Solved

Creating custom ADMX file to propagate GPO setting to member servers

Posted on 2014-11-17
Last Modified: 2014-11-21
I am working on a Windows hardening project and need to implement a few GPO settings that are not available by default on my Windows 2008 R2 servers.

Per Microsoft's instructions, I am able to navigate to the sceregvl.inf file and add the lines in bold below for them to show up in the group policy manager. Below is just one of the settings I also intend to add. Additionally I need to add a "NoIPRouting" base GPO setting that is also not available.

Open and edit the c:\windows\inf\Sceregvl.inf file by using Notepad.
Copy the following text which should all be in one line:
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\nodefaultadminowner,3,"System objects: Default owner for objects created by members of the Administrators group",3,0|Administrators group,1|Object Creator
Paste the text just after the following line in the file:
(MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy,4,%SCENoApplyLegacyAuditPolicy%,0)



https://support.microsoft.com/kb/947721?wa=wsignin1.0

--

Anyhow, I see how Microsoft's instructions are suited for adding this to a single server. How can I go about populating this on 500 Windows servers without having to go around each one of them?

many thx

t
Question by:tobe1424
3 Comments
 
LVL 25

Assisted Solution

by:Lionel MM
Lionel MM earned 166 total points
ID: 40449821
Well, there are a few ways that may work:
1) Create a custom ADMX and add new registry items (CREATE: this link shows an example of how this is done, http://support2.microsoft.com/kb/938118) and only apply that ADMX to the servers in question, or
2) Create a script to add the registry item as described here: http://www.robvanderwoude.com/regedit.php

You could run the resulting script server by server, or I would recommend using a script to automate a scheduled task on each server. I would also recommend that you make a backup of each server's registry before adding this change. Let me know which approach you prefer so I can provide more info where needed. Good luck.
0
 
LVL 15

Assisted Solution

by:joharder
joharder earned 167 total points
ID: 40449854
It's far easier to use Group Policy Preferences than to create ADMX files. When customizations are required, just use the registry item.

In your case, use the Computer node, i.e., Computer\Preferences\Windows\Registry.
0
 
LVL 40

Accepted Solution

by:Adam Brown
Adam Brown earned 167 total points
ID: 40450674
What you're actually dealing with isn't an ADMX file, but is instead a Security Template. The INF file maintains the registry settings and possible values for the Security Options node in the Local Policy Editor. To deploy this to multiple computers, you would perform the same steps, but do so on a Domain Controller rather than a Member Server. Once you do that, the new options will show up in the Security Options node in the Group Policy Editor MMC. Note, though, that you may need to make this change on all Domain Controllers you want to use to set these Security Options for GPOs.
0
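
Whichever deployment route from the answers above is used, the result can be checked from one admin host. The PowerShell audit below is an added example, not code from any of the posters; it assumes PowerShell remoting (WinRM) is enabled on the targets, and `servers.txt` is a hypothetical file with one hostname per line.

```powershell
# Added example: audit the Lsa\nodefaultadminowner value on many servers at once.
# Assumptions: WinRM remoting is enabled on the targets; servers.txt is hypothetical.
param(
    [string]$ServerList = '.\servers.txt',
    # Value the policy is meant to enforce. Per the INF line in the question:
    # 0 = Administrators group, 1 = Object Creator.
    [Parameter(Mandatory = $true)][int]$ExpectedValue
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'nodefaultadminowner'

# Runs on each target. Always returns an object, so a server that answered but
# has no value set can be told apart from a server that never answered.
$probe = {
    param($Path, $Name)
    $item  = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $value = $null
    # The data may be stored as a DWORD or as binary; normalise to the first
    # element so both forms compare the same way.
    if ($item) { $value = @($item.$Name)[0] }
    New-Object PSObject -Property @{ Value = $value }
}

$servers = Get-Content -Path $ServerList |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }

# One fan-out call; connection failures are tolerated and reported below.
$results = Invoke-Command -ComputerName $servers -ScriptBlock $probe `
    -ArgumentList $keyPath, $valueName -ErrorAction SilentlyContinue

$seen = @{}
$results | Where-Object { $_ } | ForEach-Object { $seen[$_.PSComputerName] = $_.Value }

$report = foreach ($server in $servers) {
    $value = $null
    if (-not $seen.ContainsKey($server)) { $status = 'Unreachable' }
    else {
        $value = $seen[$server]
        if ($null -eq $value)               { $status = 'NotSet' }
        elseif ($value -eq $ExpectedValue)  { $status = 'Compliant' }
        else                                { $status = 'Drift' }
    }
    New-Object PSObject -Property @{ Server = $server; Value = $value; Status = $status }
}

# Non-compliant hosts first, then the per-status totals.
$report | Sort-Object Status, Server | Select-Object Server, Status, Value
$report | Group-Object Status | Select-Object Name, Count
```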

Question has a verified solution.