?
Solved

Add registry key using GPO

Posted on 2014-01-10
9
Medium Priority
?
1,668 Views
Last Modified: 2014-01-23
I am having some trouble creating a new GPO that will add a registry key to all computers in an organizational unit.

As per this Microsoft KB, adding a registry key corrects a network performance problem we are having at a customer site.  We have tested it by adding the key manually and it works great.  We now need to deploy it to all workstations within an OU.

http://support.microsoft.com/kb/2570623
Method 4. Disable the OFV Add-in by using a registry setting

I created a new GPO, linked it to the appropriate OU and configured it as follows:

Computer Configuration--> Preferences --> Windows Settings --> Registry

New --> Registry Item

General Tab
Action:  Create
Hive:  HKEY_CURRENT_USER
Key Path: Software\Microsoft\office\11.0\excel\security\filevalidation\
Value Name:  EnableOnLoad
Value Type:  REG_DWORD
Value Data: 00000000
Base:  Hexadecimal

Unfortunately, we are not getting the key.  Any thoughts?

See attached print screen for settings.
Registry-GPO.JPG
0
Comment
Question by:LenCepeda
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39771880
I think the key is for users and the GPO need to be place in User configuration preferences and applied on OU containing users
Since these preferences are run in security context of system account, it should work even if user is standard user.

and for windows XP, you must 1st deploy CSE on windows XP to support GP preferences
http://www.microsoft.com/en-in/download/details.aspx?id=3628

Lastly try to change mode from create to update so if key is not there it will be created and from next time it will just check that value 1st and if found it will just skip that

Mahesh
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 39771886
Try using the Update method for the preference instead of Create. Sometimes that works better for some reason. Also make sure that any windows XP machines have the necessary updates to use GPO preferences. If you have the latest service pack on them, they should have the updates, but I have seen some XP machines still fail to pick up Preference settings without having the client side extensions explicitly installed on them. It's available here: http://www.microsoft.com/en-us/download/details.aspx?id=3628

You may also need to have two preferences for it to work. One to create the Security folder and another to create the Key that is a child of that folder.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39771899
Is the policy even making it to the client machine? Use rsop.msc, right click>Computer Config>select properties.

On the general tab it will show all of the policies that are being applied to the machine. If you are using Group Policy Preferences and applying this to Windows XP or 2003 you will need to have the GPP windows patch (client side extensions) in order to get the policy.

If the machines are Windows 7 then it should be fine from that perspective.

Also check the event viewer to get additional detail if the policy is being applied to the machine from rsop but it failing to load.


Will.
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 10

Accepted Solution

by:
djcanter earned 2000 total points
ID: 39771902
alternatiely,you can also use a logon script for the ou to import a .reg file containing your changes.
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 39771916
Actually, on checking it looks like mahesh is correct. This registry modification is supposed to go to the HKEY_CURRENT_USER registry hive, which can only be appropriately modified by using a User Configuration profile setting. You can get this to work properly on an OU of computers by enabling group policy loopback processing and setting the GPO to modify the registry preference under User Configuration instead of computer configuration. http://support.microsoft.com/kb/231287 has info on loopback processing.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39772012
Since this is non conflicting setting and GP preference can be set in Update mode,
hence Loopback mode is not required.
Enabling loop back mode settings will unnecessarily change other users GPO settings if any.

Mahesh
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 39772097
Entering the preference in the User Configuration section will cause the preference to be ignored when the users log in to the *computers* that need this setting. Note that this is a problem impacting computers in a specific site and not users. If the OP wishes to apply the setting only to those computers, then GP Loopback is necessary. If he just wishes to apply it to the users that log in to those computers, he can link the policy to the user account. As it stands, his current GPO is linked to an OU of computers, not an OU of users.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39772287
You are right, GPO need to be applied on OU containing Computers and loop back processing will be required since registry key is for logged on users but for specific computers only.

Mahesh
0
 

Author Closing Comment

by:LenCepeda
ID: 39804229
Thank you all for your help.  I had a hard time getting the GPO to work when I applied it to the computers container.  Rather, I took djcanter's advice and imported a .reg file using a GPO that was linked to users container instead of computers.  It looks like all users received the update.

Unfortunately, we did start to receive reports that users' home directories were not mapping properly.  Basically mapping looks like this
\\Fileserver\ShareHidden$ instead of \\Fileserver\ShareHidden$\Users\User_Name...
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question