Access Denied: Applying a Registry Value Across All a Domain's Computers


Sometimes I come across an important security-related registry value, such as Telnet's AllowTrustedDomain, that I need to configure on all my domain's computers, but I can't find the setting anywhere in Group Policy. How can I automate settings such as AllowTrustedDomain?

You can accomplish this by creating a new administrative template in the Default Domain Policy Group Policy Object (GPO). Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the root of the domain, and select Properties to open your domain's Properties dialog box. Select the Group Policy tab, then select the Default Domain Policy GPO and click Edit to display the GPO's editing window. From the treeview, navigate to Computer Configuration, Administrative Templates; right-click Administrative Templates; and select Add/Remove Templates. In the Add/Remove Templates window, click Add to open the Policy Templates window.

Right-click one of the existing Group Policy administration (.adm) files and select Copy. Then, right-click some white space within the file list and select Paste to create a new file called Copy of <selected .adm file>. Rename the new file to ts.adm. Right-click the ts.adm file, select Open With, and double-click Notepad from the list that appears. After Notepad opens ts.adm, replace the contents with the text that Listing 1 shows, then save and close the file.

Return to the Policy Templates window, select ts.adm, and click Open to return to the Add/Remove Templates window, which should now include ts.adm in the Current Policy Templates list. Click Close, return to the GPO's editing window, and select the new Telnet Settings folder under Computer Configuration, Administrative Templates. If the Telnet settings folder is empty, click View on the menu bar and make sure that Show Policies Only is cleared.

Now, you should see a preference called Let users from trusted domains log on through Telnet. This setting isn't a true policy, but a preference, which is why you need to clear Show Policies Only before you can view it. In Group Policy, red icons indicate preferences; blue icons indicate policies. (For an explanation of the difference between policies and preferences, see To prevent users from trusted domains from using Telnet to log on, disable the Let users from trusted domains log on through Telnet preference. All the computers in your domain will configure this setting the next time they apply Group Policy.

In the ts.adm text, the CLASS MACHINE directive tells Windows 2000 to place the registry values that follow the directive under HKEY_LOCAL_MACHINE. The CATEGORY keyword creates a new folder called Telnet settings under Administrative Templates. The POLICY keyword creates a new policy item in that folder. KEYNAME specifies the key path in the registry, and VALUENAME specifies the name of the value to create when the policy is enabled or disabled. Finally, VALUEON and VALUEOFF specify the values for the registry value when you enable or disable the policy, respectively. Unless otherwise specified, Win2K defaults to using REG_DWORD as the value's data type. END POLICY and END CATEGORY close their respective sections. The \[strings\] directive, although unnecessary for this particular .adm file, is required by Win2K.

You can use this method to manage other registry values on computers in your domain. Simply substitute the appropriate registry subkey and value names in ts.adm.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.