
How to Use Group Policy to Push Windows Registry Keys to End Users

.REG files tend to be best suited for one-off situations; a better option for pushing Windows registry keys is via Group Policy.

As an administrator, you might need to push Windows registry keys to users’ devices for any number of reasons. For example, I know of at least one organization that uses registry keys to prevent the installation of blacklisted applications. A more common use is enforcing a browser’s security settings through the registry.

One somewhat common method of adding Windows registry keys to an end user device is to create a .REG file. A .REG file is essentially just a file containing one or more registry entries. Opening such a file on a Windows computer causes those registry settings to be ingested and applied. While this technique does indeed work, using .REG files isn’t usually the best option for applying registry settings to end user devices.

One of the biggest problems with using .REG files is the lack of transparency into the file’s purpose. It’s true that a .REG file is really just a text file that has been given a .REG extension. That means that you can open a .REG file using Notepad or any other text editor, and see exactly what registry settings exist within the file. You can see an example of this in Figure 1.

Figure 1: .REG files are really just text files and can be opened in Notepad.

Even so, some settings within the registry can be a bit cryptic. Unless you were the one who created a particular .REG file, it can be difficult to determine what the file’s true purpose is (although there are ways to find out).  This is an important consideration since a malicious or poorly constructed .REG file has the potential to do significant damage.

Another issue with using .REG files is that they tend to be best suited for one-off situations. For example, an administrator might use a .REG file to add a collection of registry settings to a non-domain joined PC.

A better option for pushing Windows registry keys to end user devices is to do so via Group Policy. Obviously, this technique is only suitable for use on systems that are domain joined.

Pushing Windows Registry Keys Via Group Policy

To get started, the first thing that you will need to do is to make sure that you have the appropriate tools installed. If you are working from a Windows 10 PC, you will need to install the Remote Server Administration Tools. If you are working directly from the server console on a domain controller, then everything that you need is already installed. In any case, go ahead and open the Group Policy Management console.

Once the console opens, navigate through the console tree to Group Policy Management | Forest | Domains | <your domain> | Default Domain Policy (or the policy that you want to edit). Now, right-click on the Default Domain Policy (or the policy that you want to edit), and choose the Edit command from the shortcut menu. You can see what this looks like in Figure 2.

Figure 2: Right-click on the Default Domain Policy and choose the Edit command from the shortcut menu.

At this point, Windows will open the group policy for editing. Before you configure Group Policy to push a registry setting, however, you need to stop and consider whether the registry setting should be applied at the user level, the computer level or both.

If you need to apply a registry setting to the users the group policy applies to, navigate through the Group Policy Management Editor to User Configuration \ Preferences \ Windows Settings \ Registry. Now, right-click on the Registry container and choose the New | Registry Item command from the shortcut menu, as shown in Figure 3. When you do, Windows will display a dialog box that allows you to provide the details for your intended registry modification.

Figure 3: This is where user-level registry settings can be added to Group Policy.

The process for creating computer-level registry settings is nearly identical. For this, you will need to navigate through the console tree to Computer Configuration \ Preferences \ Windows Settings \ Registry. Once again, right-click on the Registry container, and select the New | Registry Item command from the shortcut menu, as shown in Figure 4.

Figure 4: This is where computer-level registry settings can be added to Group Policy.

Finally, enter the details for the registry item that you wish to apply to the Windows computers on your network.
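
The same user-level and computer-level registry items can also be created from PowerShell with the GroupPolicy module that is installed alongside the Group Policy Management console. The script below is an added example, not part of the original article; the GPO name, the OU, and the registry keys and values are constructed placeholders.

```powershell
#Requires -Modules GroupPolicy
# Added example: all names below are constructed placeholders, not from the article.
$GpoName  = 'Example - Registry Preferences'      # hypothetical GPO name
$TargetOU = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU to link the GPO to

# One entry per registry item. Context selects User Configuration or
# Computer Configuration, the same choice made in the editor.
$Items = @(
    @{ Context = 'User';     Key = 'HKEY_CURRENT_USER\Software\ExampleCorp\Browser'
       ValueName = 'ExampleSetting'; Type = 'DWord';  Value = 1 }
    @{ Context = 'Computer'; Key = 'HKEY_LOCAL_MACHINE\Software\ExampleCorp\Policy'
       ValueName = 'ExampleBanner';  Type = 'String'; Value = 'Managed by IT' }
)

# This example uses a dedicated GPO so the change is easy to scope and roll back.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Registry preference items (example)'
}

foreach ($item in $Items) {
    # -Action Update creates the value if it is missing and overwrites it otherwise.
    Set-GPPrefRegistryValue -Name $GpoName -Action Update @item | Out-Null

    # Read the item back from the GPO to confirm what was stored.
    Get-GPPrefRegistryValue -Name $GpoName -Context $item.Context `
        -Key $item.Key -ValueName $item.ValueName
}

# Link the GPO only if the OU does not already carry a link to it.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Write an HTML report of the GPO for review.
$report = Join-Path $env:TEMP 'registry-gpo-report.html'
Get-GPOReport -Name $GpoName -ReportType Html -Path $report
```

The HTML report lists every preference item in the GPO, which gives reviewers the visibility into purpose that a standalone .REG file lacks.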
