hi,

In a 2008r2 Active Directory environment, I'm doing a GPO named BasicServerGPO for every 2008r2 server on my domain. The GPO is linked to the good OU in which all my servers are. The GPO is enabled with all default options.

Basically, I just want to add the computer icon on the desktop of every server we have. I want to do it via a GPO registry change and not a login script.

The GPO I've done is doing this:

Computer configuration - Preferences - Windows Settings - Registry :

Action: Update
Hive: Hkey_current_user
Key path: Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel

Value name:
{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Value type: REG_DWORD
Value Data: 00000000  

At 00000000, when doing it manually on a server regedit mmc, the computer icon appears on the desktop. But when I try to push the registry change via a GPO, it's not working.
What is missing?

Thx
Darius Ghassem

Are you deploying to computers, not to users, right?

ASKER

Yes, I'm deploying to computers.

Run gpresult

ASKER

Here it is... I've omitted confidential information with XXXXXXX


Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 2/9/2012 at 11:26:53 AM


RSOP data for XXXXXXXXX on XXXXXXXXXXX : Logging Mode
----------------------------------------------------------------

OS Configuration:            Member Server
OS Version:                  6.1.7601
Site Name:                   XXXXXXXXXX
Roaming Profile:             N/A
Local Profile:               C:\Users\XXXXXXX
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=XXXXXXXXXXXX,OU=Win2008SrvR2,OU=GPO_TEST,OU=Servers,DC=XXXXXXXx,DC=XXXXXXXXXX

    Last time Group Policy was applied: 2/9/2012 at 11:12:19 AM
    Group Policy was applied from:      XXXXXXXX.XXXXXXXx.XXXXXXXX
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        XXXXXXXXXXXX
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        GPOBasic
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        XXXXXXXXXXXX
        Domain Computers
        System Mandatory Level

    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  42

            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  24

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  7

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            LSAAnonymousNameLookup
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59058
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
                Computer Setting:  1

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


USER SETTINGS
--------------
    CN=XXXXXXXX,CN=Users,DC=XXXXXXXXXXX,DC=XXXXXXXXXX
    Last time Group Policy was applied: 2/9/2012 at 11:12:19 AM
    Group Policy was applied from:      XXXXXXXXXXXXXXXX
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        XXXXXXXXXXXXXXXX
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Default Domain Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        BUILTIN\Administrators
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Domain Admins
        Group Policy Creator Owners
        Schema Admins
        Enterprise Admins
        Denied RODC Password Replication Group
        High Mandatory Level

    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Increase a process working set
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Change the time zone
        Create symbolic links

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A

Well, it says that there isn't a registry key GPO in the Default Domain Policy.

      Registry Settings
        -----------------
            N/A

Are you adding a new policy or putting the GP setting in the Default Domain Policy?

ASKER

I'm adding a new policy:

 Applied Group Policy Objects
    -----------------------------
        GPOBasic      <-------this one here is supposed to make the registry change
        Default Domain Policy



See attached files. Maybe I'm trying to do the registry change at the wrong place.
[Attached image: Sans-titre.png]

Are you on Windows 2008 Server creating the registry GPO?

ASKER

Yes, the DC is running on 2008 Server R2 Standard, and I'm making the GPO on it.

All other servers (I would want the registry change on) are also running 2008 Server R2 and are on the domain.

Are you going through GPMC? Not applying to GPO at all. At what level are you applying the GPO?

ASKER

I'm going through Group Policy Management on the DC. I'm linking the GPO to a specific OU that contains my server computers. I've included additional screenshots.
[Attached image: Sans-titre2.png]

Looks good, but the server you ran gpresult on has no information about a registry key being added.

ASKER

I agree,

but the gpresult also shows that my GPO is applied to the server:

    Applied Group Policy Objects
    -----------------------------
        GPOBasic
        Default Domain Policy

Maybe a permission issue? Or maybe something else is missing?

Did you close the GPMC editor?  I always find myself making changes and leaving the editor open before figuring out why my policy changes didn't take effect.  I go 1 step further and just close the GPMC altogether.  If that's not it, then maybe your changes haven't replicated?

And I'm sure you know this, but run GPupdate /force after that, and a reboot of the machine may be needed.

Right, the GPO is created but the configuration is not applying, or in the GPO you would see that. Even if you didn't have permissions, there is an area in gpresult with the permission information.

Agreed. This is indeed a computer policy that is applied when the computer (in this case the server) is booted, not during user login.

Writing that down, I wondered: Is there actually an HKCU available at the moment the GPO is applied? It seems to me that if you want the Computer visible on the USER desktop, shouldn't that be in the USER settings of the policy?

KG

ASKER

I've found a good article on how to create GPO for custom registry entries here :
http://www.unidesk.com/blog/gpos-set-custom-registry-entries-virtual-desktops-disabling-machine-password

Sadly, it is exactly how I've made mine. So I guess I was doing it right. It must block somewhere else. I've asked my higher IT guy to check our ACL. I guess it could be a blocked GPO port or something like that.

I've asked him to look for these specific ports that GPOs are using:
DCOM¹          TCP + UDP    random port number between 1024 - 65535
                            random port number between 49152 - 65535²
ICMP (ping)    ICMP         for slow-link detection
LDAP           TCP          389
SMB            TCP          445
RPC            TCP          135, random port number between 1024 - 65535*
Avatar of . .

ASKER

OK, to bypass a possible ACL security problem, I've applied the GPO directly on the DC. And it was still not working. So I know now that it's not a port problem.

Turns out I was making a CU registry change in a Computer config registry GPP on an OU containing computers.

I've cut/pasted the CU registry change from the computer configuration into the user configuration GPP.
I've done a new OU that is populated by users.
I've applied the new GPO to the new user, and it worked.

So, conclusion: I cannot modify a Hkey_current_user registry key with a computer GPO preference linked on an OU populated by computers. I was not aware of that. Can any of you confirm that?

Thx
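
An added example, not part of the original thread: a PowerShell check that flags Group Policy Preferences registry items targeting HKEY_CURRENT_USER while stored on the Computer Configuration side of a GPO, which is the condition the asker found. It assumes PowerShell 3.0 or later; the function name `Find-MisplacedHkcuItem`, the `ExampleMachineValue` item and the inline XML (a constructed sample with the clsid/uid attributes left out) are illustrative.

```powershell
# Constructed sample of a GPP Registry.xml, as stored under
# <SYSVOL>\Policies\{GPO-GUID}\Machine\Preferences\Registry\Registry.xml.
# The first item mirrors the one in the question; the second is a control.
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings>
  <Registry name="{20D04FE0-3AEA-1069-A2D8-08002B30309D}">
    <Properties action="U" hive="HKEY_CURRENT_USER"
      key="Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel"
      name="{20D04FE0-3AEA-1069-A2D8-08002B30309D}" type="REG_DWORD" value="00000000" />
  </Registry>
  <Registry name="ExampleMachineValue">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE"
      key="Software\Example" name="ExampleMachineValue" type="REG_DWORD" value="00000001" />
  </Registry>
</RegistrySettings>
'@

function Find-MisplacedHkcuItem {
    # Hypothetical helper: returns the HKCU items found in a Machine-side
    # preference file. User-side files are expected to contain HKCU items.
    param(
        [Parameter(Mandatory)][string]$XmlText,
        [Parameter(Mandatory)][ValidateSet('Machine', 'User')][string]$Scope,
        [string]$Source = '(inline sample)'
    )
    if ($Scope -ne 'Machine') { return }
    $doc = [xml]$XmlText
    # '//' also reaches items nested inside Collection elements.
    foreach ($p in $doc.SelectNodes('//Registry/Properties')) {
        if ($p.GetAttribute('hive') -eq 'HKEY_CURRENT_USER') {
            [pscustomobject]@{
                Source = $Source
                Key    = $p.GetAttribute('key')
                Value  = $p.GetAttribute('name')
                Fix    = 'Move item to User Configuration > Preferences > Registry'
            }
        }
    }
}

# Flags only the first item of the constructed sample.
Find-MisplacedHkcuItem -XmlText $sampleXml -Scope Machine | Format-List
```

To audit a real domain, feed the function the contents of each `Machine\Preferences\Registry\Registry.xml` file under the SYSVOL `Policies` folder and pass the file path as `-Source`.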
ASKER CERTIFIED SOLUTION
gortm001