none
Set values to Current User registry to a specific group of computers

    Question

  • Hi there,

    I have a problem that I cant solve...

    I need to deploy a GPO that change values of some keys in the Windows Registry, that are inside of the HKCU tree. But I need to only apply it to a group of computers. So...

    I have created a GPO that acomplish the changes, but when I want to set a security filter for the computer group, the GPO wont work. The GPO is inside the OU where the computers resides, and I set the loopback policy as well.

    I dont want to create a new OU and move the computers inside.

    Can you help me!??

    Regards


    Tuesday, March 15, 2016 6:08 PM

Answers

  • > The GPO should be on the OU where the computers, right?
    >>>>Yes
     
    NO!!! It must be linked to the users' OU.

    >>>>I think enable loopback is necessary.
     
    NO!!! The GPP Registry values MUST be in the user configuration to apply
    to HKCU.

    Hi,

    I believe you are slightly not correct in your understanding of the loopback processing. Loopback processing allows you to use User Configuration section of a GPO which is targeting a computer object. So, what you can do is:

    - Create a GPO that has the User configuration settings that you want (in that case - contains the registry settings you need).

    - Link it to any container level that includes the Computers that you want this GPO to be applied at.

    - Configure security filtering on that GPO by removing "Authenticated Users" and adding the Computer group you mentioned

    - Enable loopback processing in "Merge" mode (so that it does not drop all theuser configuration you have in other GPOs)

    You will achieve the configuration you described.

    Hope that helps.

    Regards.



    Monday, March 28, 2016 7:25 PM

All replies

  • Hi
     
    Am 15.03.2016 um 19:08 schrieb peluzon:
    > I need to deploy a GPO that change values of some keys in the Windows
    > Registry, that are inside of the HKCU tree. But I need to only apply it
    > to a group of computers.
     
    - Create a GPO, Filter it to Auth.Users
    - use GPP Registry, create new Collection, integrate your regsettings
    - use Item Level Targeting on the Collection and filter it to the
    computers group
    Done.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Tuesday, March 15, 2016 6:20 PM
  • Hi Mark, thank for the fast respond.

    I'm following your indications, but still cant get it to work.

    The GPO should be on the OU where the computers, right?

    I must use the loopback setting?

    Tuesday, March 15, 2016 8:19 PM
  • Hi Peluzon,

    The GPO should be on the OU where the computers, right?

    >>>Yes

    I must use the loopback setting?

    >>>I think enable loopback is necessary.

    I'm following your indications, but still cant get it to work.

    >>>To make sure the group policy has been applied, I suggest you run GPresult /h C:\gpresult.html and post it to us.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 16, 2016 9:23 AM
    Moderator
  • > The GPO should be on the OU where the computers, right?
    >>>>Yes
     
    NO!!! It must be linked to the users' OU.
     
    > I must use the loopback setting?
    >>>>I think enable loopback is necessary.
     
    NO!!! The GPP Registry values MUST be in the user configuration to apply
    to HKCU.
     
     
    Wednesday, March 16, 2016 10:18 AM
  • Hi!

    I've configured the GPO with your instruccions, and it works. But I decide to do a doble-check on this, so I went to a computer that is NOT on the group of computers where it should apply to see its behavior. The policy is not applying on this computer, but I cant see it on the rsop as denied or anything. I think thats rare. So I join the computer to the group and restarted the computer. The rsop shows me the exact same thing that when it was out of the group :S

    How can I post the html files?


    • Edited by peluzon Friday, March 18, 2016 5:03 PM
    Friday, March 18, 2016 5:02 PM
  • > policy is not applying on this computer, but I cant see it on the rsop
    > as denied or anything. I think thats rare.
     
    No thats expected. The GPO itself is applied, only your registry
    collection will be skipped due to ILT.
     
    Monday, March 21, 2016 11:04 AM
  • Ok, but what's wrong whit the computers that I'm adding to the security group? Those are not applying the changes...

    I was thinking on deploying a logon script that make the changes on the Registry, but I cant make that the User policy apply only to the computers group

    Monday, March 21, 2016 6:25 PM
  • > Ok, but what's wrong whit the computers that I'm adding to the security
    > group? Those are not applying the changes...
     
    Did you reboot them afterwards?
     
    Tuesday, March 22, 2016 12:16 PM
  • Yes, I rebooted the computers
    Monday, March 28, 2016 2:44 PM
  • > The GPO should be on the OU where the computers, right?
    >>>>Yes
     
    NO!!! It must be linked to the users' OU.

    >>>>I think enable loopback is necessary.
     
    NO!!! The GPP Registry values MUST be in the user configuration to apply
    to HKCU.

    Hi,

    I believe you are slightly not correct in your understanding of the loopback processing. Loopback processing allows you to use User Configuration section of a GPO which is targeting a computer object. So, what you can do is:

    - Create a GPO that has the User configuration settings that you want (in that case - contains the registry settings you need).

    - Link it to any container level that includes the Computers that you want this GPO to be applied at.

    - Configure security filtering on that GPO by removing "Authenticated Users" and adding the Computer group you mentioned

    - Enable loopback processing in "Merge" mode (so that it does not drop all theuser configuration you have in other GPOs)

    You will achieve the configuration you described.

    Hope that helps.

    Regards.



    Monday, March 28, 2016 7:25 PM