The said:
Hi,
What technique could I use to deploy a Reg key called 'MyCompany' to all
computers in a specific OU? I also want to control the permission set on
this key to only allow specific Security Groups to have full control.
I'm currently running an AD environment on a Windows 2000, SP3 Server, all
my workstations are Windows 2000 Professional systems running SP3.
Hi,
You can use "pure" Group Policy to push out your own registry
settings (see further down).
But I think would have done it in computer startup script (set with a
GPO).
Computer startup script runs as part of the boot up process
(before the user logs in) and it runs under the system context
and has administrator rights.
SubInACL.exe can be used to set the permissions, a new, bug-fixed
version of SubInACL.exe is available for download here
(Win2k/WinXP/Win2k3):
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b
Then there is a free 3rd party utility that you can use for this:
SETACL (freeware) at
http://setacl.sourceforge.net/
SetACL can set permissions on:
Local or remote directories
Local or remote files
Local or remote printers
Local or remote registry keys
Local or remote Win32 services
Local or remote network shares
Alternatively:
You can push out that registry value with a GPO using a
custom administrative template ("tattooing" the registry on
the clients)...
HOW TO: Create Custom Administrative Templates in Windows 2000
http://support.microsoft.com/?kbid=323639
225087 Writing Custom ADM Files for System Policy Editor
http://support.microsoft.com/?kbid=225087
Implementing Registry-Based Group Policy
go.microsoft.com/fwlink/?LinkId=28188
Implementing Registry-based Policy [Group Policy]
http://msdn.microsoft.com/library/en-us/policy/policy/implementing_registry_based_policy.asp