Stef Merlijn asked:

Change Group Policy through registry

Hi,

When I change a Group Policy, changes are stored in the registry.
For example: To deny apps from using the camera (for all users)
- Start gpedit.msc
- Navigate to Computer Configuration > Administrative Templates > Windows Components > App privacy
- Change to "Enabled" and set option to "Force deny"
This will create the following two registry keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B454C6DA-0F21-452E-BADF-9167068901C8}Machine\Software\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B454C6DA-0F21-452E-BADF-9167068901C8}User <- no values added here

The portion {B454C6DA-0F21-452E-BADF-9167068901C8} seems to be a randomly created ID per system or user?
Also another key is created, but this is not shown in Process Monitor:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera

1. What I would like to know is how I can set Group Policy options like the ones in App privacy through registry changes only?
2. How to determine the ID that is created (e.g.: {B454C6DA-0F21-452E-BADF-9167068901C8}), as I can't find any info about it on the internet.

Cliff Galiher

Nope. Group policy works because a client-side agent built into the OS processes policies from the nearest domain controller and enforces them. A raw registry change wouldn't have that behavior nor effect.

Stef Merlijn (ASKER)

Is there any other way to do this?
I would like to make these changes from inside a Delphi application.

SOLUTION
McKnife

This solution is only available to members.

But it's not a policy and won't be enforced. A user can simply use whatever GUI to toggle the setting. The purpose of group POLICIES is that they are enforced. You'll often see in various GUIs that "some settings are controlled by your system administrator." That cannot be replicated with a simple registry toggle. To suggest the two are interchangeable is wrong.

No. Try it out. Restricted users cannot toggle that.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera
gives the same result for the end user, but it is not stored as an actual policy. The end user however can't change it unless he/she has access to the registry or group policy settings.

Is there any way to execute all the changes to the system that normally are done when setting a group policy? So maybe not only in the registry but at some other places as well?

There are no other places. Not all GPOs are regsettings, but almost all. Read the documentation "group policy registry reference".

I will second McKnife. The group policy is a dynamic registry editor. You can download Excel spreadsheets from Microsoft that detail which registry keys correspond to which group policy setting.

Download from here

https://www.microsoft.com/en-us/download/details.aspx?id=25250

SOLUTION
This solution is only available to members.

@David Johnson, CD, MVP:
This makes sense as when I change the registry HKLM for a certain GPO, the GPO itself doesn't reflect the change when looking for the GPO in gpedit.msc. I still have to test if it will pick up the changes after a system reboot.
This also makes you wonder why gpedit.msc makes changes for GPO in HKCU and not directly into HKLM.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B454C6DA-0F21-452E-BADF-9167068901C8}Machine\Software\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B454C6DA-0F21-452E-BADF-9167068901C8}User <- no values added here

Therefore I wanted to know how the ID in this key is assigned/created. As it might be that gpedit.msc uses HKCU keys to retrieve the current GPO setting, whereas Windows uses HKLM to actually set the option. So the two seem to be related, but how?

For info: A great online search for GPOs can be found here
http://gpsearch.azurewebsites.net/

Sorry, what are you trying to do? These IDs don't matter at all. They are used by the group policy client portion to "name" and distinguish the policies. Set the registry values and you are good to go. Nothing to worry about.

These IDs seem to be randomly created, so I would like to know how.
When I disable the GPO setting (with gpedit.msc) and create the key manually in the registry, then when I enable the GPO in gpedit.msc a different ID is used in the key for the same setting.

ASKER CERTIFIED SOLUTION
This solution is only available to members.

"The Registry changes don't reflect in gpedit, that's normal."
Where else are settings stored?

Setting GPO-settings in registry will result in a system that has all kinds of settings that can't be viewed via gpedit.msc. This makes it impossible to maintain by an administrator.

So you really like to do reverse engineering? My stars.
You should better use domain GPOs, that's what they are for.
If not possible, use a central (based on a server share) start- and logon script to do the regmerging. There, you can work with comments.

Hi,

I think you need to step back and forget GPOs for a bit. Just find the key that blocks the camera and change it manually. Then ask yourself, is that enough?

Then try creating a script to flip that registry key. If that works, great. That is just to prove that there is no "hocus-pocus" random GUIDs.

Now create a fresh GPO and apply the change with that. It will behave the same.
Several experts have already told you over and over that that's how it works, just go with it.

If you *still* don't trust it, use the script instead.

Mike

Thank you all for the help.
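
Added example (not part of the original thread or any participant's post): a PowerShell sketch of the registry-only approach discussed above. It writes the HKLM policy value directly, reads it back, lists which accounts may write to the policy key, and enumerates the per-user gpedit keys quoted in the question without needing to know their GUID. The function names are hypothetical, an elevated session is assumed, and the data values 0/1/2 are the documented meanings of LetAppsAccessCamera.

```powershell
# Added example, not from the thread. Run from an elevated session (writes HKLM).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
$ValueName  = 'LetAppsAccessCamera'
$GpeditRoot = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects'

function Set-CameraPolicy {
    # 0 = user in control, 1 = force allow, 2 = force deny
    param([ValidateRange(0, 2)][int]$Value = 2)
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Value `
        -PropertyType DWord -Force | Out-Null
}

function Get-CameraPolicy {
    # Returns the DWORD, or $null when the value is not configured.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Get-PolicyKeyWriters {
    # Accounts with an Allow ACE that lets them change values under the policy key.
    (Get-Acl -Path $PolicyKey).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       "$($_.RegistryRights)" -match 'FullControl|SetValue|WriteKey' } |
        Select-Object IdentityReference, RegistryRights
}

function Get-GpeditEditorKeys {
    # Lists every "{GUID}Machine" key under HKCU and the value it holds, if any.
    if (-not (Test-Path -Path $GpeditRoot)) { return @() }
    Get-ChildItem -Path $GpeditRoot |
        Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}Machine$' } |
        ForEach-Object {
            $sub  = "$($_.PSPath)\Software\Policies\Microsoft\Windows\AppPrivacy"
            $prop = Get-ItemProperty -Path $sub -Name $ValueName -ErrorAction SilentlyContinue
            [pscustomobject]@{ EditorKey = $_.PSChildName; Value = $prop.$ValueName }
        }
}

Set-CameraPolicy -Value 2
"Effective HKLM value: $(Get-CameraPolicy)"
Get-PolicyKeyWriters | Format-Table -AutoSize
Get-GpeditEditorKeys | Format-Table -AutoSize
```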