Solved

Creating custom ADMX file to propogate GPO setting to member servers

Posted on 2014-11-17
3
464 Views
Last Modified: 2014-11-21
I am working on a windows hardening project and need to implement a few gpo settings that are not available by default on my windows 2008 r2 servers.

Per Microsoft's instructions, I am able to navigate to the sceregvl.infl file and add the lines in bold below for them to show up in the group policy manager. Below is just one of the settings I also intend to add. Additionally I need to add a "NoIPRouting" base gpo setting that is also not available.

Open and edit the c:\windows\inf\Sceregvl.inf file by using Notepad.
Copy the following text which should all be in one line:
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\nodefaultadminowner,3,"System objects: Default owner for objects created by members of the Administrators group",3,0|Administrators group,1|Object Creator
Paste the text just after the following line in the file:
(MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy,4,%SCENoAp plyLegacyAuditPolicy%,0)



https://support.microsoft.com/kb/947721?wa=wsignin1.0

--

Any how, I see how Microsoft's instructions are suited for adding this a single server. How can I go about populating this on 500 Windows servers without having to go around each one of them?

many thx

t
0
Comment
Question by:tobe1424
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 25

Assisted Solution

by:Lionel MM
Lionel MM earned 166 total points
ID: 40449821
Well there are a few ways that may work 1) Create a custom ADMX and add new registry items (CREATE--this link shows an example of how this is done http://support2.microsoft.com/kb/938118) and only apply that ADMX to the servers in question or
2) create a script to add the registry item as described here http://www.robvanderwoude.com/regedit.php

You could run the resulting script server by server or I would recommend using a script to automate a scheduled task on each server. I would also recommend that you make a backup of each server's registry before adding this change. let me know which approach you prefer so I can provide more info where needed. Good luck.
0
 
LVL 15

Assisted Solution

by:joharder
joharder earned 167 total points
ID: 40449854
It's far easier to use Group Policy Preferences than to create ADMX files.   When customizations are required, just use the registry item.

In your case, use the Computer node, i.e., Computer\Preferences\Windows\Registry.
0
 
LVL 41

Accepted Solution

by:
Adam Brown earned 167 total points
ID: 40450674
What you're actually dealing with isn't an ADMX file, but is instead a Security Template. The INF file maintains the registry settings and possible values for the Security Options node in the Local Policy Editor. To deploy this to multiple computers, you would perform the same steps, but do so on a Domain Controller rather than a Member Server. Once you do that, the new options will show up in the Security Options node in the Group Policy Editor MMC. Note, though, that you may need to make this change on all Domain Controllers you want to use to set these Security Options for GPOs.
0

Featured Post

Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question