How do I add/edit a registry key using group policy?

Guest
Archived from groups: microsoft.public.win2000.group_policy

We have a situation with regards to Active Directory where our large
number of groups is stopping various tasks with various errors such as
'cannot complete task out of storage space'. Things like adding a domain
group or user to a workstation get this error for example.

It's been tracked down to the following registry key where I've added the
DWord 'MaxTokenSize' and a value of 100000 whereas the default is 12000.
This has solved the problems on machines it has been applied to so we
want to distribute this to all across the domain.

The "MaxPacketSize" dword already existed, it's only the "MaxTokenSize" I
want to affect ... if it already exists to edit it to 100000 or create
it and set it at 100000 if it doesn't exist.

How/Can I do this with group policy?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001
"MaxTokenSize"=dword:00100000
 
Guest

jas0n wrote:
> We have a situation with regards to Active Directory where our large
> number of groups is stopping various tasks with various errors such as
> 'cannot complete task out of storage space'. Things like adding a domain
> group or user to a workstation get this error for example.
>
> It's been tracked down to the following registry key where I've added the
> DWord 'MaxTokenSize' and a value of 100000 whereas the default is 12000.
> This has solved the problems on machines it has been applied to so we
> want to distribute this to all across the domain.
>
> The "MaxPacketSize" dword already existed, it's only the "MaxTokenSize" I
> want to affect ... if it already exists to edit it to 100000 or create
> it and set it at 100000 if it doesn't exist.
>
> How/Can I do this with group policy?
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
>
> "MaxPacketSize"=dword:00000001
> "MaxTokenSize"=dword:00100000

Looking around, a StartUp script seems to be one way of doing it, so do I
put the following into a MaxTokenSize.reg file:-

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxTokenSize"=dword:00100000

.... and then call it from a StartUp script? What's the syntax for calling
a reg file, I saw one mention of:-

regedit -s \\server\scripts\maxtokensize.reg

Is this right?
 
Guest

Why not just export the correct settings (as you've probably done at the end of
your post) and then use the reg command to import it?
You can do this in a script that you then distribute via a GPO.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------

Guest

Jimmy Andersson [MVP] wrote:
> Why not just export the correct settings (as you've probably done at the end of
> your post) and then use the reg command to import it?
> You can do this in a script that you then distribute via a GPO.
>
> Regards,
> /Jimmy

Yes, I exported it that way ....

A startup script seems the way as it runs with high enough security to
change the HKLM, whereas a logon script wouldn't.

Would I use the command:-

reg import \\server\files\regchange.reg

If that's it, what is the startup script saved as? I've never used them,
are they .wsh files or can it just be a .bat or .cmd ?

How could I add a command so it only actions it if the key doesn't exist?
 
Guest

Regedit /s, you can also use the reg command. reg /? for info.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------

Guest

You can use .bat or .cmd if you want.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------

Guest

You can create a GPO containing the key and send it down to all PCs on the
domain.
Click edit on a policy and go to computer configuration - windows settings -
security settings and right click registry. You can then add the registry
key from your current PC.
Then send this down to a test OU and if that works the domain.

Guest

"Stephen Lawlor" wrote:
> You can create a GPO containing the key and send it down to all PCs on the
> domain.
> Click edit on a policy and go to computer configuration - windows settings -
> security settings and right click registry. You can then add the registry
> key from your current PC.
> Then send this down to a test OU and if that works the domain.

Hi,

Just to add another to the mix, you can do it as a VBScript Startup
Script. I do it all the time to edit my machine registries. Then
schedule restarts with shutdown.exe command. Test first as I don’t
usually use the DWORD and may have the settings off.

Dim ws, Path, v
Path = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\"
Set ws = WScript.CreateObject("WScript.Shell")

' RegWrite converts a string passed for REG_DWORD as a decimal number, so
' "00100000" is written as 100000 decimal. In a .reg file, dword:00100000
' is hexadecimal (1048576 decimal), so the two are not the same value.
ws.RegWrite Path & "MaxPacketSize", "00000001", "REG_DWORD"
v = ws.RegRead(Path & "MaxPacketSize")   ' read back what was written

ws.RegWrite Path & "MaxTokenSize", "00100000", "REG_DWORD"
v = ws.RegRead(Path & "MaxTokenSize")    ' read back what was written

Set ws = Nothing

Cheers,

Lara

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Group-Policy-add-edit-registry-key-ftopict267962.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=844276
 

Jordan

If the users are not Admins will they be able to run the login script for
items under HKLM??

This is probably best set via machine group policies.

Guest

In article <015BF7B3-BEDF-485C-B5A6-87D68E2F5CAD@microsoft.com>,
StephenLawlor@discussions.microsoft.com says...
> You can create a GPO containing the key and send it down to all PCs on the
> domain.
> Click edit on a policy and go to computer configuration - windows settings -
> security settings and right click registry. You can then add the registry
> key from your current PC.
> Then send this down to a test OU and if that works the domain.

I tested this as it would be the ideal way for me but it does not appear
to create the key ...

I created a policy on my test domain on an OU, done as you said ... on
checking the test workstation I confirmed it had received the policy
with gpresult but it didn't create the key.

It said security settings had been received via this method - I take it
this only allows security settings and not to create a key?
 
Guest

>If the users are not Admins will they be able to run the login script
>for items under HKLM??

I do it in STARTUP scripts, not logon scripts. Therefore all the
permissions needed are SYSTEM=Full Control, which is the standard
default permission, as startup scripts run under the machine account,
not the user account.

Cheers,

Lara

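The check asked about earlier in the thread (only write MaxTokenSize when it is missing or holds a different value), as a .cmd computer startup script. This is an added example, not part of the original thread; the event source name MaxTokenSizeGPO and the event IDs are made up for illustration, and it assumes reg.exe and eventcreate.exe as shipped with Windows XP / Server 2003 or later.

```batch
@echo off
rem Added example (not from the thread): GPO computer startup script, runs as SYSTEM.
setlocal

set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
set "NAME=MaxTokenSize"
rem Matches the thread's export (dword:00100000). .reg dword values are hexadecimal,
rem so this is 1048576 decimal, not 100000. Set WANT to the value you actually intend.
set "WANT=0x100000"

rem Read the current value, if any. reg query prints one line: name, type, data.
set "HAVE="
for /f "tokens=1-3" %%A in ('reg query "%KEY%" /v %NAME% 2^>nul') do (
    if /i "%%A"=="%NAME%" if /i "%%B"=="REG_DWORD" set "HAVE=%%C"
)

rem Already correct: do nothing, so every boot after the first is a no-op.
if /i "%HAVE%"=="%WANT%" exit /b 0

rem Missing or different: create or overwrite only this one value (/f = no prompt).
rem MaxPacketSize and any other values under the key are left untouched.
reg add "%KEY%" /v %NAME% /t REG_DWORD /d %WANT% /f >nul 2>&1
if errorlevel 1 (
    eventcreate /L APPLICATION /T ERROR /SO MaxTokenSizeGPO /ID 901 /D "Failed to set %NAME% under %KEY%" >nul
    exit /b 1
)

rem Leave an audit trail of what changed; the new size applies after a restart.
if not defined HAVE set "HAVE=(not set)"
eventcreate /L APPLICATION /T INFORMATION /SO MaxTokenSizeGPO /ID 900 /D "%NAME% changed from %HAVE% to %WANT%; restart required" >nul
exit /b 0
```

Assign the script under Computer Configuration - Windows Settings - Scripts (Startup) on a test OU first. Microsoft's later guidance recommends not setting MaxTokenSize above 65535, so confirm the value before rolling it out domain-wide.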