Windows 7 User Log off scripts - Keys getting deleted after reboot - windows-7

I am trying to create a user log off script by adding a registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Logoff.
After I install the msi I built, the registry keys are set properly. Once the installation ends, the system is rebooting and I see that the keys are deleted.
What could be going wrong?

That key is owned by group policy. Anything you change there will be changed back by group policy on the next refresh. You shouldn't store anything in the Group Policies manually or via your program to the registry. If you add the key via group policy, it will stay.

Related

Unable to update group policy(local gpo) status to "Not Configured" using Powershell

With PowerShell, by updating the corresponding registry keys we are able to toggle the local GPO status to "Enabled" or "Disabled", but I have a specific requirement to make sure that certain local GPOs are set to "Not configured". I tried deleting the corresponding registry keys but it didn't help.
Is there any way to achieve this in PowerShell?
If I run Local Group Policy Editor (gpedit.msc) as Administrator and set the Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny write access policy to Enabled or Disabled, according to Process Monitor that is actually setting the Deny_Write value at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{GUIDGUID-GUID-GUID-GUID-GUIDGUIDGUID}Machine\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
If I modify, delete, or rename that Deny_Write value as Administrator then I see the change reflected in Local Group Policy Editor when I edit/reopen that policy. I'm not exactly certain how it is that a machine policy is being set under a user's registry; perhaps there's a symbolic link or loaded hive at play. Process Monitor indicates that C:\Windows\System32\GroupPolicy\Machine\Registry.pol is also modified at the time I set the policy, so that must be the underlying storage for Group Policy-based registry changes.

How to propagate modification of HKLM to gpedit?

I would like to modify (enable and set the value of) a Machine Group Policy with PowerShell. I understood this kind of policy is based on the registry. That's why I tried to add my value with the Set-ItemProperty command.
The new value is correctly set in the registry but gpedit doesn't see it.
I tried to use the GroupPolicy commands but I don't see how to address the Local Group Policy because I can't manage to get a correct GUID.
The key I want to change is this one: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
I think I'm missing something but I don't know what. Any idea?
Thanks
The answer you are looking for can be found at https://superuser.com/questions/1192405/why-gpedit-and-the-corresponding-registry-entries-are-not-synchronized
Quoted from Wes
Since the changes you make in the group policy editor affect what you see in the registry, it's perfectly logical to assume that the reverse is also true. However, it doesn't work that way.
Local group policy settings (which is what I believe you are referring to in your post) are stored in registry.pol files located in C:\Windows\system32\GroupPolicy. These files overwrite the corresponding keys in the registry every time the system performs a group policy refresh. The editor never actually reads the registry to see what settings it contains.
A group policy refresh is triggered whenever one of the following events occurs:
At a regularly scheduled refresh interval (every 90 minutes by default)
A user logon or logoff event (user policy only)
A computer reboot (computer policy only)
A manually triggered refresh via gpupdate
A policy refresh command issued by an admin from the domain controller (if the computer is domain-joined).
It's important to remember that if the computer is domain-joined, domain policies will be applied after the local group policy files are processed (meaning that some settings may get overwritten by domain policy). You will not be able to see domain policies in the local group policy editor.
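The registry.pol storage described in the answer above can be read directly to see which values a refresh will write back. The following is an added example, not part of the quoted answer or the original posts: a Python parser for the PReg version 1 layout as documented by Microsoft (header, then `[key;value;type;size;data]` records in UTF-16LE). The sample bytes and the `C:\Tools\agent.exe` path are constructed, and the helper names are hypothetical.

```python
import struct

REG_SZ, REG_DWORD = 1, 4
RUN_KEY = "\\policies\\explorer\\run"   # policy-backed autorun key named in the question

def parse_pol(blob):
    """Return (key, value, type, data) for each record of a Registry.pol (PReg v1) blob."""
    if len(blob) < 8 or blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a PReg version 1 file")
    pos, out = 8, []
    def take(n):                        # consume n bytes, refusing to run off the end
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError(f"truncated at offset {pos}")
        pos += n
        return blob[pos - n:pos]
    def sep(ch):                        # delimiters [ ; ] are UTF-16LE characters
        if take(2) != ch.encode("utf-16-le"):
            raise ValueError(f"expected {ch!r} before offset {pos}")
    def wstr():                         # NUL-terminated UTF-16LE string
        units = []
        while (u := take(2)) != b"\x00\x00":
            units.append(u)
        return b"".join(units).decode("utf-16-le")
    while pos < len(blob):
        sep("["); key = wstr()
        sep(";"); value = wstr()
        sep(";"); rtype, = struct.unpack("<I", take(4))
        sep(";"); size, = struct.unpack("<I", take(4))
        sep(";"); raw = take(size); sep("]")
        if rtype == REG_SZ:
            raw = raw.decode("utf-16-le").rstrip("\x00")
        elif rtype == REG_DWORD and size == 4:
            raw, = struct.unpack("<I", raw)
        out.append((key, value, rtype, raw))
    return out

def autoruns(entries):                  # records under the policy Run key
    return [e for e in entries if RUN_KEY + "\\" in e[0].lower() + "\\"]

def make_record(key, value, rtype, raw):    # encode one constructed record for the sample
    head = f"[{key}\0;{value}\0;".encode("utf-16-le")
    return head + struct.pack("<I2sI2s", rtype, b";\0", len(raw), b";\0") + raw + b"]\0"

# Constructed sample, not taken from a real machine.
SAMPLE = b"PReg" + struct.pack("<I", 1) + make_record(
    "Software\\Policies\\Microsoft\\Windows\\RemovableStorageDevices\\"
    "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}", "Deny_Write", REG_DWORD, struct.pack("<I", 1),
) + make_record("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
                "1", REG_SZ, "C:\\Tools\\agent.exe\0".encode("utf-16-le"))
```

On a live system the input would be the bytes of C:\Windows\System32\GroupPolicy\Machine\Registry.pol; comparing the parsed records with the live registry shows which manual edits the next refresh will overwrite.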

How to detect Active Setup in MSI

I have an MSI installation package that is installed as the SYSTEM user and adds an active setup entry to the registry. This setup makes sure that when a new user (new = one that has not executed this setup until now) is logging on, msiexec adds all missing registry entries.
In the MSIEXEC I need to do a net use to mount the user's home directory. This cannot be done as the SYSTEM user and needs to be done in the user context.
However, I seem to be completely unable to detect that the setup is currently running in the user context. That's why I thought it would be nice to give additional parameters to the StubPath in the active setup entry. I tried NETUSE=1. This however did nothing. The setup just ignored this parameter and uses the parameter given during installation. So NETUSE stays 0.
Any ideas what kind of condition I could use for my custom net-use action?
Why is an MSI mounting a user's home directory? I would write a small utility to do all this work and just have the MSI put it in the Run registry key. Install once per machine as System and then when the user logs in the utility gets called and does whatever per-user work you need to have done.
If the installer legitimately needs to populate per user registry data then that is fine to continue the active setup pattern.
You can try to use your own custom action configured to run only when the LogonUser property is different than SYSTEM.

adding registry key for Windows local SYSTEM user

I am somewhat new to Registry Keys in Windows. What I want to do is add a registry key ONCE that will take effect on the local SYSTEM user (for as long as my program is installed). This registry key will need to be added through a batch file while logged on as a regular user (not the SYSTEM user). What I am doing exactly is running a batch script that creates a windows service. This service is running as the local system user. The service is trying to do something that requires a registry key to be set. I tried manually setting the registry key in HKEY_LOCAL_MACHINE but I am still hitting the roadblock when my service is run. Is this the correct place to change registry keys so that the local system account will see them? Any knowledge on the subject would be greatly appreciated!

Some of my windows registries (Vista) are not accessible due to permission violations. How to resolve it?

Some of my windows registry permissions have been changed. It denies access to services like SQL Server. What is the issue here and how can it be resolved? Moreover I am able to login only in safe mode.
You can change permissions using regedit.exe. Try clicking on a registry key and choosing the "Permissions" option. On my computer the permissions are set in the following way:
the System group and the Administrators group - full control
the Restricted group - read
the Everyone group - read (on branches like HKEY_LOCAL_MACHINE)
