Solved

Creating custom ADMX file to propagate GPO setting to member servers

Posted on 2014-11-17
Last Modified: 2014-11-21
I am working on a Windows hardening project and need to implement a few GPO settings that are not available by default on my Windows 2008 R2 servers.

Per Microsoft's instructions, I am able to navigate to the Sceregvl.inf file and add the lines in bold below for them to show up in the Group Policy Manager. Below is just one of the settings I also intend to add. Additionally, I need to add a "NoIPRouting" base GPO setting that is also not available.

Open and edit the c:\windows\inf\Sceregvl.inf file by using Notepad.
Copy the following text which should all be in one line:
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\nodefaultadminowner,3,"System objects: Default owner for objects created by members of the Administrators group",3,0|Administrators group,1|Object Creator
Paste the text just after the following line in the file:
(MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy,4,%SCENoApplyLegacyAuditPolicy%,0)



https://support.microsoft.com/kb/947721?wa=wsignin1.0

--

Anyhow, I see how Microsoft's instructions are suited for adding this to a single server. How can I go about populating this on 500 Windows servers without having to go around each one of them?

many thx

t
Question by:tobe1424
3 Comments
 
LVL 26

Assisted Solution

by:Lionel MM
Lionel MM earned 664 total points
ID: 40449821
Well, there are a few ways that may work:
1) Create a custom ADMX and add new registry items (CREATE--this link shows an example of how this is done http://support2.microsoft.com/kb/938118) and only apply that ADMX to the servers in question, or
2) create a script to add the registry item as described here http://www.robvanderwoude.com/regedit.php

You could run the resulting script server by server, or I would recommend using a script to automate a scheduled task on each server. I would also recommend that you make a backup of each server's registry before adding this change. Let me know which approach you prefer so I can provide more info where needed. Good luck.
0
 
LVL 15

Assisted Solution

by:joharder
joharder earned 668 total points
ID: 40449854
It's far easier to use Group Policy Preferences than to create ADMX files. When customizations are required, just use the registry item.

In your case, use the Computer node, i.e., Computer\Preferences\Windows\Registry.
0
 
LVL 43

Accepted Solution

by:Adam Brown
Adam Brown earned 668 total points
ID: 40450674
What you're actually dealing with isn't an ADMX file, but is instead a Security Template. The INF file maintains the registry settings and possible values for the Security Options node in the Local Policy Editor. To deploy this to multiple computers, you would perform the same steps, but do so on a Domain Controller rather than a Member Server. Once you do that, the new options will show up in the Security Options node in the Group Policy Editor MMC. Note, though, that you may need to make this change on all Domain Controllers you want to use to set these Security Options for GPOs.
0
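The accepted answer notes that the INF file holds the registry settings and possible values shown in the Security Options node. The PowerShell below is an added example, not part of the original thread or of Microsoft's instructions: it decodes the entry from the question into its fields and checks whether a template already contains it, so the line can be validated before it is pasted on each Domain Controller. The function names are hypothetical, the field meanings are taken from the syntax comment in the template's [Register Registry Values] section, and the template excerpt is constructed.

```powershell
# Field order, from the syntax comment inside Sceregvl.inf:
#   RegPath,RegType,DisplayName,DisplayType,Options
$RegTypes     = @{ 1='REG_SZ'; 2='REG_EXPAND_SZ'; 3='REG_BINARY'; 4='REG_DWORD'; 7='REG_MULTI_SZ' }
$DisplayTypes = @{ 0='Boolean'; 1='Number'; 2='String'; 3='Choices'; 4='Multivalued'; 5='Bitmask' }

function ConvertFrom-SceRegEntry {   # hypothetical helper name
    param([Parameter(Mandatory=$true)][string]$Line)
    # Split on commas outside double quotes; the display name may be quoted.
    $f = [regex]::Split($Line.Trim(), ',(?=(?:[^"]*"[^"]*")*[^"]*$)')
    if ($f.Count -lt 4) { throw "Expected at least 4 fields, got $($f.Count)" }
    $path = $f[0].Trim()
    if ($path -notmatch '^MACHINE\\.+\\[^\\]+$') { throw "Bad RegPath: $path" }
    $regType = [int]$f[1]; $dispType = [int]$f[3]
    if (-not $RegTypes.ContainsKey($regType))      { throw "Unknown RegType $regType" }
    if (-not $DisplayTypes.ContainsKey($dispType)) { throw "Unknown DisplayType $dispType" }
    # Choices (3) and Bitmask (5) list value|label pairs in the trailing fields.
    $options = @{}
    if ($f.Count -gt 4) {
        foreach ($o in $f[4..($f.Count - 1)]) {
            $pair = $o -split '\|', 2
            if ($pair.Count -ne 2) { throw "Malformed option '$o'" }
            $options[$pair[0].Trim()] = $pair[1].Trim()
        }
    }
    if ((3, 5 -contains $dispType) -and $options.Count -eq 0) { throw 'Choices/Bitmask entry has no options' }
    $i = $path.LastIndexOf('\')      # last backslash separates key from value name
    New-Object PSObject -Property @{
        RegPath = $path; Key = 'HKLM:' + $path.Substring(7, $i - 7); ValueName = $path.Substring($i + 1)
        RegType = $RegTypes[$regType]; DisplayType = $DisplayTypes[$dispType]
        DisplayName = $f[2].Trim().Trim('"'); Options = $options
    }
}

function Test-SceRegEntryPresent {   # hypothetical helper name
    param([string[]]$TemplateLines, [string]$RegPath)
    foreach ($l in $TemplateLines) {
        # Skip ';' comment lines; compare the first field case-insensitively.
        if ($l -notmatch '^\s*;' -and ($l -split ',')[0].Trim() -ieq $RegPath) { return $true }
    }
    return $false
}

# Entry quoted in the question above.
$entry  = 'MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\nodefaultadminowner,3,"System objects: Default owner for objects created by members of the Administrators group",3,0|Administrators group,1|Object Creator'
$parsed = ConvertFrom-SceRegEntry $entry
$parsed | Format-List
# Constructed template excerpt containing only the anchor line from the question.
$template = @('[Register Registry Values]',
              'MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy,4,%SCENoApplyLegacyAuditPolicy%,0')
'Already in template: ' + (Test-SceRegEntryPresent $template $parsed.RegPath)
```

To check a real template instead of the constructed excerpt, pass the output of `Get-Content C:\Windows\inf\Sceregvl.inf` as the template lines.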
