Windows registry changes do not reflect on the Group Policy.

    Question

  • It's been noticed that many Group Policy configurations are not reflecting when their corresponding Windows registry values are modified. I will state an example for better clarity.

    Example:

    Set the following Group Policy (gpedit.msc) UI path to "Disabled"
    Computer Configuration\Policies\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Turn off Microsoft Peer-to-Peer Networking Services

    This group policy setting is backed by the following Windows registry location (regedit):
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet:Disabled

    Now edit the Windows registry by setting the policy "Peernet" to "Enabled". Close the Group Policy and open it again (gpedit.msc). Once you traverse to the GP UI path, you will notice that the changes updated in the Windows registry are NOT reflected.

    The question is why the changes made from the Windows registry are NOT getting updated in the corresponding Group Policy.


    Wednesday, September 21, 2016 9:11 AM

Answers

  • Account policies are under security policies and refreshed by default every 16 hours.
    Wednesday, September 21, 2016 1:49 PM
  • > Computer Configuration\Policies\Windows Settings\Security Settings\Local
    > Policies\Security Options\Network security: Allow LocalSystem NULL
    > session fallback
     
    If you edit administrative templates, these are written to
    "registry.pol". Upon policy application, registry.pol is deciphered and
    all values are written to the registry.
     
    Security settings in local GPOs have no "backing" file like
    registry.pol. They are written directly to the registry.
     
    Security settings in domain based GPOs _do_ have a backing file
    gpttmpl.inf - all settings are written to this file, and upon policy
    application, the file is "applied".
     
    Wednesday, September 21, 2016 3:58 PM
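
The one-way flow from registry.pol to the registry that this answer describes, as an added example that is not part of the original thread: a parser for the Registry.pol record layout (`PReg` signature, version 1, UTF-16LE `[key;value;type;size;data]` records, per Microsoft's published Registry Policy File format) plus a drift check against live values. The sample bytes, the DWORD values 0 and 1, and the names `parse_pol`, `build_entry` and `drift` are constructed for illustration.

```python
import struct
SIGNATURE, VERSION, REG_DWORD = b"PReg", 1, 4

def _u16(s):
    return s.encode("utf-16-le")  # all text in the file is UTF-16LE

def build_entry(key, name, reg_type, data):  # one [key;value;type;size;data] record
    return (_u16("[" + key + "\0;" + name + "\0;") + struct.pack("<I", reg_type)
            + _u16(";") + struct.pack("<I", len(data)) + _u16(";") + data + _u16("]"))

def parse_pol(blob):  # -> {(key, value_name): (type, data)}
    if len(blob) < 8 or blob[:4] != SIGNATURE or struct.unpack_from("<I", blob, 4)[0] != VERSION:
        raise ValueError("not a Registry.pol file")
    pos, out = 8, {}
    def expect(ch):
        nonlocal pos
        if blob[pos:pos + 2] != _u16(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 2
    def text():
        nonlocal pos
        end = pos
        while blob[end:end + 2] != b"\0\0":
            if end >= len(blob):
                raise ValueError("unterminated string")
            end += 2
        start, pos = pos, end + 2
        return blob[start:end].decode("utf-16-le")
    def dword():
        nonlocal pos
        pos += 4
        return struct.unpack_from("<I", blob, pos - 4)[0]
    while pos < len(blob):
        expect("["); key = text()
        expect(";"); name = text()
        expect(";"); reg_type = dword()
        expect(";"); size = dword()
        expect(";"); data = blob[pos:pos + size]; pos += size
        expect("]")
        out[(key, name)] = (reg_type, data)
    return out

def drift(policy, live):
    # Values whose live registry data no longer matches what the policy file sets.
    return [(k, n, d, live.get((k, n))) for (k, n), (_, d) in policy.items() if live.get((k, n)) != d]

KEY = r"Software\Policies\Microsoft\Peernet"  # key named in the question
SAMPLE_POL = b"PReg\x01\0\0\0" + build_entry(KEY, "Disabled", REG_DWORD, b"\0\0\0\0")  # constructed
LIVE_EDITED = {(KEY, "Disabled"): struct.pack("<I", 1)}  # constructed: registry after a manual edit
```
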

All replies

  • The Group Policy engine does one-way processing: settings defined in a GPO are applied to the registry, file system, etc., overwriting whatever values you set locally. There is no point in reflecting local values back to the policy definition because the whole purpose of group policies is to make sure that settings are configured identically on a set of computers according to the policy defined centrally by the administrator.


    Gleb.

    Wednesday, September 21, 2016 10:06 AM
  • > Group policy engine does one-way processing: settings defined in GPO are
    > applied to registry, file system, etc.,
     
    And as always, there's ONE exception: Account policies in the Default
    Domain Policy. If you change the related attributes in the domain head
    NC directly, these changes will go _back_ to the DDP :-))
     
    Wednesday, September 21, 2016 10:52 AM
  • Thanks Gleb.
    I came up with this query as I was able to make changes in the Windows registry and the same was reflected in its corresponding Group Policy for a few cases.
    Note that I am modifying this group policy locally on a particular machine rather than changing it from Active Directory.

    Example:
    Set the following Group Policy (gpedit.msc) UI path to "Disabled"
    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback

    This group policy setting is backed by the following Windows registry location (regedit):
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:allownullsessionfallback

    Now edit the Windows registry by setting the policy "allownullsessionfallback" to "Enabled".
    Close the Group Policy and open it again (gpedit.msc). Once you traverse to the GP UI path, you will notice that the changes updated in the Windows registry are getting reflected properly.

    - Saju91

    Wednesday, September 21, 2016 12:16 PM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    I appreciate your feedback.

    Best regards,

    Wendy



    Wednesday, September 28, 2016 8:37 AM
    Moderator