How to see which registry settings a group policy object modifies

Taylor Gibb is a professional software developer with nearly a decade of experience. He served as Microsoft Regional Director in South Africa for two years and has received multiple Microsoft MVP (Most Valued Professional) awards. He currently works in R&D at Derivco International.

Today we are going to show you how to use one of our favorite tools, Proc Mon, to see which registry keys are edited when you change a Group Policy setting on your PC.

Using Proc Mon to See Which Registry Settings a Group Policy Object Modifies

The first thing you will want to do is go and get yourself a copy of Proc Mon from the Sysinternals website.

Then you will need to extract the folder and run the Procmon.exe file.

When Proc Mon opens, you will need to add a condition as follows:

Process Name is mmc.exe then Include

Then click the add button.

To get only the registry keys that are changed, we need to add another one:

Operation is RegSetValue then Include

Then again click the add button.

Once the two rules have been added, you can go ahead and click ok.

Now go and open the Group Policy setting that you wish to edit.

Before you actually change the setting, switch back over to Proc Mon and clear the log.

Then go and change the GPO and click apply.

If you switch over to Proc Mon you will see that you have a registry key(s) there. Right-click on it and select the Jump To… option from the context menu.

That will fire up Regedit and take you to the exact key which was modified.

How can I locate the registry entry for the below values

  • Perform volume maintenance tasks
  • Lock pages in memory

under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\User Rights Management .

I tried the below 3 ways.

  1. Find the Registry key for corresponding Group Policy : (1)Final Link broken (2)Couldn’t locate above in reference guide or MSDN doc.
  2. Which Registry Settings a Group Policy Object Modifies : No policy-related registry key located in Procmon
  3. How Settings are Stored : Nothing insightful in the .ini file.

End goal is to automate configuration thru Powershell [ Set-ItemProperty ]

3 Answers

As you can see in the Group Policy Settings Reference Guide (see your 1st link; in particular, Windows10andWindowsServer2016PolicySettings.xlsx document), most of security settings (e.g. User Rights, Password Policy, Audit Policy etc.) are not registry keys. Those are stored in the Secedit.sdb database.

For your task, you can use Microsoft’s secedit command line tool (at least, export and import):

Configures and analyzes system security by comparing your current configuration to specified security templates.

Syntax

Parameters

  • Secedit: analyze Allows you to analyze current systems settings against baseline settings that are stored in a database. The analysis results are stored in a separate area of the database and can be viewed in the Security Configuration and Analysis snap-in.
  • Secedit: configure Allows you to configure a system with security settings stored in a database.
  • Secedit: export Allows you to export security settings stored in a database.
  • Secedit: generaterollback Allows you to generate a rollback template with respect to a configuration template.
  • Secedit: import Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.
  • Secedit: validate Allows you to validate the syntax of a security template.

Answer: Look for the below keys/entries under the [Privilege Rights] section in the exported configuration file (you can add/change them easily using PowerShell):

  • SeLockMemoryPrivilege Lock pages in memory
  • SeManageVolumePrivilege Perform volume maintenance tasks
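The export, edit and configure cycle described in this answer, as an added PowerShell example (not code from the answer): it reads the `[Privilege Rights]` section from a `secedit /export` and builds a one-line template that adds an account to a right. The function names and the account in the usage comment are hypothetical; nothing is changed unless `-Apply` is passed.

```powershell
#Requires -RunAsAdministrator
# Added example: read and extend a user right through secedit templates.
# Function names and the account in the usage comment are hypothetical.

function Get-UserRightsAssignment {
    # Export only the user-rights area of the effective local policy.
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }
    try {
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -LiteralPath $cfg) {
            if ($line -match '^\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'Privilege Rights')
            } elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
                $name = $Matches[1]
                # Holders are comma-separated; SIDs are written as *S-1-...
                $rights[$name] = @($Matches[2] -split ',' |
                    ForEach-Object { $_.Trim() } | Where-Object { $_ })
            }
        }
        $rights   # a right with no holders does not appear in the export
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

function Add-UserRight {
    param(
        [Parameter(Mandatory)][ValidatePattern('^Se\w+$')][string]$Right,
        [Parameter(Mandatory)][string]$Account,
        [switch]$Apply
    )
    # Resolve to a SID so the template does not depend on name lookup later.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # A template line replaces the whole holder list for that right,
    # so merge the new SID with whatever is assigned today.
    $existing = (Get-UserRightsAssignment)[$Right]
    $holders = @(@($existing) + "*$sid" | Where-Object { $_ } | Select-Object -Unique)

    $template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Right = $($holders -join ',')
"@
    if (-not $Apply) { return $template }   # dry run: review before importing

    $inf = Join-Path $env:TEMP ("add-right-{0}.inf" -f [guid]::NewGuid())
    $db  = [IO.Path]::ChangeExtension($inf, '.sdb')
    try {
        Set-Content -LiteralPath $inf -Value $template -Encoding Unicode
        # Only the rights named in the template are touched.
        secedit /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE)" }
    } finally {
        Remove-Item -LiteralPath $inf, $db -ErrorAction SilentlyContinue
    }
    (Get-UserRightsAssignment)[$Right]      # read back to confirm the result
}

# Usage (hypothetical account):
#   Add-UserRight -Right SeLockMemoryPrivilege -Account 'CONTOSO\svc-sql'
#   Add-UserRight -Right SeManageVolumePrivilege -Account 'CONTOSO\svc-sql' -Apply
```

On a domain-joined machine a GPO that defines the same right overwrites the local value at the next policy refresh, so read the right back after `gpupdate` before relying on it.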

A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Group Policy Objects (GPOs) can contain many different kinds of settings. Much of that data is simple registry data. Finding registry settings in GPOs and handling them is not the simplest of tasks and requires some PowerShell. Microsoft has provided some cmdlets for the management of Group Policy and at SDM Software we have provided quite a bit more to enable additional scenarios that cannot be achieved out of the box.

Here is an example of using Microsoft’s native Group Policy cmdlets to find registry settings in a GPO. This example looks at the Registry.pol file in the GPO which contains settings from Administrative Templates as well as other settings that write to the registry.pol file.

In this video I will go through finding managed Administrative Template settings in the GP Editor, through a free tool called registry.pol viewer and through a PowerShell Function I created borrowing the core functionality from GPOGuy’s ADMXtoDSC script.

  • Registry.pol viewer can be found – SDM Software Free Tools
  • ADMXtoDSC script can be found – ADMXtoDSC
    • I began converting this to an advanced function. Check that out here – ConvertToDSC

I’m adding the function that I created to go through the GPO and find all settings in registry.pol file. You can easily add capabilities to find all GP Preference Registry Settings as well. You will need to know a bit about how these functions work but watch the video to see a walk-through of this information. It is a bit long but I think you’ll find it useful.

Check-out the video. Enjoy!

Windows 11/10 has multiple ways to save configuration and settings. The Registry and Group Policy are two popular ways, and they are complementary to each other. If you change a setting in Group Policy, Windows will automatically make changes in the Registry.

Compared to the Windows Registry, Group Policy is easy to change as you don’t have to create anything. However, it isn’t easy to find them. So, if you are geeky enough, in this post, we will share a simple command that can help you instantly figure it out.

Group Policy Registry Location in Windows 11/10

You can use any of these methods to find the Registry key for a Group Policy setting. Group Policy to Registry Mapping has been discussed in this post.

  1. Group Policy Search (GPS) service
  2. Group Policy Settings Reference Guide
  3. MSDN
  4. Get-GPRegistryValue

Before we go ahead, be aware that not every Group Policy is available in Registry. Some of the settings are stored in a different place. So you will only find those which are mapped to the Registry.

1] Group Policy Search (GPS) service

Use the Group Policy Search (GPS) service, which allows you to search for registry-based Group Policy settings used in Windows operating systems. Once you open the website, you can search or expand each of them to find Group Policy Settings, Key, Value, and ADMX files.

2] Group Policy Settings Reference Guide

You can download an excel sheet from Microsoft—Group Policy Settings Reference Guide, which lists policy settings corresponding to the registry key.

3] MSDN – GPO to Registry Mapping

Microsoft has published a table—Group Policy Registry Table—which offers one to one GPO to Registry Mapping. All you need do is search for the registry path, and it will reveal the exact Group Policy Object. Visit this MSDN link.

4] Get-GPRegistryValue

It is fairly easy to use but only if you can understand how to use it. Here is a sample from Microsoft Document, which explains more on the official page.
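As an added example (not the sample from the Microsoft page), the function below walks a GPO with `Get-GPRegistryValue` and lists every registry-based policy value it sets. It assumes the GroupPolicy module (RSAT/GPMC) is installed; the function name and the GPO name in the usage comment are hypothetical.

```powershell
# Added example: list the registry-based policy settings stored in one GPO.
Import-Module GroupPolicy

function Get-GpoRegistrySetting {
    param([Parameter(Mandatory)][string]$GpoName)

    # Fail loudly on a wrong name instead of returning an empty list.
    $null = Get-GPO -Name $GpoName -ErrorAction Stop

    function Walk([string]$Key) {
        try {
            $items = Get-GPRegistryValue -Name $GpoName -Key $Key -ErrorAction Stop
        } catch {
            return   # nothing is configured under this key in the GPO
        }
        foreach ($item in $items) {
            if ($null -ne $item.ValueName) {
                # A configured value: report where it lands and what it sets.
                [pscustomobject]@{
                    Gpo       = $GpoName
                    Key       = $item.FullKeyPath
                    ValueName = $item.ValueName
                    Type      = $item.Type
                    Value     = $item.Value
                    State     = $item.PolicyState
                }
            } else {
                # A subkey: descend into it.
                Walk $item.FullKeyPath
            }
        }
    }

    # Administrative Template settings live under these roots of each hive.
    foreach ($root in 'HKLM\Software', 'HKLM\System', 'HKCU\Software', 'HKCU\System') {
        Walk $root
    }
}

# Usage (hypothetical GPO name):
#   Get-GpoRegistrySetting -GpoName 'Workstation Baseline' | Format-Table -AutoSize
```

Settings that are not registry-based, such as user rights or password policy, never appear in this output, which matches the caveat above that only settings mapped to the Registry can be found this way.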

I hope the post was easy to follow, and you are now able to find the Registry key corresponding to Group Policy and vice versa.

I wish there were a tool from Microsoft for admins, which would have made it easier, but yes, then there are Excel sheets getting that job done.

Date: September 20, 2020 Tags: Group Policy, Registry

As the title, how to automatically map GPOs to their corresponding Windows registry values in PowerShell?

I am now very experienced in PowerShell, but determining which registry value is modified by a GPO with PowerShell is still a little bit too hard for me. Currently I am able to use Process Monitor to create custom filters to only include activities of mmc.exe gpedit.msc, then use Tools->”Registry Summary” to get registry entries modified by gpedit.msc, then I can export the entries to a .csv file and import it in PowerShell and do further commands, but this method doesn’t show which registry key is modified by a GPO, so I have to manually change a GPO and switch to “Registry Summary” to see which registry entry is modified by the last GPO change. This is very inefficient. I am aware there are some existing group policy to registry mappings, but they are incomplete.

So how can I determine which registry entry is modified by a GPO in PowerShell? Any help is appreciated.

Update

As far as I know, Windows Group Policy definitions are *.admx files stored in C:\Windows\PolicyDefinitions folder, and the localization files that make the policy definitions be displayed in gpedit.msc are *.adml files with the same name of corresponding *.admx file stored in a subfolder named the language code of the locale (i.e. en-US) inside C:\Windows\PolicyDefinitions folder, all information about the group policies should be in them, so if I can parse these files, I can map GPOs to their equivalent registry keys.

Just opened one of the .admx files in Notepad++, and found out these files are encoded in plain text, completely human readable, they are just .xml files renamed, so it’s easier than I thought.

I am trying to write a PowerShell script that does this mapping thing.

UPDATE1

So far I have achieved these:

Of course when actually running the script I will use two loops, first loop foreach .admx in folder, second loop use for $index to assign values, I can do it right now.

Just foreach loop through filenames without extension, cast C:\Windows\PolicyDefinitions$.admx to $xml1, and C:\Windows\PolicyDefinitions\en-US$.adml to $xml2, use:

To get display names, it is really simple. But the key does not contain the hivename (i.e. HKEY_LOCAL_MACHINE).

I have worked out this:

To get path of GPO, I assume if it starts with Windows: then the key is stored in HKEY_LOCAL_MACHINE.
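An added example of the ADMX/ADML mapping this question describes (not the asker's script): it resolves each policy's display name from the `.adml` string table and takes the hive from the policy's `class` attribute (`Machine`, `User` or `Both`) in the `.admx` file. The function name is hypothetical, and list-type elements and `enabledList`/`disabledList` items are not expanded.

```powershell
# Added example: map Administrative Template policies to registry locations.
# Get-AdmxRegistryMap is a hypothetical name; paths default to the local store.
function Get-AdmxRegistryMap {
    param(
        [string]$PolicyDefinitions = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string]$Language = 'en-US'
    )
    # The policy's class attribute says which hive(s) the setting is written to.
    $hives = @{ Machine = @('HKLM'); User = @('HKCU'); Both = @('HKLM', 'HKCU') }

    foreach ($admx in Get-ChildItem -LiteralPath $PolicyDefinitions -Filter '*.admx') {
        # Load display strings from the matching .adml, when one exists.
        $strings = @{}
        $admlPath = Join-Path (Join-Path $PolicyDefinitions $Language) ($admx.BaseName + '.adml')
        if (Test-Path -LiteralPath $admlPath) {
            $adml = New-Object System.Xml.XmlDocument
            $adml.Load($admlPath)
            $xpath = "//*[local-name()='stringTable']/*[local-name()='string']"
            foreach ($s in $adml.SelectNodes($xpath)) {
                $strings[$s.GetAttribute('id')] = $s.InnerText
            }
        }

        $def = New-Object System.Xml.XmlDocument
        $def.Load($admx.FullName)
        $xpath = "//*[local-name()='policies']/*[local-name()='policy']"
        foreach ($p in $def.SelectNodes($xpath)) {
            # displayName is a reference of the form $(string.SomeId).
            $display = $p.GetAttribute('displayName')
            if ($display -match '^\$\(string\.(.+)\)$' -and $strings.ContainsKey($Matches[1])) {
                $display = $strings[$Matches[1]]
            }

            # A policy can write its own valueName and/or values from <elements>.
            $targets = New-Object System.Collections.Generic.List[object]
            if ($p.HasAttribute('valueName')) {
                $targets.Add(@{ Key = $p.GetAttribute('key'); Value = $p.GetAttribute('valueName') })
            }
            foreach ($e in $p.SelectNodes("*[local-name()='elements']/*[@valueName]")) {
                # An element may override the policy's key with its own.
                $key = if ($e.HasAttribute('key')) { $e.GetAttribute('key') } else { $p.GetAttribute('key') }
                $targets.Add(@{ Key = $key; Value = $e.GetAttribute('valueName') })
            }

            foreach ($hive in $hives[$p.GetAttribute('class')]) {
                foreach ($t in $targets) {
                    [pscustomobject]@{
                        File        = $admx.Name
                        Policy      = $p.GetAttribute('name')
                        DisplayName = $display
                        Class       = $p.GetAttribute('class')
                        Path        = '{0}\{1}' -f $hive, $t.Key
                        ValueName   = $t.Value
                    }
                }
            }
        }
    }
}

# Usage:
#   Get-AdmxRegistryMap | Where-Object DisplayName -like '*command prompt*' |
#       Format-List DisplayName, Path, ValueName
```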

When Group Policy objects are applied to a computer, the computer stores important information about the Group Policy objects it is applying in the last place you’d look: the registry. Information about computer policies is stored under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History key. Information about user policies (relating to the currently logged on user) is stored under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History key.

To view this information, follow these steps:

1. Click Start, and then click Run. Type Regedit, and then click OK.

2. In the Registry Editor, navigate to one of the following two keys:

□ If you are troubleshooting problems relating to a computer policy, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History.

□ If you are troubleshooting problems relating to a user policy, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History.

3. Expand the History key to reveal one or more subkeys relating to Group Policy Extensions.

4. Expand each of the Group Policy Extension keys. You will find one or more subkeys, numbered starting at 0.

The numbers indicate the order in which the policies were applied to the system. Lower numbers were applied first.

5. As shown in Figure 3.11, click each of the keys and examine the values contained within.

Figure 3.11 Group Policy information stored in the registry (Registry Editor screenshot showing the values stored under the History key for the Default Domain Policy)

An explanation of each of the registry values that can be used follows:

■ DisplayName. DisplayName is the friendly name of the GPO.

■ DSPath. DSPath is the distinguished name of the path to the GPO stored in Active Directory. This attribute will not be present for Local GPOs.

■ FileSysPath. FileSysPath is the path to the Group Policy template, or file-based policy, contained in a Group Policy object. If this is a GPO from the domain, the path will be a Universal Naming Convention (UNC) path to the SYSVOL share on the domain controllers. If this is a Local GPO, the path will be a local path that points to the structure beginning with the path %SystemRoot%\system32\GroupPolicy.

■ GPOLink. The GPOLink value identifies what scope the GPO was applied to, therefore affecting the computer or user. The following values are valid:

□ 0= No link information

□ 4= The GPO is linked to an organizational unit

■ GPOName. The GPOName value contains the name of the GPO as it is referenced. For GPOs associated with computers, this name will be the friendly name of the GPO. For GPOs stored in Active Directory, this will be the globally unique identifier (GUID) of the GPO.

■ lParam. The lParam value is used to perform various functions on GPOs.

■ Options. The Options value represents the options selected by the administrator when configuring the GPO link, such as whether to disable the GPO or to force the settings defined in the GPO on subcontainers.

■ Version. The Version registry value specifies the version number of the GPO when it was applied last. The number is used to determine if the GPO has changed since it was last applied.

In the context of troubleshooting, you can use this information to trace GPOs back to their source in Active Directory. You can also determine the order in which Group Policy objects were applied. If the order is not the order you expected, use the Active Directory Users And Computers console to modify the order in which Group Policy objects are applied.

The Windows registry stores critical information about the computer, its configuration, and details of all the applications installed in the system. Inadvertently or maliciously changing users’ permissions to edit Windows registry settings can be exploited to perform Windows registry attacks. Auditing Windows registry permission changes helps IT administrators detect anomalous activities, mitigate threats and accelerate forensic analysis in case of a mishap.

With Native AD Auditing

With ADAudit Plus

How to check Windows registry permission changes activity with ADAudit Plus

Once ADAudit Plus is installed, it automatically configures the audit policies required for Active Directory auditing.

To enable automatic configuration: Log in to the ADAudit Plus web console → Domain Settings → Audit Policy: Configure.

Permission changes in Windows registry can be identified by following the steps below:

Login to ADAudit Plus.

Select the required Domain from the dropdown list.

Go to the Reports tab.

Navigate to GPO Setting Changes.

Select Windows Settings Changes.

ADAudit Plus enables IT administrators to have a comprehensive picture of all the activities that happen within their organization’s network. The real-time monitoring capabilities and out-of-the-box reports offered by ADAudit Plus make it easier to track critical changes in Windows registry permissions, and detect and prevent mishaps.

With native AD auditing, here is how you can monitor Windows registry permission changes:

Step 1: Enable required audit policies

Launch Server Manager in your Windows Server instance.

Under Manage, select Group Policy Management and launch the Group Policy Management console.

Navigate to Forest ➔ Domain ➔ Your domain ➔ Domain Controllers.

Create a new GPO and link it to the domain containing the registry to be monitored, or edit any existing GPO that is linked to the domain to open the Group Policy Management Editor.

Navigate to Computer Configuration ➔ Windows Settings ➔ Security Settings ➔ Local Policies ➔ Audit Policy.

The Audit Policy lists all of its sub-policies in the right panel, as shown in the figure below.

Under Audit Policy, turn auditing on for Success and failure events of Audit Object Access policy.

Click Apply and OK to close Properties window.

To enforce these changes throughout the domain, run the command gpupdate /force, in the Run console.

Step 2: Enable auditing through Registry Editor

Click Start, Run and type Regedit and press Enter.

In the Registry Editor navigate to the key you want to audit.

Right-click the key and select Permissions.

Click Advanced on the Permissions for dialog box and click Add.

Apply the following settings

Principal: Everyone

Type: All

Applies to: This key and subkeys

Permissions: Select Full Control check box.

Click Apply, then OK, and close the console.

Step 4: View events in Event Viewer

In Event Viewer window, go to Windows Logs ➔ Security logs.

Click on Filter current log under Action in the right panel.

Search for Event ID 4670, this identifies Windows registry permission changes.

You can double-click on the event to view Event Properties.

These steps need to be repeated for all the registry keys to audit changes in registry permissions. Manually checking every event is time-consuming, inefficient, and practically impossible.
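The manual Event Viewer search above can be scripted. This added example (not part of the original guide) pulls Event ID 4670 from the Security log, keeps only registry objects, and shows which ACEs were added or removed by comparing the old and new security descriptors recorded in the event. The function name and the key pattern in the usage comment are hypothetical.

```powershell
# Added example: report registry permission changes recorded as Event ID 4670.
# Reading the Security log requires an elevated session.
function Get-RegistryPermissionChange {
    param(
        [datetime]$After = (Get-Date).AddDays(-1),
        [string]$KeyLike = '*'     # wildcard matched against the object name
    )
    $filter = @{ LogName = 'Security'; Id = 4670; StartTime = $After }

    # SilentlyContinue: Get-WinEvent raises an error when no event matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_

        # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        # 4670 is logged for files and other objects too; keep registry keys.
        if ($data['ObjectType'] -ne 'Key') { return }
        if ($data['ObjectName'] -notlike $KeyLike) { return }

        # Split both SDDL strings into their "(...)" ACE entries and diff them.
        $old = @([regex]::Matches([string]$data['OldSd'], '\([^)]*\)') | ForEach-Object { $_.Value })
        $new = @([regex]::Matches([string]$data['NewSd'], '\([^)]*\)') | ForEach-Object { $_.Value })

        [pscustomobject]@{
            Time        = $evt.TimeCreated
            Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process     = $data['ProcessName']
            Key         = $data['ObjectName']
            AddedAces   = @($new | Where-Object { $old -notcontains $_ })
            RemovedAces = @($old | Where-Object { $new -notcontains $_ })
        }
    }
}

# Usage (hypothetical key pattern):
#   Get-RegistryPermissionChange -After (Get-Date).AddDays(-7) -KeyLike '*\SOFTWARE\Policies\*' |
#       Format-List
```

Events appear only for keys that carry the audit entry configured in Step 2, so an empty result on an unaudited key does not mean its permissions were never changed.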

ADAudit Plus simplifies monitoring of changes in Windows registry permissions by offering predefined Windows Settings Changes reports which are easily comprehendible. ADAudit Plus also provides the option to generate custom reports and export them in your preferred format (PDF, XLS, HTML, and CSV).

Windows Group Policy History Stored in Registry

As Group Policy Objects (GPOs) are read and applied when the computer starts or when a user logs on, information about each of the GPOs applied is written to the registry. This information includes which Group Policy Extensions applied policy, the order in which the GPOs were applied, version data, and options defined for each GPO. This data is also used to determine changes that have been made to the GPO since the last time policy was applied.

The administrator can optionally configure diagnostic logging of the application of Group Policy by modifying a registry entry on the client computer. These events are recorded in the Application Log of the client computer, which can be filtered by specifying “Userenv” for the “Source” field.

This article describes each of the registry values that may be found in the stored data for each of the applied GPOs.

In the registry, the history of the application of GPOs is broken down by Group Policy Extension.

To Locate the Group Policy History

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

How to back up and restore the registry in Windows

Open Regedt32.exe and locate the following key in the system registry:

    For Group Policy Objects applied to the local computer:

Underneath each of the keys that represent installed Group Policy Extensions, there will be keys for each of the Group Policy Objects applied. Each of these is assigned a number that equates to the order in which they were applied. The first GPO applied is given the number 0 and, as GPOs are applied, the value assigned to the key is incremented.

Below is an explanation of each of the registry values that may be used.

DisplayName

DisplayName is the friendly name of the Group Policy Object as displayed in the Active Directory Management and Group Policy Editor administration tools.

DSPath

DSPath is the Distinguished Name (DN) of the path to the Group Policy Object stored in the Active Directory. For example: LDAP://CN=Machine,CN=,CN=Policies,CN=System,DC= …

This attribute will not be present for Local Group Policy Objects as there is no Active Directory storage locally.

FileSysPath

FileSysPath is the path to the Group Policy Template (GPT), or file-based policy, contained in the Group Policy. If this is a GPO from the domain, the path will be a UNC path to the SYSVOL share on the domain controllers. If this is a Local Group Policy Object, this will be a local path that points to the structure beginning with the path:

GPOLink

The GPOLink value identifies what scope the Group Policy Object was applied to, therefore affecting the computer or user. The following values are valid:

GPOName

The GPOName value contains the name of the GPO as it is referenced. For Group Policy Objects associated with computers, this name will be the friendly name of the GPO. For Group Policy Objects stored in the Active Directory, this will be the GUID of the GPO.

lParam

The lParam value is used to perform various functions on GPOs. This value can be customized by Group Policy Extensions.

Options

The Options value represents the options selected by the administrator when configuring the Group Policy Object Link, such as whether or not to disable the Group Policy Object or to force the settings defined in the GPO on subcontainers.

Version

The Version registry value specifies the version number of the GPO when it was applied last. The number is used to determine if the GPO has changed since it was last applied.
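Both the Regedit walkthrough earlier on this page and the value descriptions in this section can be followed with one read-only script. This added example (not from either source) enumerates the History key per Group Policy Extension and lists the applied GPOs in order; the function name is hypothetical, and the split of Version into user and computer revisions relies on the general GPO version-number layout (user revision in the high 16 bits, computer revision in the low 16 bits).

```powershell
# Added example: list applied GPOs from the Group Policy History key, in order.
function Get-AppliedGpoHistory {
    param([ValidateSet('Computer', 'User')][string]$Scope = 'Computer')

    $history = if ($Scope -eq 'Computer') {
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
    } else {
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
    }
    if (-not (Test-Path -LiteralPath $history)) { return }   # no policy applied yet

    # First level: one subkey per Group Policy Extension (named by GUID).
    foreach ($ext in Get-ChildItem -LiteralPath $history) {
        # Second level: numbered subkeys, 0 = first GPO applied.
        $entries = Get-ChildItem -LiteralPath $ext.PSPath |
            Where-Object { $_.PSChildName -match '^\d+$' } |
            Sort-Object { [int]$_.PSChildName }

        foreach ($entry in $entries) {
            $v = Get-ItemProperty -LiteralPath $entry.PSPath
            [pscustomobject]@{
                Extension       = $ext.PSChildName
                Order           = [int]$entry.PSChildName
                DisplayName     = $v.DisplayName
                GPOName         = $v.GPOName
                GPOLink         = $v.GPOLink
                Options         = $v.Options
                Version         = $v.Version
                # Assumption stated in the lead-in: high word = user revision,
                # low word = computer revision.
                UserVersion     = ($v.Version -shr 16) -band 0xFFFF
                ComputerVersion = $v.Version -band 0xFFFF
                DSPath          = $v.DSPath        # absent for Local GPOs
                FileSysPath     = $v.FileSysPath
            }
        }
    }
}

# Usage:
#   Get-AppliedGpoHistory -Scope Computer |
#       Sort-Object Extension, Order |
#       Format-Table Extension, Order, DisplayName, GPOLink, UserVersion, ComputerVersion
```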

Microsoft’s Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users.

Microsoft provides a program snap-in that allows you to use the Group Policy Management Console (GPMC). The selections result in a Group Policy Object. The GPO is associated with selected Active Directory containers, such as sites, domains or organizational units (OU). The GPMC allows you to create a GPO that defines registry-based policies, security options, software installation and maintenance options, scripts options and folder redirection options.

There are three types of GPOs: local, non-local and starter.

  • Local Group Policy Objects. A local Group Policy Object refers to the collection of group policy settings that only apply to the local computer and to the users who log on to that computer. Local GPOs are used when policy settings need to apply to a single Windows computer or user. Local GPOs exist by default on all Windows computers.
  • Non-local Group Policy Objects. A non-local group policy object is used when policy settings have to apply to one or more Windows computers or users. Non-local GPOs apply to Windows computers or users once they’re linked to Active Directory objects, such as sites, domains or organizational units.
  • Starter Group Policy Objects. Introduced in Windows Server 2008, starter GPOs are templates for Group Policy settings. These objects enable an administrator to create and have a pre-configured group of settings that represent a baseline for any future policy to be created.

There are some Group Policy settings that can help secure a company’s network. For example, through Group Policy, an organization can run scripts, stop users from accessing certain resources and perform simple tasks, such as forcing a particular home page to open for every network user.

Some of these security measures include:

  • Limiting access to Control Panel — through Control Panel, a company can control all aspects of a computer. Limiting who has access to a computer enables organizations to keep data and other resources safe.
  • Disabling Command Prompt — A company can use Command Prompts to run commands that give high-level access to users and bypass other system restrictions. That’s why it’s prudent to disable Command Prompt to ensure the security of system resources. If a user tries to open a command window after Command Prompt has been disabled, the system will display a message indicating that some settings are preventing this.
  • Prevent software installations — if users are allowed to install software, they may install unwanted applications or malware that can compromise a company’s system. As such, it’s better to prevent software installations through Group Policy.

A visualization of Group Policy Objects

There are several benefits to implementing GPOs in addition to security, including:

  • More efficient management — GPOs already in place apply a standardized environment to all new users and computers that join an organization’s domain, saving time on setup.
  • Ease of administration — system administrators can deploy software, patches and other updates via GPO.
  • Better password policy enforcement — GPOs determine password length, reuse rules and establish other requirements for passwords to keep a company’s network safe.
  • Configuring folder redirection — GPOs enable companies to ensure users are keeping important company files on a centralized and monitored storage system. For instance, an organization can redirect a user’s Documents folder, which is usually stored on a local drive, to a network location.

The limitations of Group Policy Objects include:

  • They run sequentially — GPOs process actions one after another. Consequently, if many GPOs have to be configured, it can take a long time for users to log on.
  • Flexibility is limited — GPOs can only be applied to users or computers. So they’re limited when it comes to applying settings based on context.
  • Limited triggers — GPOs can only be applied at computer startup, when a user logs on or at set intervals. GPOs can’t react to changes in environment, such as network disconnect or reconnect.
  • Difficult to maintain — there’s no built-in search or filter option to find a specific setting within a GPO, making it difficult to find or fix issues with existing settings.
  • No version control — changes made to GPO settings aren’t audited. So if an incorrect change is made, it’s impossible to tell what the change was or who made it.

The processing order of Group Policies affects what settings are applied to the computer or end user. This processing order is known as LSDOU: local, site, domain, organizational unit. First the local computer policy is processed, followed by Active Directory policies from site level to domain, then into OU (GPOs in nested organizational units apply from the OU closest to the root first, and continue from there). If there are any conflicts, the last applied policy will take effect.

The following are examples of Group Policy Objects:

  • A GPO might specify the home page that’s first displayed when a user launches Internet Explorer. When the user logs on to the domain, that group policy object is retrieved and applied to the configuration of the user’s Internet Explorer.
  • An organization can deploy shared network printer connections to users from a specific OU of Active Directory by using Group Policy. So when a user logs in to Windows, an assigned network printer will automatically appear in the list of available printers.
  • Admins can use a group policy to adjust settings, such as turning off computer displays after a certain period of time, choosing default programs and preventing users from changing Internet connection options.

Some best practices for GPOs include:

  • Create a well-designed organizational unit structure in Active Directory to simplify applying and troubleshooting Group Policy.
  • Give GPOs descriptive names to enable admins to quickly identify what each GPO does.
  • Add comments to each GPO explaining why it was created, what its purpose is and what its settings are.
  • Don’t set GPOs at the domain level because they’ll be applied to all computer and user objects. That could cause some settings to be applied to some objects unnecessarily.
  • Don’t use the root computers or user folders in Active Directory because they’re not organizational units and they can’t have GPOs linked to them. When a new user or computer object appears in these folders, it should be immediately moved to the appropriate OU.
  • Don’t disable a GPO. Rather, delete the link from an OU instead of disabling the GPO if you don’t want it to be applied. Disabling the GPO will prevent it from being applied entirely on the domain. That could be a problem because if that particular Group Policy is used in another OU, it won’t work there any longer.

  1. Activate registry auditing
  2. Setting permissions for registry keys
  3. Configuring SACL via GPO
  4. Evaluating the event log

For example, if you want to protect PowerShell against misuse and record all commands executed from the command line in a log file, a hacker probably wants to disable this function to leave no traces. To do this, he could set the value of EnableTranscripting to 0. This key is under:

To find out about such manipulations, you should monitor the relevant keys in the registry. In our example, these would be those set by Group Policy Objects (GPOs) for PowerShell. As with auditing the file system, three measures are required:

  • Enable registry monitoring via GPO
  • Configure the system access control list (SACL) for the resource in question
  • Analyze the event log

Activate registry auditing

The first step is to create a GPO and link it to the organizational unit (OU) whose machines you wish to monitor for changes to the PowerShell keys in the registry.

Next, open the new policy in the GPO editor and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access. (Microsoft has deprecated the settings under Security Settings > Local Policies > Audit Policy since Windows 7.)

Activate auditing for the registry via GPO

There you activate the Audit Registry setting, where you see two options: Success and Failure. Deciding whether you want to record failed, successful, or both accesses depends on the type and importance of the resource. However, you should find a balance between the relevance of the recorded events and the amount of data generated.

In our example, we limit ourselves only to Success to find out when the value of a key actually changed. Executing this command on the target computers activates the group policy:

And now you can customize the SACL for the registry key.

Setting permissions for registry keys

To do this, navigate in regedit.exe to the described position in the registry hive and execute the Permissions command from the PowerShell key context menu. In the subsequent dialog, click on Advanced and open the Auditing tab in the next dialog.

Editing the SACL for registry keys under PowerShell

Here you add a new entry. First, choose a security principal for tracking, such as Everyone. In the next step, define which activities to record. For our purpose, we select Query Value, Set Value, and Delete to record that a value for this key has changed.

Select the type of accesses to record in the audit log

Again, you should keep in mind that monitoring full access may generate too much data, especially if you configure the SACL further up in the registry tree.

Configuring SACL via GPO

When changing the SACL of this key in the registry of many computers, it makes sense to use a GPO. You can configure the necessary setting under Computer Configuration > Policies > Windows Settings > Security Settings > Registry.

There you open the context menu of the container or right-click in the right panel. Then execute the Add Key command. In the following dialog, navigate through the registry until you reach the desired key. If this key does not exist on the local machine, you may also type the path into the input field.

You can also change the SACL of a registry key via a GPO

After selecting a key, the same security dialog opens as described above for regedit.exe. Therefore, the following procedure is the same as for configuring the SACL in the registry editor.

Evaluating the event log

Finally, you should monitor the entries in the event log to discover suspicious activities. Find these in the Security log with the IDs 4656, 4657, 4660, and 4663. As we are only interested in changes in this specific case, the Event IDs 4657 and 4660 are sufficient. ID 4660 represents deletion.

You can retrieve these logs with PowerShell as follows:

Output audit logs for the registry via PowerShell

If you prefer a GUI, you can create a user-defined view in the Event Viewer.

Set up a custom view in the Event Viewer to filter out audit logs for the registry

As a filter, select Security under Event logs, Microsoft Windows security auditing for By source, and Registry for the Task category. Alternatively, you can of course also filter the view using the event IDs.
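As an added example (not part of the original article), the same evaluation can be done offline in Python over events exported as XML under one root element. It reports value changes from 4657 events and, because a 4660 event carries only a handle ID, resolves deleted keys through the preceding 4663 event. The key path, the sample events and the WATCHED_KEY_MARKER name are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: substring of the audited key's path; set it to the key that carries your SACL.
WATCHED_KEY_MARKER = "\\policies\\microsoft\\windows\\powershell"
OPERATION = {"%%1904": "value created", "%%1905": "value modified", "%%1906": "value deleted"}
DELETE_ACCESS = 0x10000  # DELETE bit in the AccessMask of a 4663 event


def _sample_event(event_id, when, **data):
    """Build one constructed event in Windows event XML form (sample input only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample data: one watched value change, one unrelated change, one key deletion.
PS_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription"
SAMPLE_EVENTS = "<Events>" + "".join([
    _sample_event(4657, "2020-01-01T10:00:00Z", SubjectUserName="alice", ObjectName=PS_KEY,
                  ObjectValueName="EnableTranscripting", OperationType="%%1905",
                  OldValue="1", NewValue="0"),
    _sample_event(4657, "2020-01-01T10:01:00Z", SubjectUserName="bob",
                  ObjectName=r"\REGISTRY\MACHINE\SOFTWARE\ExampleApp",
                  ObjectValueName="Theme", OperationType="%%1905", OldValue="a", NewValue="b"),
    _sample_event(4663, "2020-01-01T10:05:00Z", SubjectUserName="alice", ObjectName=PS_KEY,
                  HandleId="0x2b0", AccessMask="0x10000"),
    _sample_event(4660, "2020-01-01T10:05:00Z", SubjectUserName="alice", HandleId="0x2b0"),
]) + "</Events>"


def registry_changes(xml_text, marker=WATCHED_KEY_MARKER):
    """Return (time, user, action, key, value, old, new) for changes under the watched key.

    Events must be in chronological order so that a 4663 is seen before its 4660.
    """
    handles, findings = {}, []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        d = {x.get("Name"): x.text or "" for x in ev.iterfind("e:EventData/e:Data", NS)}
        key, user = d.get("ObjectName", ""), d.get("SubjectUserName", "")
        watched = marker in key.lower()
        if event_id == 4663 and watched and int(d.get("AccessMask", "0"), 16) & DELETE_ACCESS:
            handles[d["HandleId"]] = key  # remember which key this handle refers to
        elif event_id == 4657 and watched:
            action = OPERATION.get(d.get("OperationType"), d.get("OperationType", "?"))
            findings.append((when, user, action, key, d.get("ObjectValueName", ""),
                             d.get("OldValue", ""), d.get("NewValue", "")))
        elif event_id == 4660 and d.get("HandleId") in handles:
            # 4660 carries only the handle, so the key name comes from the earlier 4663.
            findings.append((when, user, "key deleted", handles.pop(d["HandleId"]), "", "", ""))
    return findings


def transcription_disabled(finding):
    """True for the change the article warns about: EnableTranscripting set to 0."""
    _, _, action, _, value, _, new = finding
    return action != "value deleted" and value.lower() == "enabletranscripting" and new == "0"


if __name__ == "__main__":
    for f in registry_changes(SAMPLE_EVENTS):
        print(("ALERT " if transcription_disabled(f) else "info  ") + " | ".join(f))
```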

4 Comments · Updated: March 14, 2020 · 06:20 PM IST · By Kapil Arya · Applies to: How To, Windows Server

In the past, we’ve posted many articles that require you to make changes in the registry. IT professionals mostly prefer to deploy Group Policy settings, but sometimes they need to deal with the registry only. For such cases, deploying registry settings using Group Policy becomes a prime concern.

This article shows a step-by-step approach to deploying a registry key or item using Group Policy. To illustrate this process, we’ll create the AllowIndexingEncryptedStoresOrItems registry DWORD at HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search and set it to 1. This registry DWORD is created to allow Windows 10 to index encrypted files.

Deploy A Registry Key Using Group Policy

1. Press Windows + R and type gpmc.msc in the Run dialog box to open the Group Policy Management snap-in. Click OK.

2. In Group Policy Management window, right click on your preferred domain/OU and select Create a GPO in this domain, and Link it here. If you already created a GPO, then you can use Link an Existing GPO instead. Then right click on GPO Object created so far and select Edit.

3. This will open Group Policy Management Editor window. If the registry key you want to deploy is machine based, simply go to Computer Configuration > Preferences > Windows Settings > Registry. Else, if it is user based, go to User Configuration, Preferences and proceed to Registry folder. In right pane of Registry, right click and select Registry Item.

4. Then under New Registry Properties, select Action as Create to deploy new registry key. Select Hive and then click on browse button.

5. Moving on, in Registry Item Browser, locate the registry key and click Select.

6. Next, back in registry property window, create the registry item such as registry DWORD, string etc and set its preferred Value data. Click Apply.

7. On this property window, you can switch to Common tab which allows to manage additional options for this registry item. Select your option and click OK.

8. Now when you return to Group Policy Management Editor window, you will see that registry is finally deployed. Clients will be updated on next GP engine update or you can use gpupdate /force to update GP engine instantaneously.

About Kapil Arya

Kapil is presently a Microsoft MVP in Windows IT Pro expertise. He is Windows Insider MVP as well, and author of ‘Windows Group Policy Troubleshooting’ book. In 2015, Microsoft India accomplished him as ‘Windows 10 Champion’. Being passionate Windows blogger, he loves to help others on fixing their system issues. Kapil has worked with official Microsoft Community Engagement Team (CET) on several community projects. You can follow him for news/updates and fixes for Windows.

Kapil, how do you set the permission for the key once it’s been created via GPO?

^^ You need to initially create registry in the level you can allow permissions for. If you want to set it at User level, you need to go to User Configuration registry section and add registry key in HKEY_CURRENT_USER hive.

Hello Kapil, if I have a need to amend the value name and I just update it via GPO, will it create a new string?

^^ Can you share your question with an example?

Meeting Room PC Configuration – GPO and Registry Settings

Modified on: Mon, 21 Jun, 2021 at 12:34 PM

Recommended Group Policy Settings.

Skype For Business Settings

Other Policy Settings

Appendix – How to set a registry key using Group Policy Preferences.

For organizations that manage their meeting rooms and the Quicklaunch meeting room account centrally (Domain Attached and managed via Group Policy) we generally recommend applying the settings below that are relevant to your configuration.

In practice for large numbers of rooms it will usually be easier to manage these types of settings via group policy than to attempt to manage each PC individually.

Quicklaunch Settings

The following Group Policy and registry settings are configurable from within Quicklaunch Settings under System > General

* Where appropriate these should be integrated into the Group Policy for the appropriate Organizational Unit and/or User

Remove Change Password

Removes the Change Password option for the Current User in Windows 10.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Domain member: Disable machine account password changes

Published by Ian Matthews on June 4, 2019

From time to time Microsoft changes their ADMX templates and that may mean a setting you have configured becomes orphaned.

Because you can not see the entry when you are EDITING the GPO you can’t delete it; you can only see it in the GPMC SETTINGS tab. So the question then becomes how to delete the rogue GPO setting?

Clone the GPO you are working on so that if you screw it up you still have the original to work from.

Open a PowerShell window as an Administrator and run the following:

Remove-GPRegistryValue -Name "<GPO NAME>" -Key "<REGISTRY PATH>" -ValueName "<REGISTRY VALUE>"

The REGISTRY PATH is not completely obvious. You have to prepend HKLM or HKCU depending on if it is a COMPUTER or USER policy.

The REGISTRY VALUE is the last item in the path shown.

In my case the remove command looked like:

Remove-GPRegistryValue -Name Computer-Personalization-Jun2019 -Key "HKLM\Software\Policies\Microsoft\Windows\PreviewBuilds" -ValueName EnableConfigFlighting

If you can’t figure out the value, look at the screen shot to the right.

Microsoft techs had wrongly told me, several times in the past, that it was not possible to remove such an orphaned GPO entry and that the only way around it was to rebuild the GPO from scratch.

The Registry Wizard allows you to create multiple Registry preference items based upon registry settings that you select on a computer. The Registry preference items have the same registry keys and values as those that you select, although you can modify them after creation. The wizard organizes the Registry items in a collection (folder) structure that mimics the structure of the registry. Each Registry item generated by the wizard allows you to configure a key or a value in the Windows registry.

To create multiple Registry preference items

Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.

In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

Right-click the Registry node, point to New, and select Registry Wizard.

Select the computer on which the desired registry settings exist (or on which similar settings you will modify exist), then click Next.

Browse to and select the check box for each key or value from which you want to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.

Click Finish. The settings that you selected appear as preference items in the Registry Wizard Values collection.

Right-click the Registry Wizard Values collection in the console tree, click Rename, and type a descriptive name for the collection.

Additional considerations

  • You can modify the settings in the individual Registry preference items created by the Registry Wizard. For more information, see Configure a Registry Item.
  • You can reorganize Registry preference items and collections by dragging them into collections that you create. The structure of collections of Registry preference items has no impact on the position of keys and values in the Windows registry. For more information, see Organize Registry Items.
  • You can use item-level targeting to change the scope of preference items.
  • Preference items are available only in domain-based GPOs.

Windows periodically refreshes group policy settings throughout the network. On client computers, this is done by default every 90 minutes, with a randomized offset of plus or minus 30 minutes. When you make a change to a group policy, you may need to wait two hours (90 minutes plus a 30 minute offset) before you see any changes on the client computers. Even then, some changes will not take effect until after a reboot of the computer.

You can change the default values by modifying the settings in Administrative Templates. You cannot schedule a specific time to apply a Group Policy Object (GPO) to a client computer. Software installation and folder redirection settings in a GPO are processed only when a computer starts (computer-based policies) or when the user logs in (user-based policies), rather than at a particular time.

To force your Windows computer to check for group policy changes, you can use the gpupdate /force command to trigger the updating process. This compares the currently applied GPO to the GPO that is located on the domain controllers. If nothing has changed since the last time the GPO was applied, then the GPO is skipped.

If Windows accepts the request, it will display the following message:

User Policy update has completed successfully.
Computer Policy update has completed successfully.

For more about this command, from the Start menu, select Help and Support, and then search on group policy management.

First of all, let’s remember the standard group policy precedence: Local — Site — Domain — Organisation Unit (LSDOU), from the less specific level to the more specific. It means that Local GPO settings apply first, then Site-level, Domain-level, etc., and the settings applied last (OU GPO) have the highest precedence on the resulting system. However, if a domain administrator didn’t configure some settings in the higher-level GPOs (e.g. Enable/Disable Windows Defender service) but the same settings have been configured in the Local-level GPO, the local ones will be applied. Yes, even if the machine is a domain member.

The Local GPO files are located in the hidden %systemroot%\System32\GroupPolicy folder, which has two scopes (located in subfolders): one for User and one for Computer. Any user (here I mean a «bad guy», of course) with access to this folder can copy a Registry.pol file and check or change the Local GPO settings. An intruder can use a third-party application, such as a RegPol Viewer:

Or he can copy all %systemroot%\System32\GroupPolicy subfolders to his own machine and change these settings via the standard Group Policy Editor (gpedit.msc) snap-in:

After changing the settings, the intruder can copy these files back to the hacked machine and replace the current local policies. The next time the GP update process occurs, all new GPO settings, including local ones, will be applied. In my example the Windows Defender service becomes turned off:

Well, how do we detect these intruder actions using digital forensics methods? Actually, it’s not a big deal if we have a hard disk clone (image) for investigation.

Let’s analyze the image of interest with plaso. Usually, if someone with administrative rights changes a Local policy legitimately, he does it with a standard Windows snap-in. So we’ll detect sequential actions: open mmc.exe -> access Registry.pol & comment.cmtx files:

Also you can check the Microsoft-Windows-GroupPolicy Operational.evtx log file for Event ID 4016 (Windows 10) occurring at the same time as the Registry.pol change. Note: as I discovered, only changes made in Administrative Templates are registered in GPO logs.

If someone bad changes the Local policy files using copy and replace, you’ll detect similar events in the plaso results:

In this example I copied all Local policy files manually to the %systemroot%\System32\GroupPolicy folder (it was a VMware virtual machine, so you can see the VMware-DnD folder) and after 10 minutes I executed the gpupdate /force command. You see that the Windows Defender state was changed to OFF, because I set this option in the Local policy before copying.

OK, in conclusion: if some unexpected configuration changes are detected on a computer, check whether they were caused by an intruder-driven Local policy change.
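A Registry.pol recovered from the image can also be compared with a known-good copy. The following added example (not from the original post) parses the PReg file format and lists the settings that differ; the two policy files, the Defender and WSUS values in them and all function names are constructed for illustration.

```python
import struct

REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4


def _w(text):
    return text.encode("utf-16-le")


def _sample_pol(entries):
    """Serialize (key, value, type, data_bytes) tuples as Registry.pol (constructed sample input)."""
    out = b"PReg" + struct.pack("<I", 1)  # signature and version 1
    for key, value, rtype, data in entries:
        out += (_w("[" + key + "\0;" + value + "\0;") + struct.pack("<I", rtype) + _w(";")
                + struct.pack("<I", len(data)) + _w(";") + data + _w("]"))
    return out


def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, next_pos)."""
    end = pos
    while buf[end:end + 2] != b"\0\0":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, char):
    if buf[pos:pos + 2] != _w(char):
        raise ValueError(f"expected {char!r} at offset {pos}")
    return pos + 2


def _decode(rtype, data):
    if rtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\0")
    return data.hex()  # other types are kept as hex for comparison


def parse_pol(buf):
    """Parse Registry.pol bytes into {(key, value): (type, data)}, names lower-cased."""
    if len(buf) < 8 or buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, settings = 8, {}
    while pos < len(buf):  # each entry is [key;value;type;size;data]
        pos = _expect(buf, pos, "[")
        key, pos = _wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        if pos + 10 > len(buf):
            raise ValueError("truncated entry")
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        if pos + size + 2 > len(buf):
            raise ValueError("truncated data")
        settings[(key.lower(), value.lower())] = (rtype, _decode(rtype, buf[pos:pos + size]))
        pos = _expect(buf, pos + size, "]")
    return settings


def diff_pol(baseline, suspect):
    """List (change, key, value, old, new) between two parsed policy files, sorted by key."""
    changes = []
    for name in sorted(set(baseline) | set(suspect)):
        old, new = baseline.get(name), suspect.get(name)
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "changed"
            changes.append((kind, name[0], name[1], old and old[1], new and new[1]))
    return changes


# Constructed sample files: a known-good baseline and the copy found on the image.
SEARCH = r"Software\Policies\Microsoft\Windows\Windows Search"
WSUS = r"Software\Policies\Microsoft\Windows\WindowsUpdate"
DEFENDER = r"Software\Policies\Microsoft\Windows Defender"
ONE = struct.pack("<I", 1)
BASELINE_POL = _sample_pol([
    (SEARCH, "AllowIndexingEncryptedStoresOrItems", REG_DWORD, ONE),
    (WSUS, "WUServer", REG_SZ, _w("http://wsus.example.test:8530\0")),
])
SUSPECT_POL = _sample_pol([
    (SEARCH, "AllowIndexingEncryptedStoresOrItems", REG_DWORD, ONE),
    (DEFENDER, "DisableAntiSpyware", REG_DWORD, ONE),
])

if __name__ == "__main__":
    for change in diff_pol(parse_pol(BASELINE_POL), parse_pol(SUSPECT_POL)):
        print(change)
```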

Thank you again for attention! I’ll be back soon with a new good stuff!

Updated: Jun 2021
– Easier method to deploy with /t
– Added example to set lgpo to “Not Configured”

Have a need to update just a few local GPO settings on your client machines? Maybe you’ve deployed a full CIS Baseline and just need to tweak one or two things. Or maybe SCCM isn’t properly reverting WSUS settings when disabling software updates. If so, making a few updates with lgpo.exe is simple. Here is how you can change a handful of lgpo settings on your client machines without having to re-deploy an entire LGPO baseline. I’ve included several lgpo examples as well.

The Process

1. Download LGPO from the Microsoft Security Compliance Toolkit 1.0
2. Extract the zip and copy it to a folder. I’ll use C:\Temp
3. Open cmd as administrator and change directory to C:\Temp
4. Make any changes to local group policy via gpedit.msc
5. Take a backup by running this command:
lgpo.exe /b C:\Temp /n "Backup"

6. This exports the LGPO into a folder with a GUID. I would recommend re-naming to something easier. Example, “LGPO_Backup”
7. Now you are going to want to parse this backup into a text file. Run this command:
LGPO.exe /parse /m C:\Temp\LGPO_Backup\DomainSysvol\GPO\Machine\registry.pol >> C:\Temp\lgpo.txt

Note: You can also do this for “user” settings as well by loading the registry.pol in DomainSysvol\GPO\User\registry.pol.

This text file will contain every setting configured. Delete the ones you don’t want and then find the ones you do want and edit those. In my example I want to allow users to add applications to the “public” firewall profile as it’s currently being blocked. I edited my text file to look like this:

9. Once you have made your changes, you simply need to apply the .txt file with /t switch (new in version LGPO 2.2 or newer)
LGPO.exe /t C:\Temp\lgpo.txt

Note that if you are applying user level settings, you will need to use the /u switch.

LGPO Example for setting “Not Configured”

If you want to simply revert some settings to “Not Configured” you will need to add a “DELETE” to each setting you want to delete. In the following lgpo example, I want to revert WSUS settings so that Windows Updates can be managed by Windows Update for Business.

Save the file, and apply with the /t command

Launch GPedit.msc and you will see that the WSUS setting is correctly set to “Not Configured”

I also verified that the specific registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate are removed as well.

The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interface can all use the registry.

Steps: The below syntax should be saved with the .reg extension and run in order to create the registry keys: In this step, I will be using the registry key as this can also be used to point the server to the Upstream server.
– Create the registry key and save it anywhere on your PC, double click to run the reg file created, and reboot your PC.

Here is how the registry settings would look; you can modify this by specifying the IP address. In the previous example, I used the local group policy.

After saving the file with the .reg extension and running it, these entries will be created in the registry

Note: You can also use the local group policy alongside additional options.

In order to be reported and have the WSUS server approve updates on the server, run the following commands below. These commands below force our servers to contact the WSUS server.

Friday, September 14, 2012

How to check which GPO applied and which registry changing by GPO

Hi Guys,
I am adding one more article here because I feel it would be more beneficial for all of us who worked on Microsoft platform under Administrative task, many of us worked or working with Group Policy, even I worked for many years but interesting is, I never saw which registry being changed by applying Group Policy Objects on server.

You can open the Run box from the Start menu and enter "RSOP.MSC", which will open a separate window for Resultant Set of Policy where you can see all policies applied to the box.

Once the console opens you will be able to see which settings have been applied to your PC.
Note: Only settings that have been applied to your machine and user account will show up.

You can also use the command prompt, as many people love it. When using the command line, note that you have to specify the scope of the results. To find all the policies that are applied to your user account, you would use the following command:
gpresult /Scope User /v (you can save the output to a text file by adding >filename.txt)

Then if you scroll down, you will see the Resultant Set Of Policies for User section.

If you are looking for all policies applied to your Computer, all you need to do is change the scope:
gpresult /Scope Computer /v

If you scroll down, you will now see that there is a Resultant Set Of Policies for Computer section.

Now the question is: how do we check which registry settings are added by a modified Group Policy Object? For this we can use one fantastic tool, Process Monitor.

Then extract and run it locally.
When Proc Mon opens, you will need to add a condition as follows:
“Process Name is mmc.exe then Include”
Then click the add button.

To get only the registry keys that are changed, we need add another one:
“Operation is RegSetValue then Include”
Then again click the add button.

Once the two rules have been added, you can go ahead and click ok.

Now go and open the Group Policy setting that you wish to edit.

Before you actually change the setting, switch back over to Proc Mon and clear the log.

Then go and change the GPO and click apply.

If you switch over to Proc Mon you will see that you have a registry key(s) there. Right-click on it and select the Jump To… option from the context menu.

That will fire up Regedit and take you to the exact key which was modified.
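The same two filters can be applied offline to a Procmon CSV export, which is handy when several values change at once. This is an added example, not code from the original article; the sample rows are constructed, and the mapping of the editor's HKCU staging path ("Group Policy Objects\{GUID}Machine" or "User") to the effective hive is an assumption about how the Local Group Policy Editor records its writes.

```python
import csv
import io
import re

# Constructed sample in the default column layout of a Procmon CSV export.
# PIDs, times and the GUID are made up; the last row is mmc.exe's own state.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","mmc.exe","4120","RegQueryValue","HKLM\Software\Policies\Microsoft\Windows\Personalization\NoLockScreen","NAME NOT FOUND","Length: 144"
"10:01:09.4","mmc.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{11111111-2222-3333-4444-555555555555}Machine\Software\Policies\Microsoft\Windows\Personalization\NoLockScreen","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:09.5","explorer.exe","988","RegSetValue","HKCU\Software\Example\LastRun","SUCCESS","Type: REG_SZ, Length: 10, Data: test"
"10:01:09.6","mmc.exe","4120","RegSetValue","HKCU\Software\Microsoft\Microsoft Management Console\Settings\Example","SUCCESS","Type: REG_BINARY, Length: 8, Data: 00 01"
'''

# Assumed staging location used by the Local Group Policy Editor.
STAGING = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"Group Policy Objects\\\{[0-9A-Fa-f-]+\}(Machine|User)\\(.+)$",
    re.IGNORECASE,
)
DETAIL = re.compile(r"Type: (\w+), Length: (\d+), Data: (.*)")


def policy_writes(csv_text, process="mmc.exe"):
    """Return (key, value name, type, data, staged) for each RegSetValue row."""
    rows = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    found = []
    for row in rows:
        # Same two conditions as the Procmon filter: process name and operation.
        if row["Process Name"].lower() != process or row["Operation"] != "RegSetValue":
            continue
        path, staged = row["Path"], False
        m = STAGING.match(path)
        if m:
            # Translate the staging path to the hive the policy ends up in.
            hive = "HKLM" if m.group(1).lower() == "machine" else "HKCU"
            path, staged = hive + "\\" + m.group(2), True
        key, _, value_name = path.rpartition("\\")
        d = DETAIL.match(row["Detail"])
        reg_type, data = (d.group(1), d.group(3)) if d else ("", "")
        found.append((key, value_name, reg_type, data, staged))
    return found


if __name__ == "__main__":
    for write in policy_writes(SAMPLE_CSV):
        print(write)
```

Rows with staged set to False are the console's own housekeeping writes rather than policy values.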

When you think of the Windows Registry, you’re normally concerned with two sections: HKEY_LOCAL_MACHINE (HKLM) and HKEY_CURRENT_USER (HKCU).

It’s fairly obvious that settings under each area apply to either the PC itself (machine) or just to the currently logged in user. This is usually fine, but there are scenarios where there’s a setting that will only apply to a machine due to how the program is written, but you actually want to turn it on or off based on the logged on user.

With Group Policy Preferences (GPP), which was introduced with Windows Server 2008, this is much easier to do. Before this, you would have needed to write complex logon scripts using 3rd party tools to perform lookup commands, create variables and then adjust the registry accordingly, while providing administrator credentials.

GPP lets you apply registry settings rather easily. One of the main benefits of GPP is how flexible and granular you can be with the settings you apply.

This is how I normally deploy a setting while keeping it easily manageable: have two items for the registry value, one setting it on and the other off (normally 1 for on and 0 for off, but it depends on the setting). Whether the setting is on or off is targeted on the user’s membership of an Active Directory (AD) group, but the item is not applied in the user context, meaning it’s applied by ‘System’, which has full access to the HKLM registry.

This will then mean the HKLM setting changes from 0 to 1 and back based on which user logs in!

I prefer this to targeting particular users individually on the item because a single check takes less processing time than many, and because anyone can easily manage an AD group rather than mucking about with Group Policy and potentially doing something wrong that affects the entire user base.

How to create a Group Policy that applies HKLM settings per user:

First, create a Policy. I’m going to assume you’re able to open Group Policy Management and create a Group Policy Object (GPO).

We’ll be working under User Configuration > Preferences > Windows Settings > Registry.

Here’s what you should see without my registry item already created:

Right click in the big open white space and choose New > Registry Item. Fill in the General tab for the registry item you want to create. Here’s an example:


Next, go to the Common tab and tick ‘Item Level Targeting’. Then click the ‘Targeting’ button and you’ll be taken to the Targeting Editor. This is where all the granular control is, and you’ll find many options on what criteria needs to be met to either apply, or not apply the registry item.

You can define what you like for the rules, but I’ll be doing ‘the user is a member of the security group’. You can click the ellipsis … button and find your group in Active Directory (or quickly go there to create it first).


After you’ve done this and pressed ‘OK’ twice, you’ll have your first registry entry ready to apply. We need a second one to set the registry value to a different value if a user is NOT in the group, so right click on the registry item and choose ‘copy’, then right click on the blank area and choose ‘paste’.

Go into the properties of your copied item, and change the value data to the second setting, and go into the ‘Targeting’ area and change the rule to ‘Is Not’ rather than ‘Is’ under the ‘Item Options’ dropdown menu.

One note is that AD group membership is checked when the user logs in, so if you’re testing and running ‘gpupdate’ to force a group policy check, it may not work as it won’t realise the user is in or out of the group. Just log off and back on to test instead.
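A machine-wide value that is switched on for group members stays on for the next user unless the matching ‘Is Not’ item exists, so it is worth checking that every group-targeted value has both halves. The following is an added example, not part of the original article: it assumes the Properties and FilterGroup attribute layout of the Registry.xml file that GPP stores in SYSVOL, and the sample content, group names and SIDs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a GPP Registry.xml (assumed layout).
# "Feature" has both an Is and an Is Not item; "Banner" only has the Is item.
SAMPLE_REGISTRY_XML = r'''<RegistrySettings>
  <Registry name="FeatureOn">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Example"
                name="Feature" type="REG_DWORD" value="00000001"/>
    <Filters><FilterGroup bool="AND" not="0" name="EXAMPLE\Feature-Users"
                          sid="S-1-5-21-0-0-0-1111" userContext="1"/></Filters>
  </Registry>
  <Registry name="FeatureOff">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Example"
                name="Feature" type="REG_DWORD" value="00000000"/>
    <Filters><FilterGroup bool="AND" not="1" name="EXAMPLE\Feature-Users"
                          sid="S-1-5-21-0-0-0-1111" userContext="1"/></Filters>
  </Registry>
  <Registry name="BannerOn">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Example"
                name="Banner" type="REG_DWORD" value="00000001"/>
    <Filters><FilterGroup bool="AND" not="0" name="EXAMPLE\Banner-Users"
                          sid="S-1-5-21-0-0-0-2222" userContext="1"/></Filters>
  </Registry>
</RegistrySettings>'''


def unpaired_group_targets(registry_xml):
    """Return (hive\\key, value name, group) for group-targeted values that
    lack either the 'Is' (not="0") or the 'Is Not' (not="1") item."""
    seen = {}
    for item in ET.fromstring(registry_xml).iter("Registry"):
        props = item.find("Properties")
        if props is None:
            continue
        target = (props.get("hive") + "\\" + props.get("key"), props.get("name"))
        for flt in item.iter("FilterGroup"):
            # Record which targeting states exist for this value and group.
            states = seen.setdefault(target + (flt.get("name"),), set())
            states.add(flt.get("not", "0"))
    return sorted(t for t, states in seen.items() if states != {"0", "1"})


if __name__ == "__main__":
    for hit in unpaired_group_targets(SAMPLE_REGISTRY_XML):
        print("missing counterpart:", hit)
```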

I am a big fan of Group Policy Preferences and this is one of the examples of how powerful it can be, so if you are not already using it – get started!

Posted: June 30th, 2015

System administrators often need to deploy one or more Registry Keys in a business environment. Customized software or hardware needs particular configurations, and companies usually have solutions tailored to their needs.

Whatever the reason is, a Group Policy is the best way to deploy a Registry Key in an Active Directory Domain Services environment.

The configuration is quite simple and quick.

Open the Group Policy Management panel and create a new Group Policy Object:


Go to the Settings tab. Right-click on Computer Configuration or User Configuration and select Edit:


You can deploy the Registry Key on per-computer or per-user basis. We chose a per-computer model. Select New Registry Item from the dropdown menu:


Now you need to specify the Registry Key you want to update, replace, create or delete:


Click Ok and the Registry Key will be deployed:


Ever seen extra registry settings in your group policy manager console?


This most likely appeared when you updated your ADMX templates with new Windows 10 templates, but no worries, your settings are not lost!

The settings will still apply on the supported operating system, but what if you want to change the setting? Do you have to delete the group policy and create a new one? No, no!

The reason for “Extra Registry Settings” is simply that the ADMX files cannot translate the setting into a “clickable” setting.

Very, very short explanation of ADMX/ADML

When you update the group policy templates, they consist of two file types: ADMX and ADML.

ADMX files are translator files from a registry setting to a graphical interface. This is also where all the options for the settings are stored.

ADML files are located in a language folder, e.g. en-us. This is where all the settings are translated into your language.

These pictures may help you to understand what the files are used for

The ADMX file holds information such as where the setting is located, what type of setting it is (Machine/User), the setting value and more.


In the picture below I try to describe how the ADML file is used to translate the variables in the ADMX file into more user-friendly text.


So what actually happens when Extra Registry Settings shows up is that a setting you configured a long time ago is no longer found in any ADMX file.

All settings are matched to a key and valueName in the ADMX file, and if the setting isn’t found, “Extra registry setting” will show up.
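The match can be reproduced outside the console to predict which values of a GPO will fall under Extra Registry Settings with a given template set. This is an added example and a simplified model of the match, not the console's own code; the ADMX content and the GPO values are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, minimal ADMX in the policyDefinitions layout (not a shipped template).
SAMPLE_ADMX = r'''<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="NoLockScreen" class="Machine" displayName="$(string.NoLockScreen)"
            key="Software\Policies\Microsoft\Windows\Personalization"
            valueName="NoLockScreen">
      <enabledValue><decimal value="1"/></enabledValue>
    </policy>
    <policy name="ExampleProxy" class="Both" displayName="$(string.ExampleProxy)"
            key="Software\Policies\Example">
      <elements>
        <text id="Server" valueName="ProxyServer"/>
        <decimal id="Port" key="Software\Policies\Example\Net" valueName="ProxyPort"/>
      </elements>
    </policy>
  </policies>
</policyDefinitions>'''

# Constructed values as they might be stored in a GPO: (class, key, valueName).
GPO_VALUES = [
    ("Machine", r"Software\Policies\Microsoft\Windows\Personalization", "NoLockScreen"),
    ("User", r"Software\Policies\Example\Net", "ProxyPort"),
    ("Machine", r"Software\Policies\Example", "RetiredSetting"),
]


def defined_values(admx_text):
    """Set of lower-cased (class, key, valueName) triples an ADMX file describes."""
    known = set()
    for policy in ET.fromstring(admx_text).iter():
        if policy.tag.rsplit("}", 1)[-1] != "policy":   # ignore the XML namespace
            continue
        cls = policy.get("class", "").lower()
        classes = ("machine", "user") if cls == "both" else (cls,)
        # The policy itself, its <elements> children and list items may all
        # carry a valueName; a child may override the policy's key.
        for node in policy.iter():
            name = node.get("valueName")
            if name:
                key = node.get("key") or policy.get("key", "")
                known.update((c, key.lower(), name.lower()) for c in classes)
    return known


def extra_registry_settings(gpo_values, admx_texts):
    """GPO values that none of the supplied ADMX files describe."""
    known = set().union(*(defined_values(t) for t in admx_texts))
    return [v for v in gpo_values if tuple(p.lower() for p in v) not in known]


if __name__ == "__main__":
    print(extra_registry_settings(GPO_VALUES, [SAMPLE_ADMX]))
```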

Ok, so I understand, but how do I solve this? – There are a couple of ways

  • Delete the group policy and re-create it. May not be the most time efficient solution

The other two options require that you either have the old ADMX/ADML files (you can copy them from another computer: %WinDir%\PolicyDefinitions) or have an old computer installed with the target operating system you need to view the setting.

  • You can locate the central SYSVOL store. Back up the existing \\domain\Sysvol\domain\Policies\PolicyDefinitions folder and replace the ADMX/ADML files with the old ones. When you are done, don’t forget to restore. I would recommend this solution in a lab environment or a very, very small environment.
  • My favorite: log on to an old computer or a management computer. Start by installing the appropriate version of RSAT (Remote Server Administration Tools) and add the Group Policy Management Console feature. Place your old ADMX/ADML files in the local PolicyDefinitions folder (%WinDir%\PolicyDefinitions), NOT on the central store. Now to the nice part: create or change this registry value: HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\EnableLocalStoreOverride [REG_DWORD] = 1. Restart the Group Policy Management Console, locate your group policy object and now you can manage the setting. When you are done, just change the registry value back to 0 or delete it.
    The best part with the last option is that you may have multiple PolicyDefinitions folders, like the illustration below, and depending what you want just rename the folder to PolicyDefinitions and restart GPMC – done.

You can use these commands to change the registry value. The first turns the local store override on, the second turns it off again:

REG.exe ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy" /v EnableLocalStoreOverride /t REG_DWORD /d 1 /f

REG.exe ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy" /v EnableLocalStoreOverride /t REG_DWORD /d 0 /f

If you are running Windows 7/8.x/2008R2/2012/2012R2, you need a KB; this KB also describes this registry change.

Update (27 October 2017)

I got a tip from a reader about a third option to “get rid” of the Extra Registry Settings. Basically, that is to create your own custom ADMX/ADML with the setting you see. When the ADMX/ADML is in place, start editing your GPO and set the setting to Not Configured, and the setting will disappear.

Here is some information to get you started with this.

There may be 3rd party applications out there to help you as well.

If you need more information regarding this, ping me and I will do a detailed post on how to create custom ADMX/ADML files.

Did I miss anything or did you notice something wrong? I’d be happy to hear from you. You can reach me directly from the contact page or Twitter.