How do I add/edit a registry key using group policy?

Archived from groups: microsoft.public.win2000.group_policy

We have a situation with regards to Active Directory where our large
number of groups is stopping various tasks with various errors such as
'cannot complete task out of storage space'. Things like adding a domain
group or user to a workstation get this error for example.

It's been tracked down to the following registry key where I've added the
DWord 'MaxTokenSize' and a value of 100000 whereas the default is 12000.
This has solved the problems on machines it has been applied to so we
want to distribute this to all across the domain.

The "MaxPacketSize" dword already existed, it's only the "MaxTokenSize" I
want to affect ... if it already exists to edit it to 100000 or create
it and set it at 100000 if it doesn't exist.

How/Can I do this with group policy?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001
"MaxTokenSize"=dword:00100000
  1.

    Looking around a StartUp script seems to be one way of doing it, so do I
    put the following into a MaxTokenSize.reg file:-

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]


    "MaxTokenSize"=dword:00100000

    .... and then call it from a StartUp script? What's the syntax for calling
    a reg file, I saw one mention of:-

    regedit -s \\server\scripts\maxtokensize.reg

    is this right?
  2.

    Why not just export the correct settings (as you've probably done at the end of
    your post) and then use the reg command to import it?
    You can do this in a script that you then distribute via a GPO.

    Regards,
    /Jimmy
    --
    Jimmy Andersson, Q Advice AB
    Microsoft MVP - Directory Services
    ---------- www.qadvice.com ----------

  3.

    Jimmy Andersson [MVP] wrote:
    > Why not just export the correct settings (as you've probably done at the end of
    > your post) and then use the reg command to import it?
    > You can do this in a script that you then distribute via a GPO.
    >
    > Regards,
    > /Jimmy

    yes, I exported it that way ....

    a startup script seems the way as it runs with high enough security to
    change the HKLM, whereas a logon script wouldn't.

    would I use the command:-

    reg import \\server\files\regchange.reg

    if that's it, what is the startup script saved as? I've never used them,
    are they .wsh files or can it just be a .bat or .cmd ?

    how could I add a command so it only actions it if the key doesn't exist?
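
An added example, not code from any poster in this thread: a computer startup script (.cmd) that writes MaxTokenSize only when the value is missing or different, which is the conditional behaviour asked about above. It assumes reg.exe with the Windows XP / Server 2003 or later syntax and output format, and the log path is a hypothetical choice.

```batch
@echo off
rem Added example, not code from the thread. Assign it as a computer
rem startup script so it runs as SYSTEM and can write to HKLM.
setlocal

set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
set "NAME=MaxTokenSize"

rem Target copied from the thread's .reg export (dword:00100000).
rem DWORD data in a .reg file is hexadecimal, so this is 1048576 decimal.
rem Decimal 100000 would be 0x186a0. Microsoft's guidance for this value
rem recommends not exceeding 65535 (0xffff); choose deliberately.
rem Write TARGET without leading zeros, the way reg query prints it.
set "TARGET=0x100000"

rem Hypothetical log location, chosen for this example.
set "LOG=%SystemRoot%\Temp\MaxTokenSize.log"

rem Read the current data. reg query prints: <name> <type> <data>.
rem CURRENT stays empty when the key or the value does not exist.
set "CURRENT="
for /f "tokens=1-3" %%A in ('reg query "%KEY%" /v %NAME% 2^>nul') do (
    if /i "%%A"=="%NAME%" if /i "%%B"=="REG_DWORD" set "CURRENT=%%C"
)

rem Nothing to do when the value is already correct.
if /i "%CURRENT%"=="%TARGET%" (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% %NAME% already %TARGET%
    exit /b 0
)

rem reg add creates the key and value if missing, or overwrites (/f).
reg add "%KEY%" /v %NAME% /t REG_DWORD /d %TARGET% /f >nul 2>&1
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% %NAME% write FAILED
    exit /b 1
)

rem The Kerberos parameter is picked up after the next restart.
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% %NAME% [%CURRENT%] to %TARGET%, restart pending
exit /b 0
```
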
  4.

    Regedit /s, you can also use the reg command. reg /? for info.

    Regards,
    /Jimmy
    --
    Jimmy Andersson, Q Advice AB
    Microsoft MVP - Directory Services
    ---------- www.qadvice.com ----------

  5.

    You can use .bat or .cmd if you want.

    Regards,
    /Jimmy
    --
    Jimmy Andersson, Q Advice AB
    Microsoft MVP - Directory Services
    ---------- www.qadvice.com ----------

  6.

    you can create a GPO containing the key and send it down to all PCs on the
    domain.
    Click edit on a policy and go to computer configuration - windows settings -
    security settings and right click registry. you can then add the registry
    key from your current PC.
    then send this down to a test OU and if that works the domain.

  7.

    Hi,

    Just to add another to the mix, you can do it as a VBScript Startup
    Script. I do it all the time to edit my machine registries. Then
    schedule restarts with shutdown.exe command. Test first as I don’t
    usually use the DWORD and may have the settings off.

    ' Write both Kerberos parameters as REG_DWORD values.
    ' RegWrite converts the value to an integer, so the string "00100000"
    ' is stored as decimal 100000.
    Dim Path, ws, v
    Path = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\"
    Set ws = WScript.CreateObject("WScript.Shell")

    ws.RegWrite Path & "MaxPacketSize", "00000001", "REG_DWORD"
    v = ws.RegRead(Path & "MaxPacketSize")   ' read back to confirm the write

    ws.RegWrite Path & "MaxTokenSize", "00100000", "REG_DWORD"
    v = ws.RegRead(Path & "MaxTokenSize")    ' read back to confirm the write

    Set ws = Nothing

    Cheers,

    Lara

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
    Articles individually checked for conformance to usenet standards
    Topic URL: http://www.windowsforumz.com/Group-Policy-add-edit-registry-key-ftopict267962.html
    Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=844276
  8.

    If the users are not Admins will they be able to run the login script for
    items under HKLM??

    This is probably best set via machine group policies.

  9.

    In article <015BF7B3-BEDF-485C-B5A6-87D68E2F5CAD@microsoft.com>,
    StephenLawlor@discussions.microsoft.com says...
    > you can create a GPO containing the key and send it down to all PCs on the
    > domain.
    > Click edit on a policy and go to computer configuration - windows settings -
    > security settings and right click registry. you can then add the registry
    > key from your current PC.
    > then send this down to a test OU and if that works the domain.
    >
    >
    >

    I tested this as it would be the ideal way for me but it does not appear
    to create the key ...

    I created a policy on my test domain on an OU, done as you said ... on
    checking the test workstation I confirmed it had received the policy
    with gpresult but it didn't create the key

    it said security settings had been received via this method - I take it
    this only allows security settings and not to create a key?
  10.

    >If the users are not Admins will they be able to run the login script
    >for items under HKLM??

    I do it in STARTUP scripts, not logon scripts. Therefore all the
    permissions needed are SYSTEM=Full Control which is the standard
    default permission as startup scripts run under the machine account
    not the user account.

    Cheers,

    Lara
