|
View Full Version : Installing registry hack on multiple PCs ?
What I saw in the demo was truly nice! Without a doubt some wonderful
features in PMSE!
However, there are two reasons I can think of to hack ADM templates:
1) Experience. The more you work with these the better you know how
to extend the functionality of the OS. True it's somewhat involved but
once you know it you can do anything ANYWHERE
2) Cost: I handle many clients (subcontracted LAN admin.) so I don't
have the luxury of purchasing and installing and using PMSE on most of
my client's networks.
I like these types of tools but it's always best to know the OS's
flavor of tools, too, so you're not out in the cold when you don't
hvae the luxury of using these third party ones.
>There's really no reason to ever hack an ADM template again, but I must
>admit I am a little biased.
>
|
Fran,
PolicyMaker Registry Extension is entirely free:
http://www.desktopstandard.com/policymaker/re
Regards,
Eric
wrote in message news:i1ren1tp2n211lmurd37uma94ibflh9r34@4ax.com...
> You can take the expensive way out and buy PolicyMaker from
> DesktopStandard. A more rewarding way might be to understand how to
> create your own admin templates:
>
> http://support.microsoft.com/?kbid=323639
>
> This is for Windows 2000 but the same technique applies to Windows
> 2003. This is a way to extend Group Policy items to include your
> registry hacks.
>
> -Fran-
>
>>We'd like to modify the registry on multiple PCs on our Win2000 domain.
>>
>>What's the easiest way to accomplish this ? Scripting ? Third-party
>>software
>>to push out the .reg file and run it locally ? Group policy ? Resource
>>Kit
>>?
>>
>>Any useful suggestion much appreciated.
>>
|
Thanks, Eric. I didn't know that. I was referring to PolicyMaker.
>PolicyMaker Registry Extension is entirely free:
>
>http://www.desktopstandard.com/policymaker/re
>
>Regards,
>
>Eric
|
Sanur no longer exists. The program is now CPAU.
http://www.joeware.net/win/free/tools/cpau.htm
However, all of these are bad approaches if you're trying to keep your
systems secure. While CPAU allows you to save the script as an
encrypted file and load it (it does work well, by the way) it's not
the right approach for registry hacks on client machines.
I published a link in this thread about creating adm templates.
There's a good article at TechNet about creating administrative
template files and using them to extend group policy items. Worthy
reading!
-Fran-
>If you're prepared to violate basic security principles
>then you can use sanur.exe. It lets you pipe a password
>into the command.
>http://www.commandline.co.uk/sanur/
|
My pleasure Fran. PolicyMaker is a line of products currently consisting of
24 various extensions to Group Policy. You were probably thinking of the
PolicyMaker Standard Edition (PMSE) package of 21 extensions, which includes
the Registry Extension. Even in PMSE, the Registry Extension operates
independently of the others and is completely free. It's actually the same
extension as the single one included in the PolicyMaker Registry Extension
(PMRE) free product.
You probably know all of this, but for those who are looking to solve this
problem...
The security and management model is exactly the same as with ADM
temaplates, but instead of editing templates, you are simply browsing to to
settings, either locally or remotely, can access any registry type and
location, filter each individual setting using any combination of 25
graphical filters, generate and embed variables into values, enable/disable
tatooing, document each setting in the policy, export and import settings
to/from XML using drag and drop, RSoP planning and logging fully supported,
and it's integrated with GPMC backup and restore (and the free GPOVault
change control extension to GPMC).
There's really no reason to ever hack an ADM template again, but I must
admit I am a little biased.
Best,
Eric
wrote in message news:42ufn1hqr2h7ke1fgovvr5ihugeeoji098@4ax.com...
> Thanks, Eric. I didn't know that. I was referring to PolicyMaker.
>
>
>>PolicyMaker Registry Extension is entirely free:
>>
>>http://www.desktopstandard.com/policymaker/re
>>
>>Regards,
>>
>>Eric
|
You can take the expensive way out and buy PolicyMaker from
DesktopStandard. A more rewarding way might be to understand how to
create your own admin templates:
http://support.microsoft.com/?kbid=323639
This is for Windows 2000 but the same technique applies to Windows
2003. This is a way to extend Group Policy items to include your
registry hacks.
-Fran-
>We'd like to modify the registry on multiple PCs on our Win2000 domain.
>
>What's the easiest way to accomplish this ? Scripting ? Third-party software
>to push out the .reg file and run it locally ? Group policy ? Resource Kit
>?
>
>Any useful suggestion much appreciated.
>
|
We'd like to modify the registry on multiple PCs on our Win2000 domain.
What's the easiest way to accomplish this ? Scripting ? Third-party software
to push out the .reg file and run it locally ? Group policy ? Resource Kit
?
Any useful suggestion much appreciated.
|
"John" wrote in message
news:CmN7f.7992$tl5.7288@trnddc02...
> We'd like to modify the registry on multiple PCs on our Win2000 domain.
>
> What's the easiest way to accomplish this ? Scripting ? Third-party
software
> to push out the .reg file and run it locally ? Group policy ? Resource
Kit
> ?
>
> Any useful suggestion much appreciated.
>
>
The simplest way would be to include this command in
your netlogon batch file:
regedit /s \\YourServer\netlogon\sample.reg
You may need to check your permissions.
|
From: "John"
| We'd like to modify the registry on multiple PCs on our Win2000 domain.
|
| What's the easiest way to accomplish this ? Scripting ? Third-party software
| to push out the .reg file and run it locally ? Group policy ? Resource Kit
| ?
|
| Any useful suggestion much appreciated.
|
Via the login script such as...
regedit /s fixRegistry.reg
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
You mean using a logon script ?
"Pegasus (MVP)" wrote in message
news:OZsqHOk2FHA.2604@TK2MSFTNGP12.phx.gbl...
>
> The simplest way would be to include this command in
> your netlogon batch file:
>
> regedit /s \\YourServer\netlogon\sample.reg
>
> You may need to check your permissions.
>
>
|
Yes.
"John" wrote in message
news:lxN7f.7994$tl5.1955@trnddc02...
> You mean using a logon script ?
>
> "Pegasus (MVP)" wrote in message
> news:OZsqHOk2FHA.2604@TK2MSFTNGP12.phx.gbl...
> >
> > The simplest way would be to include this command in
> > your netlogon batch file:
> >
> > regedit /s \\YourServer\netlogon\sample.reg
> >
> > You may need to check your permissions.
> >
> >
>
>
|
I created the login script, associated it with the user, logged on as the user, but then immediately got the following error: *Registry Editor* Cannot import disablePST.reg : not all data was succesfully written to the registry. Some keys are open by the system or other processes. ----------- Needless to say the desired change did not take effect. Since the user had no local admin rights, could that be the cause ? If that's what it is, I don't see how it will work for the regular domain users. "David H. Lipman" wrote in message
news:uCp$%23Pk2FHA.3912@TK2MSFTNGP15.phx.gbl...
> From: "John"
>
> | We'd like to modify the registry on multiple PCs on our Win2000 domain.
> |
> | What's the easiest way to accomplish this ? Scripting ? Third-party
software
> | to push out the .reg file and run it locally ? Group policy ? Resource
Kit
> | ?
> |
> | Any useful suggestion much appreciated.
> |
>
> Via the login script such as...
>
> regedit /s fixRegistry.reg
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
|
From: "John"
| I created the login script, associated it with the user, logged on as the
| user, but then immediately got the following error:
|
| *Registry Editor*
|
| Cannot import disablePST.reg : not all data was succesfully written to the
| registry. Some keys are open by the system or other processes.
|
| -----------
|
| Needless to say the desired change did not take effect. Since the user had
| no local admin rights, could that be the cause ? If that's what it is, I
| don't see how it will work for the regular domain users.
Have you tried...
RUNAS [/profile] [/env] [/netonly] /user: regedit /s fixRegistry.reg
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/windows_security_runas_shortcut.htm
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
I mentioned in my first reply that you may have to check if your users have sufficient access rights to make the change. If this is not the case then you can implement the change as an administrator from your own workstation, using psexec.exe (www.sysinternals.com). "John" wrote in message
news:V5U7f.25900$i31.673@trnddc08...
> I created the login script, associated it with the user, logged on as the
> user, but then immediately got the following error:
>
> *Registry Editor*
>
> Cannot import disablePST.reg : not all data was succesfully written to the
> registry. Some keys are open by the system or other processes.
>
> -----------
>
> Needless to say the desired change did not take effect. Since the user had
> no local admin rights, could that be the cause ? If that's what it is, I
> don't see how it will work for the regular domain users.
>
>
>
>
> "David H. Lipman" wrote in message
> news:uCp$%23Pk2FHA.3912@TK2MSFTNGP15.phx.gbl...
> > From: "John"
> >
> > | We'd like to modify the registry on multiple PCs on our Win2000
domain.
> > |
> > | What's the easiest way to accomplish this ? Scripting ? Third-party
> software
> > | to push out the .reg file and run it locally ? Group policy ?
Resource
> Kit
> > | ?
> > |
> > | Any useful suggestion much appreciated.
> > |
> >
> > Via the login script such as...
> >
> > regedit /s fixRegistry.reg
> >
> >
> > --
> > Dave
> > http://www.claymania.com/removal-trojan-adware.html
> > http://www.ik-cs.com/got-a-virus.htm
> >
> >
>
>
|
I modified the script to use RUNAS. Now the only problem is that it prompts for the admin password in the command line window. This, of course, defeats the purpose, because the user doesn't know the admin password, and therefore the script won't run. Otherwise, the script runs fine when I provide the correct password. "David H. Lipman" wrote in message
news:OMWjKdo2FHA.892@TK2MSFTNGP10.phx.gbl...
> From: "John"
>
> | I created the login script, associated it with the user, logged on as
the
> | user, but then immediately got the following error:
> |
> | *Registry Editor*
> |
> | Cannot import disablePST.reg : not all data was succesfully written to
the
> | registry. Some keys are open by the system or other processes.
> |
> | -----------
> |
> | Needless to say the desired change did not take effect. Since the user
had
> | no local admin rights, could that be the cause ? If that's what it is,
I
> | don't see how it will work for the regular domain users.
>
> Have you tried...
>
> RUNAS [/profile] [/env] [/netonly] /user: regedit /s
fixRegistry.reg
>
>
>
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/windows_security_runas_shortcut.htm
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
|
From: "John"
| I modified the script to use RUNAS. Now the only problem is that it prompts
| for the admin password in the command line window.
|
| This, of course, defeats the purpose, because the user doesn't know the
| admin password, and therefore the script won't run.
|
| Otherwise, the script runs fine when I provide the correct password.
|
I was afraid of that !
Sorry, I am out of ideas. :-(
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
If you're prepared to violate basic security principles then you can use sanur.exe. It lets you pipe a password into the command. http://www.commandline.co.uk/sanur/ "John" wrote in message
news:7l88f.26421$i31.22850@trnddc08...
> I modified the script to use RUNAS. Now the only problem is that it
prompts
> for the admin password in the command line window.
>
> This, of course, defeats the purpose, because the user doesn't know the
> admin password, and therefore the script won't run.
>
> Otherwise, the script runs fine when I provide the correct password.
>
>
> "David H. Lipman" wrote in message
> news:OMWjKdo2FHA.892@TK2MSFTNGP10.phx.gbl...
> > From: "John"
> >
> > | I created the login script, associated it with the user, logged on as
> the
> > | user, but then immediately got the following error:
> > |
> > | *Registry Editor*
> > |
> > | Cannot import disablePST.reg : not all data was succesfully written to
> the
> > | registry. Some keys are open by the system or other processes.
> > |
> > | -----------
> > |
> > | Needless to say the desired change did not take effect. Since the user
> had
> > | no local admin rights, could that be the cause ? If that's what it is,
> I
> > | don't see how it will work for the regular domain users.
> >
> > Have you tried...
> >
> > RUNAS [/profile] [/env] [/netonly] /user: regedit /s
> fixRegistry.reg
> >
> >
> >
>
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/windows_security_runas_shortcut.htm
> >
> > --
> > Dave
> > http://www.claymania.com/removal-trojan-adware.html
> > http://www.ik-cs.com/got-a-virus.htm
> >
> >
>
>
|
On Wed, 26 Oct 2005 15:34:58 GMT, "John" wrote:
>We'd like to modify the registry on multiple PCs on our Win2000 domain.
>
>What's the easiest way to accomplish this ? Scripting ? Third-party software
>to push out the .reg file and run it locally ? Group policy ? Resource Kit
>?
>
>Any useful suggestion much appreciated.
>
See tip 9808 » PolicyMaker™ Registry Extension freeware.
in the 'Tips & Tricks' at http://www.jsifaq.com
or see tip 9091 » LSRunAsE is a donationware RunAs utility with an encrypted password.
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
|
harrykrishna.nospam@online.ie "John" wrote:
>We'd like to modify the registry on multiple PCs on our Win2000 domain.
>
>What's the easiest way to accomplish this ? Scripting ? Third-party software
>to push out the .reg file and run it locally ? Group policy ? Resource Kit
>?
>
>Any useful suggestion much appreciated.
>
An alternative to a logon script would be to place the command in a
Group Policy startup script.
Startup scripts usually have more rights to certain HKLM registry keys
as they run under the system account.
HTH
Ha®®y
HarryKrishna.nospam@online.ie
|
|
|
|