none
I want to programmatically manage registry based gpo settings.

    Question

  • I want to programmatically manage registry based gpo settings.

    Which of the following is the best and convenient way of doing it?

    1) Using IGroupPolicyObject interface

    2) Group policy cmdlets like (Set-GPRegistryValue, Get-GPRegistryValue)

    3) Edit Registry.pol file programmatically

    Saturday, January 02, 2016 3:14 PM

Answers

  • > If a registry based policy setting is modifying more than one registry
    > key and each one is different data type, say one is integer and another
    > is string. *How do i know the corresponding registry data type (like
    > REG_DWORD)*?
     
    The data type is part of registry.pol.
     
    > When retrieving registry based settings from gpos using "*RegEnumValue*"
    > function, one of the argument will be filled with the type of data a
    > value has. Similarly when setting a registry based setting to the gpo
    > (using *RegSetValueEx*), i should mention the type of data i am trying
    > to set.
     
    That's the downside. If you are dealing with low level elements, it's up
    to you to know that.
     
    > *Is there any documentation available for this mapping or does ADMX file
    > explicitly mentioned this? I searched ADMX syntax technet also for this
    > mapping, but didnt find. Kindly guide me.
     
    The data type is defined in ADM(x) - numeric -> REG_DWORD, (expandable)
    text -> REG_(EXPAND_)SZ, multi text -> REG_MULTI_SZ.
     
    • Marked as answer by Routine User Saturday, January 09, 2016 3:14 PM
    Thursday, January 07, 2016 2:15 PM

All replies

  • Hi,
     
    It really depends on your needs and preference, all of them can be used to create and modify a GPO directly without using the Group Policy Object Editor.
     
    If you're modifying domain-based GPOs, it's better to just use the *-GPRegistryValue cmdlets, which will handle updating the GPO's version number for you. That module does not support modification of local GPOs.
     
    For local GPOs, you can read and modify the Registry.pol files programmatically. This script should be helpful:
     
    https://gallery.technet.microsoft.com/scriptcenter/Read-or-modify-Registrypol-447677e7
     
    Hope this helps.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Monday, January 04, 2016 5:52 AM
    Moderator
  • Hi Ethan Hua, thanks for your reply. I am working with domain based GPOs using IGroupPolicyObject interface.

    I have a doubt:
    If a registry based policy setting is modifying more than one registry key and each one is different data type, say one is integer and another is string. How do i know the corresponding registry data type (like REG_DWORD)?

    When retrieving registry based settings from gpos using "RegEnumValue" function, one of the argument will be filled with the type of data a value has. Similarly when setting a registry based setting to the gpo (using RegSetValueEx), i should mention the type of data i am trying to set.

    So all i wanted is a perfect mapping to the registry based settings' data type that should be passed in c++.

    eg: all decimal type values should be passed to c++ as REG_DWORD (is this correct?). Similarly for string, what is the registry data type and for list of strings?
    Is there any documentation available for this mapping or does ADMX file explicitly mentioned this? I searched ADMX syntax technet also for this mapping, but didnt find. Kindly guide me.
    Better if you could provide that mapping.

    Wednesday, January 06, 2016 4:45 PM
  • > If a registry based policy setting is modifying more than one registry
    > key and each one is different data type, say one is integer and another
    > is string. *How do i know the corresponding registry data type (like
    > REG_DWORD)*?
     
    The data type is part of registry.pol.
     
    > When retrieving registry based settings from gpos using "*RegEnumValue*"
    > function, one of the argument will be filled with the type of data a
    > value has. Similarly when setting a registry based setting to the gpo
    > (using *RegSetValueEx*), i should mention the type of data i am trying
    > to set.
     
    That's the downside. If you are dealing with low level elements, it's up
    to you to know that.
     
    > *Is there any documentation available for this mapping or does ADMX file
    > explicitly mentioned this? I searched ADMX syntax technet also for this
    > mapping, but didnt find. Kindly guide me.
     
    The data type is defined in ADM(x) - numeric -> REG_DWORD, (expandable)
    text -> REG_(EXPAND_)SZ, multi text -> REG_MULTI_SZ.
     
    • Marked as answer by Routine User Saturday, January 09, 2016 3:14 PM
    Thursday, January 07, 2016 2:15 PM
  • Thank you Martin Binder. I have asked a doubt regarding RegGetValue Method. If possible, just check that question: https://social.technet.microsoft.com/Forums/en-US/e4a40109-28db-4dec-8a33-e2ddf51b6e0a/reggetvalue-method-clarification

    Thank you.
    Saturday, January 09, 2016 3:14 PM