Deploying a Reg Key to HKLM on all Machines

Guest
Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.server.active_directory (More info?)

Hi,

What technique could I use to deploy a Reg key called 'MyCompany' to all
computers in a specific OU? I also want to control the permission set on
this key to only allow specific Security Groups to have full control.

I'm currently running an AD environment on a Windows 2000, SP3 Server, all
my workstations are Windows 2000 Professional systems running SP3.

Regards,
The Poster.
 
Guest

The only way to do it is through a script (.NET/VBScript) that you can define in
the GPO and place it on top of the OU structure. You can define this script
with the logon script to run after the comp is up. You can also define the
permissions part in the script to include explicit permissions for the
certain group. Other than that, look for some third-party tools that can do
this (try Winternals etc.).

jSx

"The Poster" wrote:

> Hi,
>
> What technique could I use to deploy a Reg key called 'MyCompany' to all
> computers in a specific OU? I also want to control the permission set on
> this key to only allow specific Security Groups to have full control.
>
> I'm currently running an AD environment on a Windows 2000, SP3 Server, all
> my workstations are Windows 2000 Professional systems running SP3.
>
> Regards,
> The Poster.
 
Guest

The Poster wrote:

> Hi,
>
> What technique could I use to deploy a Reg key called 'MyCompany' to all
> computers in a specific OU? I also want to control the permission set on
> this key to only allow specific Security Groups to have full control.
>
> I'm currently running an AD environment on a Windows 2000, SP3 Server, all
> my workstations are Windows 2000 Professional systems running SP3.

Hi,

You can use "pure" Group Policy to push out your own registry
settings (see further down).


But I think I would have done it in a computer startup script (set with a
GPO).

Computer startup script runs as part of the boot up process
(before the user logs in) and it runs under the system context
and has administrator rights.


SubInACL.exe can be used to set the permissions. A new, bug-fixed
version of SubInACL.exe is available for download here
(Win2k/WinXP/Win2k3):

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b


Then there is a free 3rd party utility that you can use for this:

SETACL (freeware) at
http://setacl.sourceforge.net/

SetACL can set permissions on:

Local or remote directories
Local or remote files
Local or remote printers
Local or remote registry keys
Local or remote Win32 services
Local or remote network shares


Alternatively:

You can push out that registry value with a GPO using a
custom administrative template ("tattooing" the registry on
the clients)...

HOW TO: Create Custom Administrative Templates in Windows 2000
http://support.microsoft.com/?kbid=323639

225087 Writing Custom ADM Files for System Policy Editor
http://support.microsoft.com/?kbid=225087

Implementing Registry-Based Group Policy
go.microsoft.com/fwlink/?LinkId=28188

Implementing Registry-based Policy [Group Policy]
http://msdn.microsoft.com/library/en-us/policy/policy/implementing_registry_based_policy.asp



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
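
Added example, not written by any poster in this thread: one way to write the computer startup script suggested above so that it creates the key and then replaces its ACL with an explicit, non-inherited one. It assumes PowerShell is available on the clients (it is not part of Windows 2000 SP3, where SubInACL or SetACL would do the ACL step); the path under `HKLM\SOFTWARE`, the group name `EXAMPLE\MyCompany-RegAdmins` and the read-only rule for Authenticated Users are placeholders.

```powershell
# Added example: computer startup script (runs as SYSTEM when assigned via GPO).
# Placeholder values (assumptions, not from the thread):
$SubKey     = 'SOFTWARE\MyCompany'
$FullGroups = @('EXAMPLE\MyCompany-RegAdmins')   # hypothetical domain group
$ErrorActionPreference = 'Stop'                  # any failure aborts the script

$Inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$Prop    = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-KeyRule($Sid, [System.Security.AccessControl.RegistryRights]$Rights) {
    New-Object System.Security.AccessControl.RegistryAccessRule($Sid, $Rights, $Inherit, $Prop, $Allow)
}

# Build the DACL from scratch and protect it, so ACEs inherited from
# HKLM\SOFTWARE are dropped rather than merged with the explicit ones.
$acl = New-Object System.Security.AccessControl.RegistrySecurity
$acl.SetAccessRuleProtection($true, $false)

# SYSTEM (S-1-5-18) and local Administrators (S-1-5-32-544) keep full control
# so later runs of this script can still manage the key.
foreach ($s in 'S-1-5-18', 'S-1-5-32-544') {
    $sid = New-Object System.Security.Principal.SecurityIdentifier $s
    $acl.AddAccessRule((New-KeyRule $sid 'FullControl'))
}

# Resolve each group name to a SID first: Translate() throws if the name does
# not resolve, which stops the script before any ACL is applied.
foreach ($g in $FullGroups) {
    $sid = (New-Object System.Security.Principal.NTAccount $g).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $acl.AddAccessRule((New-KeyRule $sid 'FullControl'))
}

# Assumption: everyone else may read but not modify. Remove to hide the key.
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$acl.AddAccessRule((New-KeyRule $authUsers 'ReadKey'))

# CreateSubKey is idempotent (it opens the key if it already exists). The key
# is reopened with ChangePermissions, which the handle needs to write the DACL.
[Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey).Close()
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]::ChangePermissions)
try { $key.SetAccessControl($acl) } finally { $key.Close() }

# Read the ACL back and fail loudly if inheritance is still enabled.
$check = Get-Acl -Path "HKLM:\$SubKey"
if (-not $check.AreAccessRulesProtected) { throw "DACL on HKLM\$SubKey is still inheriting" }
```

Because the ACL is rebuilt on every boot, a manual permission change on a client is reverted at the next startup.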