Solved

Creating custom ADMX file to propogate GPO setting to member servers

Posted on 2014-11-17
3
388 Views
Last Modified: 2014-11-21
I am working on a windows hardening project and need to implement a few gpo settings that are not available by default on my windows 2008 r2 servers.

Per Microsoft's instructions, I am able to navigate to the sceregvl.infl file and add the lines in bold below for them to show up in the group policy manager. Below is just one of the settings I also intend to add. Additionally I need to add a "NoIPRouting" base gpo setting that is also not available.

Open and edit the c:\windows\inf\Sceregvl.inf file by using Notepad.
Copy the following text which should all be in one line:
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\nodefaultadminowner,3,"System objects: Default owner for objects created by members of the Administrators group",3,0|Administrators group,1|Object Creator
Paste the text just after the following line in the file:
(MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy,4,%SCENoAp plyLegacyAuditPolicy%,0)



https://support.microsoft.com/kb/947721?wa=wsignin1.0

--

Any how, I see how Microsoft's instructions are suited for adding this a single server. How can I go about populating this on 500 Windows servers without having to go around each one of them?

many thx

t
0
Comment
Question by:tobe1424
3 Comments
 
LVL 24

Assisted Solution

by:Lionel MM
Lionel MM earned 166 total points
ID: 40449821
Well there are a few ways that may work 1) Create a custom ADMX and add new registry items (CREATE--this link shows an example of how this is done http://support2.microsoft.com/kb/938118) and only apply that ADMX to the servers in question or
2) create a script to add the registry item as described here http://www.robvanderwoude.com/regedit.php

You could run the resulting script server by server or I would recommend using a script to automate a scheduled task on each server. I would also recommend that you make a backup of each server's registry before adding this change. let me know which approach you prefer so I can provide more info where needed. Good luck.
0
 
LVL 15

Assisted Solution

by:joharder
joharder earned 167 total points
ID: 40449854
It's far easier to use Group Policy Preferences than to create ADMX files.   When customizations are required, just use the registry item.

In your case, use the Computer node, i.e., Computer\Preferences\Windows\Registry.
0
 
LVL 39

Accepted Solution

by:
Adam Brown earned 167 total points
ID: 40450674
What you're actually dealing with isn't an ADMX file, but is instead a Security Template. The INF file maintains the registry settings and possible values for the Security Options node in the Local Policy Editor. To deploy this to multiple computers, you would perform the same steps, but do so on a Domain Controller rather than a Member Server. Once you do that, the new options will show up in the Security Options node in the Group Policy Editor MMC. Note, though, that you may need to make this change on all Domain Controllers you want to use to set these Security Options for GPOs.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question