Which has the greater precedence: Windows Group Policy or Registry Keys - windows

Say there is a group policy that prevents the user from using the "run" command in Windows. What would happen if there was a registry key that contradicted this i.e. allowed the user to use the run command?
Would the user be able to use "run" or not?
Thanks a lot for any answer!

Group policy is periodically applied to the registry so if a group policy is set to a certain setting it will change the relevant registry setting to conform to it, so in that sense group policy takes precedence.
However, when the OS checks to see whether the user should be permitted to use the run command it will only check the registry, not group policy so in that sense registry takes precedence.
In practice it means that if you change the registry at any given moment then the registry setting will be honored, until the next group policy update takes place, at which point your registry change will be overwritten to align with group policy. In this regard you can think of group policy as being an automatic mechanism for changing registry settings to the desired value in organisations.
The frequency at which group policy is applied is also configurable, but usually it gets applied when you log on to Windows and then at scheduled intervals.

Related

Unable to update group policy (local GPO) status to "Not Configured" using PowerShell

With PowerShell, by updating the corresponding registry keys we are able to toggle the local GPO status to "Enabled" or "Disabled", but I have a specific requirement to make sure that certain local GPOs are set to "Not configured". I tried deleting the corresponding registry keys but it didn't help.
Is there any way to achieve this in PowerShell?
If I run Local Group Policy Editor (gpedit.msc) as Administrator and set the Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny write access policy to Enabled or Disabled, according to Process Monitor that is actually setting the Deny_Write value at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{GUIDGUID-GUID-GUID-GUID-GUIDGUIDGUID}Machine\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
If I modify, delete, or rename that Deny_Write value as Administrator then I see the change reflected in Local Group Policy Editor when I edit/reopen that policy. I'm not exactly certain how it is that a machine policy is being set under a user's registry; perhaps there's a symbolic link or loaded hive at play. Process Monitor indicates that C:\Windows\System32\GroupPolicy\Machine\Registry.pol is also modified at the time I set the policy, so that must be the underlying storage for Group Policy-based registry changes.

How to propagate a modification of HKLM to gpedit?

I would like to modify (enable and set the value of) a Machine Group Policy with PowerShell. I understood this kind of policy is based on the registry. That's why I tried to add my value with the Set-ItemProperty command.
The new value is correctly set in the registry but gpedit doesn't see it.
I tried to use the GroupPolicy commands but I don't see how to address the Local Group Policy because I can't manage to get a correct GUID.
The key I want to change is this one: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
I think I'm missing something but I don't know what. Any idea?
Thanks
The answer you are looking for can be found at https://superuser.com/questions/1192405/why-gpedit-and-the-corresponding-registry-entries-are-not-synchronized
Quoted from Wes
Since the changes you make in the group policy editor affect what you see in the registry, it's perfectly logical to assume that the reverse is also true. However, it doesn't work that way.
Local group policy settings (which is what I believe you are referring to in your post) are stored in registry.pol files located in C:\Windows\system32\GroupPolicy. These files overwrite the corresponding keys in the registry every time the system performs a group policy refresh. The editor never actually reads the registry to see what settings it contains.
A group policy refresh is triggered whenever one of the following events occurs:
- At a regularly scheduled refresh interval (every 90 minutes by default)
- A user logon or logoff event (user policy only)
- A computer reboot (computer policy only)
- A manually triggered refresh via gpupdate
- A policy refresh command issued by an admin from the domain controller (if the computer is domain-joined).
It's important to remember that if the computer is domain-joined, domain policies will be applied after the local group policy files are processed (meaning that some settings may get overwritten by domain policy). You will not be able to see domain policies in the local group policy editor.
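The Registry.pol file named above (in the asker's Process Monitor trace and in Wes's answer) is what the refresh writes from, which is why a hand-edited registry value only survives until the next refresh, as the first answer on this page explains. As an added example that is not from this thread, here is a small Python parser for that PReg layout ("PReg" magic, version 1, then `[key;value;type;size;data]` records in UTF-16LE) plus a check that reports live registry values the next refresh will overwrite; the sample file bytes, the NoRun entry and the live-registry snapshot are constructed here, not taken from any real machine.

```python
import struct

REG_DWORD = 4

def _u(s):
    """Encode a str as UTF-16LE, the encoding used throughout a Registry.pol file."""
    return s.encode("utf-16-le")

def _entry(key, value, reg_type, data):
    """Encode one [key;value;type;size;data] record (used to build the sample)."""
    return (_u("[") + _u(key) + _u("\0") + _u(";") + _u(value) + _u("\0") + _u(";")
            + struct.pack("<I", reg_type) + _u(";")
            + struct.pack("<I", len(data)) + _u(";") + data + _u("]"))

# Constructed sample: a Registry.pol that enforces "Remove Run menu" (NoRun = 1).
EXPLORER_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAMPLE_POL = (b"PReg" + struct.pack("<I", 1)
              + _entry(EXPLORER_KEY, "NoRun", REG_DWORD, struct.pack("<I", 1)))

def parse_registry_pol(blob):
    """Return {(key, value): (type, data)} from the bytes of a Registry.pol file."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 PReg file")
    pos, entries = 8, {}
    def read_str():            # null-terminated UTF-16LE string, scanned per code unit
        nonlocal pos
        end = pos
        while blob[end:end + 2] != b"\0\0":
            end += 2
        s = blob[pos:end].decode("utf-16-le")
        pos = end + 2
        return s
    def expect(ch):            # one UTF-16LE delimiter character
        nonlocal pos
        if blob[pos:pos + 2] != _u(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 2
    while pos < len(blob):
        expect("[")
        key = read_str(); expect(";")
        value = read_str(); expect(";")
        reg_type = struct.unpack_from("<I", blob, pos)[0]; pos += 4; expect(";")
        size = struct.unpack_from("<I", blob, pos)[0]; pos += 4; expect(";")
        data = blob[pos:pos + size]; pos += size
        expect("]")
        entries[(key, value)] = (reg_type, data)
    return entries

def drift(pol_entries, live):
    """Values whose live state (a {(key, value): data} snapshot) differs from
    what the next policy refresh will write back, i.e. edits that will not survive."""
    return {kv: (live.get(kv), data) for kv, (_, data) in pol_entries.items()
            if live.get(kv) != data}
```

On a real system `live` would be filled from HKCU/HKLM with winreg or PowerShell; the function then lists exactly the manual registry edits the refresh is about to undo.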

Windows 7 User Log off scripts - Keys getting deleted after reboot

I am trying to create a user log off script by adding a registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Logoff.
After I install the msi I built, the registry keys are set properly. Once the installation ends, the system is rebooting and I see that the keys are deleted.
What could be going wrong?
That key is owned by group policy. Anything you change there will be changed back by group policy on the next refresh. You shouldn't store anything in the Group Policies manually or via your program to the registry. If you add the key via group policy, it will stay.

How to make an application GPO aware?

I'm writing an application in Delphi 2010, and I'd like to provide the option to the administrator to configure it via Group Policy. Any recommendations on good ways to make my application GPO aware? Note, I am only looking to create a computer based GPO, not user.
My current solution involves simply first determining if any values have been written to the registry at HKLM\software\policies\MyProgram. If they have, I assume that GPO has been applied and I use this location to read configuration.
If nothing exists at the above registry location, I proceed to reading configuration at the standard location, whether that's an INI file, or another reg key does not matter. At this point, I make the assumption in the program that group policies are not being used.
Would anyone suggest a better way to make this application GPO aware?
It's not that you have to be group policy aware, it's that the group policy has to be aware of the registry keys your program uses.
The purpose of custom Group Policy Templates is to have a user-interface for managing a custom set of registry keys used by a particular program. The domain administrator sets the policy to the desired values, and the policy is pushed out to machines on the domain.
In your case, the custom policy template will define the corresponding HKLM registry keys that your program uses. You can now trust that the values stored in:
HKLM\Software\MickSoftware\My Program 2010
are what the administrator has desired be there.
Note: The following "policy" registry locations are non-persistent:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
HKEY_CURRENT_USER\SOFTWARE\Policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
"This means that when you log off the computer or when you shut down the computer, the policy settings are removed."
So it seems to me you want to store your registry values where you normally store them, e.g.:
HKLM\Software\Avatar Software Creations\HelpDesk\DatabaseServer
ServerName: REG_SZ = "lithium"
UserID: REG_SZ = "helpdesk"
Password: REG_SZ = "aSBsb3ZlIHlvdSBLaXJzdGVuIFNoZWxieSBHdXllcg=="

Modifying/detecting Local Security Policy programmatically

Is it possible to do at least one of the following:
1) Detect a setting of a Local Security Policy (Accounts: Limit local account use of blank passwords to console logon only)
2) Modify that setting
Using Win32/MFC?
Well, I think I figured out how to do the first part (detecting this setting). It's actually located in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
the key is "LimitBlankPasswordUse", if it's 1 then it's Enabled, otherwise Disabled.
So, reading that will at least show me if I need to tell the user to modify it or not. I doubt I can change it though...
I've been down this road before and ended up with:
http://groups.google.com/group/microsoft.public.platformsdk.security/browse_thread/thread/63d884134958cce7?pli=1
I was able to configure User Rights Assignments using the Lsa* functions in advapi32.dll but could never work out how to configure Security Options.
This may be of help though:
http://www.windowsdevcenter.com/pub/a/windows/2005/03/15/local_security_policies.html
http://support.microsoft.com/default.aspx?scid=214752
You could customise a template then run regsvr32 %windir%\system32\scecli.dll from inside your code.
Not elegant but might be a way.