?
Solved

Group Policy best practice for startup scripts

Posted on 2013-05-15
5
Medium Priority
?
645 Views
Last Modified: 2013-05-22
Two questions:

1. Startup Script
In a batch (.bat) file do I need to specify the the whole path to call .reg files setting.

regedit.exe /s /f  "\\xx.domain.xx\SysVol\xx.more.xxx\Policies\{xxx-xxx-xx-xxx-xx}\Machine\Scripts\Startup\myhklm.reg"

Open in new window


or this this ok in the .bat because the file is located in working directory.

regedit.exe /s /f  myhklm.reg

Open in new window


which is the perfered best practice.
 
2. Where should HKEY_CLASSES_ROOT (HKCR) reg fixes be applied.
In the startup script I was thinking?
0
Comment
Question by:DCSIMVT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1500 total points
ID: 39167952
Have you thought about doing this using group policy preferences

http://technet.microsoft.com/en-us/library/cc753092.aspx

Thanks

Mike
0
 

Author Comment

by:DCSIMVT
ID: 39167997
Yes, but I figured it would be easier to update settings on the fly by just modifing the reg file.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1500 total points
ID: 39168083
I've always gone with the first method.  It would also be easy to modify the GP Preferences and then you don't' have to worry about startup scripts.

Test both out in a lab

Thanks

Mike
0
 

Author Comment

by:DCSIMVT
ID: 39169088
I found it would if I did not do the whole path it would not work.

where should HKEY_CLASSES_ROOT (HKCR) be applied startup script??
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39169618
-If I may interfere-

Yes, startup script. I wanted to comment on
>  I figured it would be easier to update settings on the fly by just modifing the reg file.
Not at all. The regfile needs a new logon or (for HKCR and HKLM) even a restart. think of users who only put their computers to sleep - it would no be at all like an on-the-fly-change. With GPPs, you could even enforce such a a change right now using tools like specops gpupdate (http://www.specopssoft.com/documentation/specops-gpupdate-documentation ). It would make on the fly possible.
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question