Apply Registry or ADM to Group Policy for Login to Specific Servers

Tags: active-directory, group-policy, windows-registry, windows-server-2008

I have some Windows 2008 Server terminal services servers that run a shared app. Unfortunately, to operate correctly the app has some HKEY_CURRENT_USER settings that need to be written to each user's registry when they log in. These settings will change over time so I don't want to edit C:\Users\Default\NTUser.dat; I want them applied via Active Directory.

I have identified the appropriate entries and exported them as a registry file and additionally converted them to an ADM. I'd like to configure some portion of Active Directory Group Policy to load either the .REG or the ADM as a login script (for all users) to ONLY these servers (the servers are in their own OU).

How can I do that? I've created a policy in the OU but am otherwise stumped; I tried to load the ADM into the GPO Management Editor but it doesn't seem to do anything…

Perhaps it's some combination of "Active Setup" (Best way to add HKCU keys and values for all existing users and all new users?) and Loopback Processing (http://support.microsoft.com/kb/231287) but my knowledge of GPO is very limited.

Best Answer

You're saying that you have user settings that you want to apply to users only when they log on to certain computers? Sounds difficult, eh? It's not difficult at all. It sounds like a job for loopback group policy processing!

Assume the following:

 [Domain] mydomain.com.org.net.local
  |
  |--[OU] Special Computers
  |   |
  |   |-- [Computer] COMPUTER 1
  |   |
  |   |-- [Computer] COMPUTER 2
  |   ...
  |
  |--[OU] User Accounts
      |
      |--[User] Bob
      |
      |--[User] Alice
      ...

You would like to apply a user setting (such as running a logon script, or applying other types of GPO user settings) for all users who log on to computers in the "Special Computers" OU. When they log on to computers located in other OUs, though, you do not want these special settings to apply.

Create and link a GPO to the "Special Computers" OU. Specify in that GPO all the user-related settings you want to apply.

("But wait, Evan! The users' account objects aren't in the 'Special Computers' OU!" Yes. I know that. Stay w/ me here. Most AD admins I've met don't understand loopback policy processing and get scared. I've seen horrible hacks like creating secondary user accounts for users to log on with when using "special computers", etc... >shudder<)

In the GPO you created, go into the COMPUTER "Administrative Templates", "System", "Group Policy", and locate the setting "User Group Policy loopback processing mode". Enable this setting. In the "Mode" box, choose "Replace" if you want all the user's "normal" group policy settings to be ignored and only the user policy settings in this new GPO to apply. Choose "Merge" if you want the user settings in the GPO to apply after all their normal user settings have applied.

My opinion is that this is a lot cleaner than "hacks" involving "If computer == blah" in logon scripts.


My advice to you would be to do what you're doing with Group Policy Preference (GPP) registry settings, rather than with a logon script. It will apply one time, leaving default settings in the users' registry, but the user will be able to change the settings freely in the future without having them "smashed" each time they log on.

If these are Windows Server 2008 machines, like your tag says, then there's really no excuse not to use GPP registry settings. Have a look at the articles below for some more details. This is a really nice feature of W2K8, and something you should be taking advantage of.

http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&DisplayLang=en

http://blogs.technet.com/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx
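The steps the answer walks through (create and link the GPO to the computer OU, enable loopback processing, publish the HKCU values as GPP Registry items) as one added PowerShell example. This is not code from the answer or from Microsoft; it uses the GroupPolicy module that ships with RSAT on Windows 7 / Server 2008 R2 and later (the Server 2008 GPMC has no cmdlets, so run it from a newer admin workstation against the domain). The GPO name, the .reg path and the OU distinguished name built from the answer's example tree are assumptions; the parser handles the string and dword values a regedit export contains and reports anything else as skipped.

```powershell
# Added example (not from the original answer): build the loopback GPO with GPP Registry items.
# Assumed: GPO name, .reg path, and the OU DN derived from the answer's example tree.
Import-Module GroupPolicy

$GpoName  = 'TS App User Settings'                                            # assumed
$TargetOU = 'OU=Special Computers,DC=mydomain,DC=com,DC=org,DC=net,DC=local'  # from the answer's tree
$RegFile  = 'C:\Deploy\app-hkcu.reg'                                          # assumed path to the exported .reg

function ConvertFrom-RegFile {
    # Parse a "Windows Registry Editor Version 5.00" export (UTF-16LE) into Key/Name/Kind/Data
    # records. Only HKEY_CURRENT_USER keys are kept; default values (@=) and hex: data are skipped.
    param([Parameter(Mandatory)][string]$Path)
    $key = $null
    foreach ($line in Get-Content -Path $Path -Encoding Unicode) {
        if ($line -match '^\[(?<key>[^\]]+)\]$') {
            $key = if ($Matches.key -like 'HKEY_CURRENT_USER\*') { $Matches.key } else { $null }
            continue
        }
        if ($key -and $line -match '^"(?<name>(?:[^"\\]|\\.)*)"=(?<rest>.*)$') {
            $name = [regex]::Replace($Matches.name, '\\(["\\])', '$1')   # undo \" and \\ escapes
            $rest = $Matches.rest
            if ($rest -match '^"(?<s>.*)"$') {
                $kind = 'String'
                $data = [regex]::Replace($Matches.s, '\\(["\\])', '$1')
            } elseif ($rest -match '^dword:(?<h>[0-9a-fA-F]{8})$') {
                $kind = 'DWord'
                # Keep the 32-bit pattern intact (dword:ffffffff -> -1) for RegistryValueKind.DWord.
                $data = [BitConverter]::ToInt32([BitConverter]::GetBytes([Convert]::ToUInt32($Matches.h, 16)), 0)
            } else {
                Write-Warning "Skipping unsupported value in [$key] '$name': $rest"
                continue
            }
            [pscustomobject]@{ Key = $key; Name = $name; Kind = $kind; Data = $data }
        }
    }
}

function Publish-HkcuGppItems {
    # Turn each parsed HKCU value into a GPP Registry item under User Configuration of the GPO.
    param([Parameter(Mandatory)][string]$Gpo, [Parameter(Mandatory)][string]$Path)
    foreach ($v in ConvertFrom-RegFile -Path $Path) {
        $gppKey = $v.Key -replace '^HKEY_CURRENT_USER', 'HKCU'
        # Action Create seeds the value only where it is absent, so a user's later change survives;
        # switch to Update if the app needs the value re-asserted at every policy refresh.
        Set-GPPrefRegistryValue -Name $Gpo -Context User -Action Create -Key $gppKey `
            -ValueName $v.Name -Value $v.Data -Type $v.Kind | Out-Null
    }
}

# 1. Create the GPO (if it does not exist yet) and link it to the computer OU only.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'HKCU defaults for the shared TS app' }
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null }

# 2. Enable loopback processing. This is the registry policy behind the GPMC setting
#    "User Group Policy loopback processing mode": UserPolicyMode 1 = Merge, 2 = Replace.
#    Merge is used here because the users' normal policy should still apply on these servers.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 3. Publish the exported HKCU values as GPP Registry items.
Publish-HkcuGppItems -Gpo $GpoName -Path $RegFile

# 4. Review the result: the report lists the loopback setting and every GPP Registry item.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"
```

To check it on one of the terminal servers, run `gpupdate /force`, log on as a normal user, and confirm with `gpresult /r /scope:user` that the GPO appears under "Applied Group Policy Objects" even though the user account lives elsewhere; the HKCU values should then be present in that user's hive. Two caveats: loopback is a computer-side setting, so the computer accounts need Read and Apply Group Policy on the GPO (the default Authenticated Users entry covers this), and the cmdlet sets only each item's Action, not the Common-tab options, so if you want "Apply once and do not reapply" as the answer describes, tick it on the items in the GPMC editor.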
