none
Registry GPO not creating all values

    Question

  • Hi all,

    I am having trouble getting a GPO to create a new registry key that has 3 values on a Windows 7 x64 client.  It's under Computer Configuration>Preferences>Windows Settings>Registry.  I've tried using registry items and the registry wizard.  Both end up creating only the first value and not the other two values.

    What I want to do is under HKLM\SOFTWARE\Microsoft\Rpc, create a key named “Internet”, and then give the Internet key 3 values, for example: “One” REG_MULTI_SZ 100-200, “Two” REG_SZ Y, “Three” REG_SZ Y.

    Whether I use Create or Update, or I’ve even tried using the registry wizard to import the existing key structure on a computer, when I try it on a test computer and do a gpupdate /force to get the new policy, it only creates the “Internet” key and the first value “One” REG_MULTI_SZ 100-200; but not the other two values of “Two” and “Three”.

    How can I get a GPO to create a registry key with multiple values?

    Thanks,

    Tom.

     Here's the GPO and below is the result of what the client gets.  Notice it created only "One" but did not create "Two" or "Three".




    • Edited by thromada Wednesday, November 18, 2015 7:38 PM
    Wednesday, November 18, 2015 5:41 PM

Answers

  • Hi Tom,

    How can I get a GPO to create a registry key with multiple values?

    >>>Here is a similar thread for your reference.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/b3067080-9662-4159-a800-9811aa3ae618/how-can-create-registry-value-with-gpo-or-script?forum=winserverDS

    is there a way through a GPO to change the permissions on registry keys?  Or will it take a script using something like regini.exe, and run that via a GPO?

    >>>To change the permission on registry keys by GP, please perform these actions below.

    1. Right-click group policy, click edit.
    2. In the console tree, right-click Registry, select Add key

    Computer configuration\policies\windows setting\security setting\registry

    1. Select Rpc Under  HKLM\SOFTWARE\Microsoft\Rpc, click OK
    2. In the security tab, delegate permission for specific user or group.
    3. Click Ok, and then click Close

    For more details information, please refer to the article below.

    Apply or modify permission entries for objects using Group Policy

    https://technet.microsoft.com/en-us/library/cc756952(v=ws.10).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 20, 2015 9:10 AM
    Moderator
  • >  1. Right-click group policy, click *edit*.
    >  2. In the console tree, right-click *Registry*, select *Add key*
    >
    > *Computer configuration\policies\windows setting\security setting\registry*
     
    Unfortunately, this will only work if SYSTEM already has full access...
    So in this specific case, it will NOT help. You need to write a little
    batch leveraging setacl
    to first take ownership of the key and then change permissions.
     
    Friday, November 20, 2015 11:21 AM
  • It was indeed a permissions issue on the parent key to which I was trying to create a subkey and values.  Rather than trying to alter the permissions on this one registry key on all my endpoints, I ended up using SCCM 2012 to run a package of a CMD file with "regedit.exe /s mergefile.reg".  For my environment, this was a viable alternative.  Thanks all for your assistance.
    Tuesday, December 1, 2015 3:14 PM

All replies

  • > How can I get a GPO to create a registry key with multiple values?
     
    Hm - usually exactly the way you did...
     
    To verify: Can you swap order and put the REG_MULTI_SZ on position 3? In
    addition, GPP Registry debug logging might come in helpful:
     
    BTW: I assume there's nothing special configured on the "common" tab of
    these 3 items?
     
    Thursday, November 19, 2015 11:11 AM
  • Martin, thanks for your assistance.  I reordered the values and put the REG_MULTI_SZ last in position 3 so that "Two" is to be applied first, "Three" applied second, and "One" (the REG_MULTI_SZ) applied third.  The result was it again created only the first value "Two".  It created it correctly, a REG_SZ with a data of "Y", but it stopped there and didn't create the other values.

    The Common tab is empty on all three values, no settings whatsoever.

    I am currently checking into registry key permissions.  I have found on our Win7 computers that the "Rpc" key has perms of SYSTEM=Read, Administrators=Read and Special, and Users=Read.  I gave SYSTEM and Administrators Full Control and tried the GPO again, and the key/values were created successfully.

    So, is there a way through a GPO to change the permissions on registry keys?  Or will it take a script using something like regini.exe, and run that via a GPO?

    Thursday, November 19, 2015 5:00 PM
  • Hi Tom,

    How can I get a GPO to create a registry key with multiple values?

    >>>Here is a similar thread for your reference.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/b3067080-9662-4159-a800-9811aa3ae618/how-can-create-registry-value-with-gpo-or-script?forum=winserverDS

    is there a way through a GPO to change the permissions on registry keys?  Or will it take a script using something like regini.exe, and run that via a GPO?

    >>>To change the permission on registry keys by GP, please perform these actions below.

    1. Right-click group policy, click edit.
    2. In the console tree, right-click Registry, select Add key

    Computer configuration\policies\windows setting\security setting\registry

    1. Select Rpc Under  HKLM\SOFTWARE\Microsoft\Rpc, click OK
    2. In the security tab, delegate permission for specific user or group.
    3. Click Ok, and then click Close

    For more details information, please refer to the article below.

    Apply or modify permission entries for objects using Group Policy

    https://technet.microsoft.com/en-us/library/cc756952(v=ws.10).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 20, 2015 9:10 AM
    Moderator
  • >  1. Right-click group policy, click *edit*.
    >  2. In the console tree, right-click *Registry*, select *Add key*
    >
    > *Computer configuration\policies\windows setting\security setting\registry*
     
    Unfortunately, this will only work if SYSTEM already has full access...
    So in this specific case, it will NOT help. You need to write a little
    batch leveraging setacl
    to first take ownership of the key and then change permissions.
     
    Friday, November 20, 2015 11:21 AM
  • It was indeed a permissions issue on the parent key to which I was trying to create a subkey and values.  Rather than trying to alter the permissions on this one registry key on all my endpoints, I ended up using SCCM 2012 to run a package of a CMD file with "regedit.exe /s mergefile.reg".  For my environment, this was a viable alternative.  Thanks all for your assistance.
    Tuesday, December 1, 2015 3:14 PM