Wednesday, July 1, 2009

Group Policy and the Registry

Interesting - this job really keeps you on your toes. I thought GPOs weren't applying correctly; it turns out I had the wrong definition of 'correctly'. I changed this:

Policies\Administrative Templates: Policy Definitions\Windows Components\Terminal Services\Remote Desktop Connection Client\Do not allow LPT port redirection

and expected that policy to set this:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fDisableLPT

But it didn't. It changed this:


which disagreed with the first one. Very confusing. I also noticed that the only GPOs not taking effect were the ones under Policies\Administrative Templates. But, according to page 524 of the GPO guide (which a very smart client admin friend of mine pointed me towards), all registry-based Group Policy settings are written under only two registry paths:


And the values under those paths are POLICIES, which take priority over PREFERENCES. A preference is the value a component keeps in its own key (the Terminal Server key above, for example); it is what you get when a user or an admin changes the setting directly on the machine. When a policy copy of the same value exists, the component reads that copy instead of its own.

The sum of all this is that a GPO takes effect by writing a second copy of the value under the policy path, and that copy, not the one in the component's own key, is the setting actually enforced on the machine. So looking at the 'normal' registry location is the wrong test for whether a policy applied; look under the policy path, or ask gpresult.
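To make the policy-versus-preference split concrete, here is an added PowerShell check (my example, not code from the original post) that reads both copies of fDisableLPT and reports which one the component will honour. The policy path it uses, HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, is the standard Policies-hive location for the Terminal Services settings and is my assumption here, since the post leaves that path blank above; the preference path is the one quoted in the post.

```powershell
# Added example (not from the original post): show which copy of a
# registry-based Group Policy setting actually wins on this machine.
# Assumption: the policy copy lives under the standard Policies-hive
# path for Terminal Services. The post itself leaves that path blank.

$PreferencePath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolicyPath     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'   # assumed
$ValueName      = 'fDisableLPT'

function Get-RegistryDword {
    # Returns the value, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Resolve-EffectiveSetting {
    # A component honours the Policies copy when one exists and falls back
    # to its own (preference) key otherwise. Report both and the winner.
    param([string]$PolicyPath, [string]$PreferencePath, [string]$Name)
    $pol  = Get-RegistryDword -Path $PolicyPath     -Name $Name
    $pref = Get-RegistryDword -Path $PreferencePath -Name $Name
    New-Object PSObject -Property @{
        Name       = $Name
        Policy     = $pol
        Preference = $pref
        Effective  = $(if ($pol -ne $null) { $pol } else { $pref })
        Source     = $(if ($pol -ne $null) { 'Policy' }
                       elseif ($pref -ne $null) { 'Preference' }
                       else { 'Not set' })
    }
}

$r = Resolve-EffectiveSetting -PolicyPath $PolicyPath -PreferencePath $PreferencePath -Name $ValueName
$r | Format-List Name, Policy, Preference, Effective, Source

# The confusing case from the post: both copies exist and disagree.
if ($r.Policy -ne $null -and $r.Preference -ne $null -and $r.Policy -ne $r.Preference) {
    Write-Warning "Policy ($($r.Policy)) and preference ($($r.Preference)) disagree; the policy copy is what is enforced."
}
```

Run it in an elevated prompt on the target box after a `gpupdate /force`. If Source comes back as Policy, the GPO applied even though the Terminal Server key under CurrentControlSet still shows the old value; if it comes back as Preference or Not set, confirm with `gpresult /r` that the GPO was actually processed for the computer.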

Additional important notes:
1. GPResult and gpotool are handy tools, and both work on 2008. GPResult ships with Windows; gpotool comes with the 2003 resource kit.
2. If you open the Local Group Policy Editor MMC snap-in (gpedit.msc), you will find that your domain GPOs are not represented there. The editor does not dig into the machine to show what is currently in effect; it edits only the local GPO, which is just one more mask layered onto the computer. To see the resultant set of policy, use gpresult or the RSoP snap-in (rsop.msc) instead. Interesting, eh?