You're saying that you have user settings that you want to apply to users only when they logon to certain computers? Sounds difficult, eh? It's not difficult at all. It sounds like a job for loopback group policy processing!
Assume the following:
[Domain] mydomain.com.org.net.local
|
|--[OU] Special Computers
| |
| |-- [Computer] COMPUTER 1
| |
| |-- [Computer] COMPUTER 2
| ...
|
|--[OU] User Accounts
|
|--[User] Bob
|
|--[User] Alice
...
You would like to apply a user setting (such as running a logon script, or applying other types of GPO user settings) for all users who logon to computers in the "Special Computers" OU. When they logon to computers located in other OUs, though, you do not want these special settings to apply.
Create and link a GPO to the "Special Computers" OU. Specify in that GPO all the user-related settings you want to apply.
("But wait, Evan! The user's account objects aren't in the 'Special Computers' OU!" Yes. I know that. Stay w/ me here. Most AD admins I've met don't understand loopback policy processing and get scared. I've seen horrible hacks like creating secondary user accounts for users to logon with when using "special computers", etc... >shudder<)
In the GPO you created, go into the COMPUTER "Administrative Templates", "System", "Group Policy", and locate the setting "User Group Policy loopback processing mode". Enable this setting. In the "Mode" box, choose "Replace" if you want all the user's "normal" group policy settings to be ignored and only the user policy settings in this new GPO to apply. Choose "Merge" if you want the user settings in the GPO to apply after all their normal user settings have applied.
My opinion is that this is a lot cleaner than "hacks" involving "If computer == blah" in logon scripts.
My advice to you would be to do what you're doing with a Group Policy Preference (GPP)registry settings, rather than with a logon script. It will apply one time, leaving default settings in the users' registry, but the user will be able to change the settings freely in the future without having them "smashed" each time they logon.
If these are Windows Server 2008 machines, like your tag says, then there's really no excuse not to use GPP registry settings. Have a look at the articles below for some more details. This is a really nice feature of W2K8, and something you should be taking advantage of.
http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&DisplayLang=en
http://blogs.technet.com/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx
Best Answer
In 64-bit Windows, there exists what are called file system and registry redirection. These exist for compatibility with older applications that were written for 32-bit Windows and for applications designed for older versions of Windows. WoW64 hooks all system calls made by 32-bit processes, such that if my 32-bit application running on a 64-bit version of Windows calls C:\Windows\System32, WoW64 will transparently redirect it to C:\Windows\SysWoW64, etc.. The C:\Windows\Sysnative virtual directory points you to the native version (the 64-bit version) of the directory, regardless of the bitness of the thread referencing that file system path.
A similar mechanism exists for the registry, which is what the WoW6432Node key is all about. Technically I would call these 32-bit and 64-bit views of the registry if I wanted to be concise... Or pedantic.
I wrote some code (in C#) not too long ago for accessing a key in the native (64-bit) portion of the hive from within a 32-bit process. Here's an abridged snippet:
Of course you still need to read a value from the key once you've opened it, or create a new value, then remember to close the key once you're finished, but that would get you started if you cared to write any code.
But since you are talking about spawning a 32-bit process from another 32-bit process, so that child process can access the native view of the registry, on a 64-bit platform... you're dealing with a combination of both file system redirection and registry redirection both getting in your way. And to top all that off, regedit.exe is a bit of a special utility in this regard.
TL;DR: Give
C:\Windows\sysnative\regedt32.exe
a try instead ofregedit.exe
.https://stackoverflow.com/questions/12233396/open-64-bit-regedit-from-32-bit-application