Solved

Creating custom ADMX file to propogate GPO setting to member servers

Posted on 2014-11-17
3
377 Views
Last Modified: 2014-11-21
I am working on a windows hardening project and need to implement a few gpo settings that are not available by default on my windows 2008 r2 servers.

Per Microsoft's instructions, I am able to navigate to the sceregvl.infl file and add the lines in bold below for them to show up in the group policy manager. Below is just one of the settings I also intend to add. Additionally I need to add a "NoIPRouting" base gpo setting that is also not available.

Open and edit the c:\windows\inf\Sceregvl.inf file by using Notepad.
Copy the following text which should all be in one line:
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\nodefaultadminowner,3,"System objects: Default owner for objects created by members of the Administrators group",3,0|Administrators group,1|Object Creator
Paste the text just after the following line in the file:
(MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy,4,%SCENoAp plyLegacyAuditPolicy%,0)



https://support.microsoft.com/kb/947721?wa=wsignin1.0

--

Any how, I see how Microsoft's instructions are suited for adding this a single server. How can I go about populating this on 500 Windows servers without having to go around each one of them?

many thx

t
0
Comment
Question by:tobe1424
3 Comments
 
LVL 24

Assisted Solution

by:lionelmm
lionelmm earned 166 total points
ID: 40449821
Well there are a few ways that may work 1) Create a custom ADMX and add new registry items (CREATE--this link shows an example of how this is done http://support2.microsoft.com/kb/938118) and only apply that ADMX to the servers in question or
2) create a script to add the registry item as described here http://www.robvanderwoude.com/regedit.php

You could run the resulting script server by server or I would recommend using a script to automate a scheduled task on each server. I would also recommend that you make a backup of each server's registry before adding this change. let me know which approach you prefer so I can provide more info where needed. Good luck.
0
 
LVL 15

Assisted Solution

by:joharder
joharder earned 167 total points
ID: 40449854
It's far easier to use Group Policy Preferences than to create ADMX files.   When customizations are required, just use the registry item.

In your case, use the Computer node, i.e., Computer\Preferences\Windows\Registry.
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 167 total points
ID: 40450674
What you're actually dealing with isn't an ADMX file, but is instead a Security Template. The INF file maintains the registry settings and possible values for the Security Options node in the Local Policy Editor. To deploy this to multiple computers, you would perform the same steps, but do so on a Domain Controller rather than a Member Server. Once you do that, the new options will show up in the Security Options node in the Group Policy Editor MMC. Note, though, that you may need to make this change on all Domain Controllers you want to use to set these Security Options for GPOs.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will review the basic installation and configuration for Windows Software Update Services (WSUS) in a Windows 2012 R2 environment.  WSUS is a Microsoft tool that allows administrators to manage and control updates to be approved and ins…
Learn about cloud computing and its benefits for small business owners.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now