
Change Group Policy through registry

Stef Merlijn asked
Last Modified: 2016-03-22
Hi,

When I change a Group Policy, changes are stored in the registry.
For example: To deny apps from using the camera (for all users)
- Start gpedit.msc
- Navigate to Computer Configuration > Administrative Templates > Windows Components > APP privacy
- Change to "Enabled" and set option to "Force deny"
This will create the following two registry keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B454C6DA-0F21-452E-BADF-9167068901C8}Machine\Software\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B454C6DA-0F21-452E-BADF-9167068901C8}User <- no values added here


The portion {B454C6DA-0F21-452E-BADF-9167068901C8} seems to be a randomly created ID per system or user???
Also another key is created, but this is not shown in Process Monitor:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera


1. What I would like to know is how I can set Group Policy options like the ones in APP Privacy through registry changes only?
2. How to determine the ID that is created (for example: {B454C6DA-0F21-452E-BADF-9167068901C8}), as I can't find any info about it on the internet.

CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Nope. Group policy works because a client-side agent built into the OS processes policies from the nearest domain controller and enforces them. A raw registry change wouldn't have that behavior or effect.
Stef Merlijn, Developer

Author

Commented:
Is there any other way to do this?
I would like to make these changes from inside a Delphi application.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Nope
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
But it's not a policy and won't be enforced. A user can simply use whatever GUI to toggle the setting. The purpose of group POLICIES is that they are enforced. You'll often see in various GUIs that "some settings are controlled by your system administrator." That cannot be replicated with a simple registry toggle. To suggest the two are interchangeable is wrong.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
No. Try it out. Restricted users cannot toggle that.
Stef Merlijn, Developer

Author

Commented:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera
gives the same result for the end user, but it is not stored as an actual policy. The end user however can't change it unless he/she has access to the registry or group policy settings.

Is there any way to execute all the changes to the system that normally are done when setting a group policy? So maybe not only in the registry but at some other places as well?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
There are no other places. Not all GPOs are regsettings, but almost all. Read the documentation "group policy registry reference".
Matt Davies, Senior Support Engineer
CERTIFIED EXPERT

Commented:
I will second Mc Knife. The group policy is a dynamic registry editor. You can download Excel spreadsheets from Microsoft that detail which registry keys correspond to which group policy setting.

Download from here

https://www.microsoft.com/en-us/download/details.aspx?id=25250
David Johnson, CD, Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Stef Merlijn, Developer

Author

Commented:
@David Johnson, CD, MVP:
This makes sense as when I change the registry HKLM for a certain GPO, the GPO itself doesn't reflect the change when looking for the GPO in gpedit.msc. I still have to test if it will pick up the changes after a system reboot.
This also makes you wonder why gpedit.msc makes changes for GPO in HKCU and not directly into HKLM.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B454C6DA-0F21-452E-BADF-9167068901C8}Machine\Software\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B454C6DA-0F21-452E-BADF-9167068901C8}User <- no values added here


Therefore I wanted to know how the ID in this key is assigned/created. As it might be that gpedit.msc uses HKCU keys to retrieve the current GPO setting, whereas Windows uses HKLM to actually set the option. So the two seem to be related, but how?

For info: Great online search for GPOs can be found here
http://gpsearch.azurewebsites.net/
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Sorry, what are you trying to do? These IDs don't matter at all. They are used by the group policy client portion to "name" and distinguish the policies. Set the registry values and you are good to go. Nothing to worry about.
Stef Merlijn, Developer

Author

Commented:
These IDs seem to be randomly created, so I would like to know how.
When I disable the GPO setting (with gpedit.msc) and create the key manually in the registry, then when I enable the GPO in gpedit.msc a different ID is used in the key for the same setting.
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Stef Merlijn, Developer

Author

Commented:
"The Registry changes don't reflect in gpedit, that's normal."
Where else are settings stored?

Setting GPO-settings in registry will result in a system that has all kinds of settings that can't be viewed via gpedit.msc. This makes it impossible to maintain by an administrator.
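
The concern raised in the comment above can be checked on a given machine. The following PowerShell is an added example, not code from the thread: it parses the local GPO's machine Registry.pol (the file gpedit.msc saves Computer Configuration settings to) and tags each value in the live AppPrivacy policy key as defined by the local GPO or set in the registry only. It assumes a standalone PC with no domain or MDM policy; Get-PolEntry is a hypothetical helper name.

```powershell
# Added example: read-only audit, nothing on the system is changed.
# Assumption: standalone PC whose only GPO is the local one (no domain or MDM policy).
$polFile   = "$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol"
$policyKey = 'SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'   # key quoted in the thread

function Get-PolEntry {            # hypothetical helper name, not a built-in cmdlet
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }   # local GPO never edited
    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 8 -or [Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg') {
        throw "Not a Registry.pol file: $Path"
    }
    $i = 8                                                # skip signature and version
    while ($i -lt $b.Length) {
        # One entry, UTF-16LE: [key NUL ; value NUL ; type ; size ; data]
        $text = foreach ($n in 1..2) {
            $i += 2                                       # skip '[' or ';'
            $start = $i
            while ([BitConverter]::ToUInt16($b, $i) -ne 0) { $i += 2 }
            [Text.Encoding]::Unicode.GetString($b, $start, $i - $start)
            $i += 2                                       # skip the terminating NUL
        }
        $type = [BitConverter]::ToInt32($b, $i + 2)       # REG_* type after ';'
        $size = [BitConverter]::ToInt32($b, $i + 8)       # data length in bytes
        $i += 14                                          # first data byte
        $dword = if ($type -eq 4 -and $size -eq 4) { [BitConverter]::ToInt32($b, $i) }
        $i += $size + 2                                   # skip data and ']'
        [pscustomobject]@{ Key = $text[0]; Value = $text[1]; DWord = $dword }
    }
}

# Value names the local GPO defines under the AppPrivacy policy key
$inLocalGpo = @{}
Get-PolEntry $polFile | Where-Object { $_.Key -eq $policyKey } |
    ForEach-Object { $inLocalGpo[$_.Value] = $_.DWord }

# Values actually present in the live policy key, tagged with where they came from
$live = Get-Item -LiteralPath "HKLM:\$policyKey" -ErrorAction SilentlyContinue
if ($live) {
    foreach ($name in $live.GetValueNames()) {
        [pscustomobject]@{
            Value  = $name
            Data   = $live.GetValue($name)   # LetAppsAccess*: 0 user choice, 1 force allow, 2 force deny
            Source = if ($inLocalGpo.ContainsKey($name)) { 'local GPO' } else { 'registry only' }
        }
    }
}
```

Rows marked "registry only" are the ones an administrator will not see in gpedit.msc; on a domain-joined machine the same label also covers values delivered by domain GPOs, so the result needs that context.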
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
So you really like to do reverse engineering? My stars.
You should better use domain GPOs, that's what they are for.
If not possible, use a central (based on a server share) start- and logon script to do the regmerging. There, you can work with comments.
Mike T, Leading Engineer
CERTIFIED EXPERT

Commented:
Hi,

I think you need to step back and forget GPOs for a bit. Just find the key that blocks the camera and change it manually. Then ask yourself, is that enough?

Then try creating a script to flip that registry key. If that works, great. That is just to prove that there is no "hocus-pocus" random GUIDs.

Now create a fresh GPO and apply the change with that. It will behave the same.
Several experts have already told you over and over that that's how it works, just go with it.

If you *still* don't trust it, use the script instead.

Mike
Stef Merlijn, Developer

Author

Commented:
Thank you all for the help.