none
Which keys in registry "Apply Local GPO PACKAGE" changes? RRS feed

  • Question

  • On MDT 2012:

    TASK SEQUENCES:

    APPLY LOCAL GPO PACKAGE

    Which keys in registry are changes?

    can u give me a list?

    Thanks.

    Friday, February 6, 2015 7:32 AM

Answers

  • Please examine the DeploymentShare\Templates folder, since this is the location where the local gpo package resides. There you will find the following:

    Templates\GPOPacks\Win7SP1-MDTGPOPack\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf

    Which reveals what will be modified:

    ;This Security Template provides settings to support the setting recommendations 
    ;in the security guides. Please read the entire contents of the appropriate
    ;security guide before using this template.
    
    ;Copyright (c) 2008 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility.  By using or providing feedback on this documentation, you agree to the license agreement below.
    ;If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
    ;This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS".  Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user��s particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.  
    ;Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation.  Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.
    ;Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.   
    ;Microsoft and the Microsoft product names listed in this data file are trademarks of the Microsoft group of companies; the list of Microsoft trademarks can be found at http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx
    ;The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
    ;You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose.  You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback.  You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.
    
    [Unicode]
    Unicode=yes
    [Version]
    signature=$CHICAGO$
    Revision=1
    [Registry Values]
    MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"2"
    MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel=4,1
    MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignature=4,1
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\enableforcedlogoff=4,1
    MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey=4,1
    MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395200
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
    MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
    MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,1
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\disablepasswordchange=4,0
    MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel=4,1
    MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
    MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\maximumpasswordage=4,30
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal=4,1
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\autodisconnect=4,15
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
    MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
    MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\securitylevel=4,0
    MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy=4,1
    MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\enablesecuritysignature=4,1
    [System Access]
    LSAAnonymousNameLookup=0
    EnableGuestAccount=0
    [Privilege Rights]
    SeChangeNotifyPrivilege=*S-1-5-32-545,*S-1-5-20,*S-1-5-19,*S-1-5-32-544
    SeInteractiveLogonRight=*S-1-5-32-544,*S-1-5-32-545
    SeRemoteShutdownPrivilege=*S-1-5-32-544
    SeEnableDelegationPrivilege=
    SeNetworkLogonRight=*S-1-5-32-545,*S-1-5-32-544
    SeManageVolumePrivilege=*S-1-5-32-544
    SeDenyBatchLogonRight=*S-1-5-32-546
    SeCreatePagefilePrivilege=*S-1-5-32-544
    SeTcbPrivilege=
    SeAuditPrivilege=*S-1-5-19,*S-1-5-20
    SeDenyNetworkLogonRight=*S-1-5-32-546
    SeDenyInteractiveLogonRight=*S-1-5-32-546
    SeSecurityPrivilege=*S-1-5-32-544
    SeDebugPrivilege=*S-1-5-32-544
    

    Cheers! Rens


    If this post is helpful please click "Mark for answer", thanks! Kind regards

    Friday, February 6, 2015 9:26 AM

All replies

  • Please examine the DeploymentShare\Templates folder, since this is the location where the local gpo package resides. There you will find the following:

    Templates\GPOPacks\Win7SP1-MDTGPOPack\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf

    Which reveals what will be modified:

    ;This Security Template provides settings to support the setting recommendations 
    ;in the security guides. Please read the entire contents of the appropriate
    ;security guide before using this template.
    
    ;Copyright (c) 2008 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility.  By using or providing feedback on this documentation, you agree to the license agreement below.
    ;If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
    ;This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS".  Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user��s particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.  
    ;Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation.  Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.
    ;Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.   
    ;Microsoft and the Microsoft product names listed in this data file are trademarks of the Microsoft group of companies; the list of Microsoft trademarks can be found at http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx
    ;The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
    ;You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose.  You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback.  You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.
    
    [Unicode]
    Unicode=yes
    [Version]
    signature=$CHICAGO$
    Revision=1
    [Registry Values]
    MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"2"
    MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel=4,1
    MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignature=4,1
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\enableforcedlogoff=4,1
    MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey=4,1
    MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395200
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
    MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
    MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,1
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\disablepasswordchange=4,0
    MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel=4,1
    MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
    MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\maximumpasswordage=4,30
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal=4,1
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\autodisconnect=4,15
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
    MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
    MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\securitylevel=4,0
    MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy=4,1
    MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\enablesecuritysignature=4,1
    [System Access]
    LSAAnonymousNameLookup=0
    EnableGuestAccount=0
    [Privilege Rights]
    SeChangeNotifyPrivilege=*S-1-5-32-545,*S-1-5-20,*S-1-5-19,*S-1-5-32-544
    SeInteractiveLogonRight=*S-1-5-32-544,*S-1-5-32-545
    SeRemoteShutdownPrivilege=*S-1-5-32-544
    SeEnableDelegationPrivilege=
    SeNetworkLogonRight=*S-1-5-32-545,*S-1-5-32-544
    SeManageVolumePrivilege=*S-1-5-32-544
    SeDenyBatchLogonRight=*S-1-5-32-546
    SeCreatePagefilePrivilege=*S-1-5-32-544
    SeTcbPrivilege=
    SeAuditPrivilege=*S-1-5-19,*S-1-5-20
    SeDenyNetworkLogonRight=*S-1-5-32-546
    SeDenyInteractiveLogonRight=*S-1-5-32-546
    SeSecurityPrivilege=*S-1-5-32-544
    SeDebugPrivilege=*S-1-5-32-544
    

    Cheers! Rens


    If this post is helpful please click "Mark for answer", thanks! Kind regards

    Friday, February 6, 2015 9:26 AM
  • What all that means?

    [System Access]
    LSAAnonymousNameLookup=0
    EnableGuestAccount=0
    [Privilege Rights]
    SeChangeNotifyPrivilege=*S-1-5-32-545,*S-1-5-20,*S-1-5-19,*S-1-5-32-544
    SeInteractiveLogonRight=*S-1-5-32-544,*S-1-5-32-545
    SeRemoteShutdownPrivilege=*S-1-5-32-544
    SeEnableDelegationPrivilege=
    SeNetworkLogonRight=*S-1-5-32-545,*S-1-5-32-544
    SeManageVolumePrivilege=*S-1-5-32-544
    SeDenyBatchLogonRight=*S-1-5-32-546
    SeCreatePagefilePrivilege=*S-1-5-32-544
    SeTcbPrivilege=
    SeAuditPrivilege=*S-1-5-19,*S-1-5-20
    SeDenyNetworkLogonRight=*S-1-5-32-546
    SeDenyInteractiveLogonRight=*S-1-5-32-546
    SeSecurityPrivilege=*S-1-5-32-544
    SeDebugPrivilege=*S-1-5-32-544

    Friday, February 6, 2015 5:54 PM
  • It refers to which sam accounts are authorized to the actions described.

    If this post is helpful please click "Mark for answer", thanks! Kind regards

    Friday, February 6, 2015 7:08 PM
  • So those are not keys that changes in registry?

    only 

    MACHINE\System\CurrentControlSet

    ????

    Saturday, February 7, 2015 7:54 AM
  • Basically every change on your machine is a change in registry...

    If this post is helpful please click "Mark for answer", thanks! Kind regards

    Saturday, February 7, 2015 9:27 AM
  • Yes,

    I want to reverse those change to default..

    Can u help me?

    Thanks.

    Tuesday, February 10, 2015 4:35 AM
  • Start a new deployment, put in your CustomSettings.ini: ApplyGPOPack=NO

    There you have it. Can you mark the first answer I gave as answer, since it is the answer to your question?!

    Thanks!

    Cheers! Rens


    If this post is helpful please click "Mark for answer", thanks! Kind regards

    Tuesday, February 10, 2015 8:02 AM
  • So, do export registry from machine without GPO PACKAGE

    and import registry to machine with GPO PACKAGE?

    Wednesday, February 11, 2015 4:31 AM
  • No, you start a new mdt deployment, deploy the OS without the GPO package being applied. You dont want to undo registry changes by exporting it from another computer and import it to the designated machine.

    If this post is helpful please click "Mark for answer", thanks! Kind regards

    Wednesday, February 11, 2015 8:01 AM
  • So once the computer apply itself GPO with changes in Registry 

    it cant be reversed?

    Friday, February 13, 2015 9:22 AM
  • I think you need some basic understanding about what GPO's are and how they work.

    Normally GPO's are centrally managed from within your active directory. You can enable, configure, disable and delete GPO's this mean they are in effect or not.

    With a GPO package, it's basically the same. It's a local package that configures your machine based on the settings within that package. To make this undone, you need to know what the package configures. This I have layed out for you in the posts above.

    But trying to undo an local applied GPO is a big nono. As I told you before you need to recreate a new image, and not have the local GPO package applied.


    If this post is helpful please click "Mark for answer", thanks! Kind regards

    Friday, February 13, 2015 9:29 AM