You can use Group Policy Preferences (GPP) to centrally manage registry keys, parameters, and their values on domain computers in Active Directory. This article shows how to use Group Policy to add, modify, import, and delete registry items on domain-joined computers.
How to Add/Modify Registry Keys and Values with GPO
In this example, we are going to change the value of the SearchOrderConfig registry parameter under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching registry key.
You can modify a registry entry through either the Computer Configuration or the User Configuration section of the GPO. Use the Computer or User Configuration GPP depending on the target registry hive (HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER, respectively).
There are three options for selecting the registry key:
- Registry Wizard — lets you browse the registry of the local or a remote computer as a reference, using the built-in GPP registry browser;
- Collection Item — creates a folder in which related registry items are grouped. This is useful if you need to add a group of registry parameters;
- Registry Item — lets you manually enter a single registry key, parameter name, or value.
Let’s try to use the GPO Registry Wizard to set a registry parameter value:
- Open the Group Policy Management console (gpmc.msc);
- Create a new (or edit an existing) GPO, and link it to the appropriate Active Directory OU. Then right-click GPO and select Edit;
- Expand the following GPO section: Computer (or User) Configuration > Preferences > Windows Settings > Registry. Select New > Registry Wizard;
- The Registry Wizard lets you browse the registry of the local computer. You can also connect to the registry of a remote computer and select an existing registry key and parameter there;
- Specify the remote computer name (or IP address). Use the Registry Browser tree to locate and select an existing registry key/parameter;
- In this example, we want to add only one registry item: the REG_DWORD parameter named SearchOrderConfig;
- The parameter, with its full registry path and value, will be imported into the GPO editor console. You can change its value and the action. To set a specific registry parameter value, use the Update action (see below);
- After the next Group Policy refresh, this registry value will be applied to all computers or users in the target OU. You can force an immediate update on a client with the gpupdate /force command.
You can also enter the full registry key path and parameter name manually:
- Select New > Registry Item;
- Enter the hive (HKLM, HKCU, etc.), the key path relative to that hive, the value name, type, and data. Do not repeat the hive name at the start of the key path; otherwise the item is created under a nested key such as HKEY_LOCAL_MACHINE\HKEY_LOCAL_MACHINE\…;
Important. The following registry hive names can be used:
- HKEY_CLASSES_ROOT (HKEY_LOCAL_MACHINE\Software\Classes);
- HKEY_CURRENT_CONFIG (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current);
- HKEY_LOCAL_MACHINE;
- HKEY_CURRENT_USER (if you set an HKCU key from the Computer Configuration section, HKEY_USERS\.DEFAULT is used instead, because computer preferences are applied under the SYSTEM account rather than a logged-on user);
- HKEY_USERS — affects individual user profiles (loaded hives are addressed by SID).
- Select the GPP action:
There are four types of action for registry items:
- Create — creates the registry parameter. If the parameter already exists, its value is not changed;
- Update (default) — if the parameter already exists, its value is updated to the one specified in the GPP item. If not, a parameter with the specified value is created;
- Replace — if the registry item already exists, it is deleted and recreated (rarely used). If the key or value does not exist, a new registry entry is created. If the target item is a registry key, this action removes all its parameters and subkeys, leaving only a default value name with no data. If the target item is a registry value, Replace overwrites any existing data;
- Delete — removes the registry value. If the target item is a key, the key is removed together with all its values and subkeys.
There are many useful options on the Common tab:
- Run in logged-on user’s security context (user policy option) — the registry item is written with the permissions of the current user instead of the SYSTEM account. If the user doesn’t have local admin permissions, the item can only be written to the HKEY_CURRENT_USER hive (not to HKEY_LOCAL_MACHINE);
- Remove this item when it is no longer applied — when the GPO no longer applies to the computer or user (for example, it is unlinked from the AD container or the item-level targeting no longer matches), the registry item is deleted. Note that GPP does not keep a copy of the previous data, so the value is removed rather than restored to its original state;
- Apply once and do not reapply — the item is applied only once per computer or user, instead of at every Group Policy refresh;
- Item-level targeting — applies the registry item only to targets that match the conditions you specify (computer name or OS, AD group membership, Active Directory site, time range, etc.).
The final report with the registry settings in the GPMC console looks like this:
Remove the Registry Entry with the Group Policy
You can also use GP Preferences to remove a specific registry key or value on domain computers.
For example, you may want to delete a certain parameter under a key in HKEY_CURRENT_USER.
- Create a new registry GPP entry in User Configuration > Preferences > Windows Settings > Registry;
- Use the Registry Browser to select the parameter or key;
- Expand the registry key in the GPO console. Open the parameter properties, and change the Action to Delete;
- Save the changes;
- The specified parameter will be removed from the user’s registry hive at the next policy refresh. If you select a key rather than a value, the Delete action removes the whole key with all its values and subkeys, so double-check which item the GPP entry points to.
You can create many registry items in a single GPO. Items are processed in the sequence shown in the Order column; if two GPP items write the same registry value, the item processed last (the one with the higher order number) wins. You can change the order of the registry items using the up and down buttons at the top of the GPO editor console.
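The same preference items (the HKLM Update item from the Registry Wizard walkthrough above and the HKCU Delete item from this section) can be created without the GPMC editor using the GroupPolicy module that ships with RSAT. The script below is an added example, not code from the original article; the GPO name, the OU distinguished name, the value data for SearchOrderConfig (0) and the HKCU value being deleted (Software\App1\LegacySetting) are placeholders chosen for illustration.

```powershell
# Added example (not from the original article). Requires RSAT: Group Policy
# Management tools and rights to create/link GPOs in the domain.
# Assumed placeholders: GPO name, OU DN, SearchOrderConfig data, HKCU value name.
Import-Module GroupPolicy

$gpoName  = 'Registry Settings Example'            # assumed GPO name
$targetOU = 'OU=Workstations,DC=corp,DC=local'     # assumed OU

# Create the GPO once and link it to the OU
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName
    New-GPLink -Name $gpoName -Target $targetOU | Out-Null
}

# Computer Configuration > Preferences > Windows Settings > Registry, Action = Update:
# creates the value if it is missing, otherwise overwrites its data.
# The key path is relative to the hive: do not repeat HKEY_LOCAL_MACHINE inside it.
Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Update `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching' `
    -ValueName 'SearchOrderConfig' -Type DWord -Value 0 | Out-Null

# User Configuration, Action = Delete: remove one value from the user's hive.
# Without -ValueName the whole key and its subkeys would be deleted.
Set-GPPrefRegistryValue -Name $gpoName -Context User -Action Delete `
    -Key 'HKCU\Software\App1' -ValueName 'LegacySetting' | Out-Null

# Review what the GPO will push. Items are processed by Order; when two items
# write the same value, the one processed last wins.
$items = @(
    Get-GPPrefRegistryValue -Name $gpoName -Context Computer `
        -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching'
    Get-GPPrefRegistryValue -Name $gpoName -Context User -Key 'HKCU\Software\App1'
)
$items | Select-Object Order, Action, FullKeyPath, ValueName, Type, Value | Format-Table -AutoSize

# On a client, after gpupdate /force, confirm the computer item actually landed
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching' `
    -Name SearchOrderConfig
```

Run the first part on a management host; the last Get-ItemProperty line belongs on a client. If you later want the value removed when the GPO goes out of scope, that is the "Remove this item when it is no longer applied" option in the editor; the cmdlet creates the item with the default Common settings.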
To access the registry of a remote computer with the Registry Browser, the Remote Registry service must be running on that computer. Otherwise, you will get a ‘Network path not found’ error. You can start the service manually using the services.msc console. The service is disabled by default on client editions of Windows; consider stopping it again once you have selected the key, since it exposes the registry to remote callers.
You can also use PowerShell to check the service status remotely and start it (the -ComputerName parameter of Get-Service is available in Windows PowerShell 5.1 but was removed in PowerShell 7):
$remoteservice = Get-Service RemoteRegistry -ComputerName PC2212ba
$remoteservice | Set-Service -StartupType Manual
$remoteservice | Start-Service
How to Install a Reg File on Domain Computers with GPO
You can also use a GPO to deploy a REG file containing a large number of registry settings to computers. In this case, use a GPO startup script to import the REG file instead of manually creating individual registry items in the GPP editor.
- Export the registry key on the reference computer to a REG file. Open the registry editor (regedit.exe), right-click the registry key, and select Export. Specify the name of the file to save the exported key to;
- You can edit the REG file manually using any text editor: remove unnecessary keys, edit parameter values (if necessary), and add new keys or parameters;
To delete a registry key using a REG file, put a hyphen (-) in front of the registry path inside the square brackets. For example:
[-HKEY_LOCAL_MACHINE\Software\App1]
- Go to the GPMC console, create a new GPO, and link it to the OU with the target computers (a computer startup script is the right choice for settings in the HKLM hive; HKCU settings need a user logon script, which runs in the user’s context);
- Go to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup;
- Click the Add button to add a new startup script;
- Click the Browse button; this opens the Startup scripts folder of this GPO in SYSVOL (\\domain-name\Sysvol\domain-name\Policies\…). Copy your REG file into this folder;
- Specify the following startup script options:
Script Name: regedit.exe
Script Parameters: /s your_reg_file.reg
This command silently imports the REG file into the registry on each target computer at startup. Startup scripts run under the local SYSTEM account, so everything in the file is written with full privileges; keep write access to the policy folder in SYSVOL restricted to administrators (the default), because anyone who can modify that REG file controls the registry of every computer the GPO is linked to.
- Save changes to the policy;
- The registry settings from your REG file will be applied to the target computers after the next reboot.
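Because the imported file runs as SYSTEM on every computer in scope, it is worth knowing exactly what it will do before linking the GPO. The parser below is an added example, not code from the original article: it reads the REG file syntax described above (a [KEY] header creates the key, a [-KEY] header deletes it with all subkeys, "Name"=data sets a value, and "Name"=- deletes a single value) and lists the resulting actions so that deletions stand out. The REG content embedded in $regText is constructed for illustration; for a real file, use Get-Content -Raw instead.

```powershell
# Added example (not from the original article): list what a REG file will change
# before it is imported as SYSTEM on every target computer.
# The REG text below is constructed for illustration.
$regText = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\App1]
@="App1"
"InstallPath"="C:\\Program Files\\App1"
"Enabled"=dword:00000001
"Flags"=hex:01,00,\
  02,00
"Message"=hex(2):48,00,69,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\App1\Legacy]
"OldValue"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\OldApp]
'@

function Get-RegFileActions {
    param([Parameter(Mandatory)][string]$Content)

    # hex: data may span lines; a trailing backslash continues on the next line
    $lines   = ($Content -replace '\\\r?\n\s*', '') -split '\r?\n'
    $hexKind = @{ '0' = 'None'; '2' = 'ExpandString'; '3' = 'Binary'; '7' = 'MultiString'; 'b' = 'QWord' }
    $actions = New-Object System.Collections.Generic.List[object]
    $currentKey = $null

    foreach ($raw in $lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';') -or $line -like 'Windows Registry Editor*' -or $line -eq 'REGEDIT4') { continue }

        # [KEY] creates the key (and missing parents); [-KEY] deletes it with all subkeys
        if ($line -match '^\[(-?)(.+)\]$') {
            $keyName = $Matches[2]
            $delete  = ($Matches[1] -eq '-')
            $act = if ($delete) { 'DeleteKey' } else { 'CreateKey' }
            $currentKey = if ($delete) { $null } else { $keyName }
            $actions.Add([pscustomobject]@{ Action = $act; Key = $keyName; Name = $null; Type = $null; Data = $null })
            continue
        }
        if ($null -eq $currentKey) { continue }   # value lines are only valid under a [KEY] header

        # "name"=data, or @=data for the (Default) value
        if ($line -match '^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$') {
            $name = if ($Matches[2]) { '(Default)' } else { $Matches[1] -replace '\\(.)', '$1' }
            $data = $Matches[3]
            $action = 'SetValue'; $type = 'Unparsed'; $value = $data
            switch -Regex ($data) {
                '^-$'                               { $action = 'DeleteValue'; $type = $null; $value = $null; break }
                '^"(.*)"$'                          { $type = 'String'; $value = $Matches[1] -replace '\\(.)', '$1'; break }
                '^dword:([0-9a-fA-F]{8})$'          { $type = 'DWord'; $value = [Convert]::ToUInt32($Matches[1], 16); break }
                '^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$' {
                    $code  = if ($Matches[1]) { $Matches[1].ToLower() } else { '3' }   # plain hex: is REG_BINARY
                    $type  = if ($hexKind.ContainsKey($code)) { $hexKind[$code] } else { "hex($code)" }
                    $value = ($Matches[2] -split ',' | ForEach-Object { $_.Trim() }) -join ' '
                    break
                }
            }
            $actions.Add([pscustomobject]@{ Action = $action; Key = $currentKey; Name = $name; Type = $type; Data = $value })
        }
    }
    return $actions
}

$actions = Get-RegFileActions -Content $regText
$actions | Format-Table -AutoSize

# Deletions deserve a second look: [-KEY] removes a whole subtree on every computer
$destructive = @($actions | Where-Object { $_.Action -in 'DeleteKey', 'DeleteValue' })
if ($destructive.Count -gt 0) {
    Write-Warning "REG file deletes $($destructive.Count) item(s); review before deploying"
}
```

Values whose data the parser does not recognise are reported with Type "Unparsed" rather than dropped, so nothing in the file goes unseen. Note that regedit /s itself gives no feedback about failures; if you need a return code from the startup script, reg.exe import sets a non-zero exit code on error.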
Setting Registry Key Permissions with Group Policy
You can also use Group Policy to assign permissions (ACLs) to registry keys. This feature may be useful if you want to grant a user permission to system-protected registry keys, or if you want to prevent non-administrator users from modifying some registry keys.
- Open the GPO;
- Expand Computer Configuration > Windows Settings > Security Settings > Registry;
- Right-click the Registry node and select Add Key;
- Use the built-in Registry Browser to select the local registry key to which you want to apply an ACL. If you want to set permissions for a registry key that is missing on the current computer, install the GPMC console on, and edit the GPO from, a computer that has that key;
- The Database Security dialog will open. Here you can change the ACL for this registry key. For example, grant Full Control (Read + Write + Change) permissions on the registry key to the caWKSPowerUsers Active Directory group. By default, this ACL is not inherited by nested subkeys. Click Advanced > Enable Inheritance to enable permission inheritance;
- Save the changes. In the Template Security Policy Settings dialog, choose how the ACL is applied to subkeys: Propagate inheritable permissions to all subkeys (subkeys receive the inheritable permissions and keep any explicit permissions of their own) or Replace existing permissions on all subkeys with inheritable permissions (explicit permissions on all subkeys are removed and replaced with those inherited from this key). Alternatively, select “Do not allow permissions on this key to be replaced” to leave the key’s current ACL untouched; this is how you exempt a subkey from a Replace setting configured on its parent;
- Close the GPO editor window and wait for the new permissions to be applied to computers.
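Once the policy has applied, check the result on a client rather than trusting the GPMC report: the script below, an added example that is not part of the original article, reads the key's ACL and lists every principal holding rights that allow modifying the key, its values or its permissions, flagging those outside an expected set. The key path (HKLM:\SOFTWARE\App1) and the trusted principals are assumptions for illustration; if Full Control for caWKSPowerUsers was intended, add that group to the list.

```powershell
# Added example (not from the original article): audit who can modify a registry
# key on a client after the Security Settings > Registry policy has applied.
# Assumed placeholders: the key path and the list of trusted principals.
function Get-RegistryKeyWriters {
    param(
        [Parameter(Mandatory)][string]$Path,   # PowerShell registry path, e.g. HKLM:\SOFTWARE\App1
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    )
    # Specific rights that allow changing the key, its values or its ACL
    $writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    # Generic rights some ACEs carry instead of specific ones (GENERIC_WRITE, GENERIC_ALL)
    $genericWriteMask = 0x40000000 -bor 0x10000000

    $acl = Get-Acl -Path $Path
    $writers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $mask = [int]$ace.RegistryRights
        if ((($mask -band $writeMask) -eq 0) -and (($mask -band $genericWriteMask) -eq 0)) { continue }
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited          # $false = set explicitly on this key (e.g. by the policy)
            Trusted   = ($Trusted -contains $ace.IdentityReference.Value)
        }
    }
    [pscustomobject]@{ Key = $Path; Owner = $acl.Owner; Writers = @($writers) }
}

$audit = Get-RegistryKeyWriters -Path 'HKLM:\SOFTWARE\App1'
"Owner of $($audit.Key): $($audit.Owner)"
$audit.Writers | Format-Table Principal, Rights, Inherited, Trusted -AutoSize

# Anything not in the trusted list can rewrite the key: either intended (a group you
# granted through the policy) or a finding worth fixing in the same policy.
$unexpected = @($audit.Writers | Where-Object { -not $_.Trusted })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Write access to {0} is granted to: {1}" -f $audit.Key, ($unexpected.Principal -join ', '))
}
```

Reading an ACL needs only READ_CONTROL on the key, so the script works from a normal session for most keys under HKLM; run it again after a policy change with the Replace option to confirm that stale explicit ACEs on subkeys are gone.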
7 comments
bypass
I have a question on the update registry settings. If the registry setting on the local machine is a REG_SZ and has 10 entries separated by a comma, and I push via GPO 5 entries that are different from the 10 on the system, will it overwrite those 10, leaving only the 5, or will it merge/append them so that it has 15?
I think the instructions are incorrect regarding deleting keys. It is showing how to delete a registry value, not a key.
How do you modify a registry key if it is present, but take no action if it is not present?
This is a very useful link to modify the registry using GPO. Are you able to help me with this scenario?
I need to stop a service first, then modify a specific registry value, and then start the service.
Under the section “You can also type the full registry key path and a parameter name manually:”
2. In the following fields (Hive, Key path, Value type, Value data) you have to specify the registry hive (HKLM, HKCU, etc.); registry key; parameter name, type, and value;
The screenshot included the path with HKEY_LOCAL_MACHINE. This will create another container under the actual HIVE HKEY_LOCAL_MACHINE i.e. it will look like HKEY_LOCAL_MACHINE\HKEY_LOCAL_MACHINE\…
Thanks! The mistake is corrected.