Stef Merlijn asked:

Change Group Policy through registry

Hi,

When I change a Group Policy, changes are stored in the registry.
For example, to deny apps from using the camera (for all users):
- Start gpedit.msc
- Navigate to Computer Configuration > Administrative Templates > Windows Components > APP privacy
- Change to "Enabled" and set option to "Force deny"
This will create following two registry-keys
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B454C6DA-0F21-452E-BADF-9167068901C8}Machine\Software\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B454C6DA-0F21-452E-BADF-9167068901C8}User <- no values added here


Portion: {B454C6DA-0F21-452E-BADF-9167068901C8} seems to be a randomly created ID per system or user???
Also another key is created, but this is not shown in Process Monitor:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera


1. What I would like to know is how I can set Group Policy option like the ones in APP Privacy through registry changes only?
2. How to determine the ID that is created (f.e.: {B454C6DA-0F21-452E-BADF-9167068901C8}) as I can't find any info about it on internet.
Tags: Windows 10, Windows OS

Last comment: Stef Merlijn, 8/22/2022 - Mon
Cliff Galiher

Nope. Group policy works because a client-side agent built into the OS processes policies from the nearest domain controller and enforces them. A raw registry change wouldn't have that behavior nor effect.
ASKER
Stef Merlijn

Is there any other way to do this?
I would like to make these changes from inside a Delphi application.
Cliff Galiher

Nope
SOLUTION
McKnife

Cliff Galiher

But it's not a policy and won't be enforced. A user can simply use whatever GUI to toggle the setting. The purpose of group POLICIES is that they are enforced. You'll often see in various GUIs that "some settings are controlled by your system administrator." That cannot be replicated with a simple registry toggle. To suggest the two are interchangeable is wrong.
McKnife

No. Try it out. Restricted users cannot toggle that.
ASKER
Stef Merlijn

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera
gives the same result for the enduser, but it is not stored as an actual policy. The enduser however can't change it unless he/she has access to the registry or group policy settings.

Is there any way to execute all the changes to the system that normally are done when setting a group policy. So maybe not only in the registry but at some other places as well?
McKnife

There are no other places. Not all GPOs are regsettings, but almost all. Read the documentation "group policy registry reference".
Matt Davies

I will second McKnife. The group policy is a dynamic registry editor. You can download Excel spreadsheets from Microsoft that detail which registry keys correspond to which group policy setting.

Download from here

https://www.microsoft.com/en-us/download/details.aspx?id=25250
ASKER
Stef Merlijn

@David Johnson, CD, MVP:
This makes sense as when I change the registry HKLM for a certain GPO, the GPO itself doesn't reflect the change when looking for the GPO in gpedit.msc. I still have to test if it will pick up the changes after a system reboot.
This also makes you wonder why gpedit.msc makes changes for GPO in HKCU and not directly into HKLM.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B454C6DA-0F21-452E-BADF-9167068901C8}Machine\Software\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B454C6DA-0F21-452E-BADF-9167068901C8}User <- no values added here


Therefore I wanted to know how the ID in this key is assigned/created. As it might be that gpedit.msc uses HKCU keys to retrieve the current GPO setting, whereas Windows uses HKLM to actually set the option. So the two seem to be related, but how?

For info: Great online search for GPO's can be found here
http://gpsearch.azurewebsites.net/
McKnife

Sorry, what are you trying to do? These IDs don't matter at all. They are used by the group policy client portion to "name" and distinguish the policies. Set the registry values and you are good to go. Nothing to worry about.
ASKER
Stef Merlijn

These ID's seem to be randomly created, so I would like to know how.
When I disable the GPO setting (with gpedit.msc) and create the key manually in the registry, then when I enable the GPO in gpedit.msc a different ID is used in the key for the same setting.
ASKER
Stef Merlijn

"The Registry changes don't reflect in gpedit, that's normal."
Where else are settings stored?

Setting GPO-settings in registry will result in a system that has all kinds of settings that can't be viewed via gpedit.msc. This makes it impossible to maintain by an administrator.
McKnife

So you really like to do reverse engineering? My stars.
You should better use domain GPOs, that's what they are for.
If not possible, use a central (based on a server share) start- and logon script to do the regmerging. There, you can work with comments.
Mike T

Hi,

I think you need to step back and forget GPOs for a bit. Just find the key that blocks the camera and change it manually. Then ask yourself, is that enough?

Then try creating a script to flip that registry key. If that works, great. That is just to prove that there is no "hocus-pocus" random GUIDs.

Now create a fresh GPO and apply the change with that. It will behave the same.
Several experts have already told you over and over that that's how it works, just go with it.

If you *still* don't trust it, use the script instead.

Mike
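
An added example, not part of any post in this thread: a read-only PowerShell audit that compares the effective HKLM policy value discussed above with what the local GPO records, so an administrator can spot values that were written straight to the registry and therefore do not appear in gpedit.msc. It assumes the standard local GPO store at %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol (PReg format), which the thread does not mention; the function name Get-PolEntry is hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the system.
function Get-PolEntry {
    param([Parameter(Mandatory)][string]$Path)
    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 8 -or [Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg') {
        throw "Not a PReg file: $Path"
    }
    $pos = 8                                  # skip 4-byte signature + 4-byte version
    while ($pos -lt $b.Length) {              # each entry: [key;value;type;size;data]
        $pos += 2                             # '[' (UTF-16LE)
        $names = foreach ($n in 1..2) {       # key name, then value name
            $start = $pos
            while ([BitConverter]::ToUInt16($b, $pos) -ne 0) { $pos += 2 }
            [Text.Encoding]::Unicode.GetString($b, $start, $pos - $start)
            $pos += 4                         # terminating NUL + ';'
        }
        $type = [BitConverter]::ToUInt32($b, $pos); $pos += 6   # type + ';'
        $size = [BitConverter]::ToInt32($b, $pos);  $pos += 6   # size + ';'
        $data = $null
        if ($type -eq 4 -and $size -eq 4) { $data = [BitConverter]::ToUInt32($b, $pos) }  # REG_DWORD
        $pos += $size + 2                     # data + ']'
        [pscustomobject]@{ Key = $names[0]; Value = $names[1]; Type = $type; Data = $data }
    }
}

$policyKey = 'SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'   # from the thread
$valueName = 'LetAppsAccessCamera'                              # from the thread
# Assumption: standard local GPO store, not named in the thread.
$polFile   = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'

$effective = (Get-ItemProperty -Path "HKLM:\$policyKey" -Name $valueName -ErrorAction SilentlyContinue).$valueName
$recorded  = $null
if (Test-Path $polFile) {
    $recorded = Get-PolEntry $polFile |
        Where-Object { $_.Key -eq $policyKey -and $_.Value -eq $valueName } |
        Select-Object -First 1
}

if ($null -eq $effective) {
    "$valueName is not set under HKLM:\$policyKey"
} elseif ($null -eq $recorded) {
    "$valueName = $effective in the registry but absent from the local GPO: set directly (script, .reg) or by a domain GPO; gpedit.msc will not show it"
} elseif ($recorded.Data -ne $effective) {
    "Mismatch: local GPO records $($recorded.Data), registry holds $effective"
} else {
    "$valueName = $effective, recorded in the local GPO and visible in gpedit.msc"
}
```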
ASKER
Stef Merlijn

Thank you all for the help.