How do I add/edit a registry key using group policy?

Thread starter: jas0n
We have a situation with regards to Active Directory where our large
number of groups is stopping various tasks with various errors such as
'cannot complete task out of storage space'. Things like adding a domain
group or user to a workstation get this error, for example.

It's been tracked down to the following registry key, where I've added the
DWord 'MaxTokenSize' and a value of 100000 whereas the default is 12000.
This has solved the problems on machines it has been applied to, so we
want to distribute this to all across the domain.

The "MaxPacketSize" dword already existed; it's only the "MaxTokenSize" I
want to affect ... if it already exists, edit it to 100000, or create
it and set it at 100000 if it doesn't exist.

How/Can I do this with group policy?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001
"MaxTokenSize"=dword:00100000
 
Why not just export the correct settings (as you have probably done at the end of
your post) and then use the reg command to import it?
You can do this in a script that you then distribute via a GPO.

Regards,
/Jimmy
 
jas0n said:
We have a situation with regards to Active Directory where our large
number of groups is stopping various tasks with various errors such as
'cannot complete task out of storage space'. Things like adding a domain
group or user to a workstation get this error, for example.

It's been tracked down to the following registry key, where I've added the
DWord 'MaxTokenSize' and a value of 100000 whereas the default is 12000.
This has solved the problems on machines it has been applied to, so we
want to distribute this to all across the domain.

The "MaxPacketSize" dword already existed; it's only the "MaxTokenSize" I
want to affect ... if it already exists, edit it to 100000, or create
it and set it at 100000 if it doesn't exist.

How/Can I do this with group policy?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]

"MaxPacketSize"=dword:00000001
"MaxTokenSize"=dword:00100000

Looking around, a StartUp script seems to be one way of doing it, so do I
put the following into a MaxTokenSize.reg file:-

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]

"MaxTokenSize"=dword:00100000

.... and then call it from a StartUp script? What's the syntax for calling
a reg file? I saw one mention of:-

regedit -s \\server\scripts\maxtokensize.reg

is this right?
 
Regedit /s, you can also use the reg command. reg /? for info.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------


jas0n said:
jas0n said:
We have a situation with regards to Active Directory where our large
number of groups is stopping various tasks with various errors such as
'cannot complete task out of storage space'. Things like adding a domain
group or user to a workstation get this error, for example.

It's been tracked down to the following registry key, where I've added the
DWord 'MaxTokenSize' and a value of 100000 whereas the default is 12000.
This has solved the problems on machines it has been applied to, so we
want to distribute this to all across the domain.

The "MaxPacketSize" dword already existed; it's only the "MaxTokenSize" I
want to affect ... if it already exists, edit it to 100000, or create it
and set it at 100000 if it doesn't exist.

How/Can I do this with group policy?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001
"MaxTokenSize"=dword:00100000

Looking around, a StartUp script seems to be one way of doing it, so do I
put the following into a MaxTokenSize.reg file:-

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]

"MaxTokenSize"=dword:00100000

... and then call it from a StartUp script? What's the syntax for calling a
reg file? I saw one mention of:-

regedit -s \\server\scripts\maxtokensize.reg

is this right?
 
Jimmy said:
Why not just export the correct settings (as you have probably done at the end of
your post) and then use the reg command to import it?
You can do this in a script that you then distribute via a GPO.

Regards,
/Jimmy

Yes, I exported it that way ....

A startup script seems the way, as it runs with high enough security to
change the HKLM, whereas a logon script wouldn't.

Would I use the command:-

reg import \\server\files\regchange.reg

If that's it, what is the startup script saved as? I've never used them;
are they .wsh files or can it just be a .bat or .cmd?

How could I add a command so it only actions it if the key doesn't exist?
 
You can create a GPO containing the key and send it down to all PCs on the
domain.
Click edit on a policy and go to Computer Configuration - Windows Settings -
Security Settings and right-click Registry. You can then add the registry
key from your current PC.
Then send this down to a test OU and, if that works, the domain.
 
Stephen Lawlor said:
You can create a GPO containing the key and send it down to all PCs on the
domain.
Click edit on a policy and go to Computer Configuration - Windows Settings -
Security Settings and right-click Registry. You can then add the registry
key from your current PC.
Then send this down to a test OU and, if that works, the domain.

jas0n said:
Jimmy Andersson [MVP] wrote:
Why not just export the correct settings (as you have probably done at the end
of your post) and then use the reg command to import it?
You can do this in a script that you then distribute via a GPO.

Regards,
/Jimmy

Yes, I exported it that way ....

A startup script seems the way, as it runs with high enough security to
change the HKLM, whereas a logon script wouldn't.

Would I use the command:-

reg import \\server\files\regchange.reg

If that's it, what is the startup script saved as? I've never used them; are
they .wsh files or can it just be a .bat or .cmd?

How could I add a command so it only actions it if the key doesn't exist?

Hi,

Just to add another to the mix, you can do it as a VBScript Startup
Script. I do it all the time to edit my machine registries. Then
schedule restarts with shutdown.exe command. Test first as I don’t
usually use the DWORD and may have the settings off.

Dim Path, ws, v
Path = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\"
Set ws = WScript.CreateObject("WScript.Shell")

' RegWrite creates the value if it is missing and overwrites it if it exists.
' For REG_DWORD the string is converted to a decimal integer, so "00100000"
' is written as 100000 decimal (the .reg export above uses hex: dword:00100000 = 1048576).
ws.RegWrite Path & "MaxPacketSize", "00000001", "REG_DWORD"
v = ws.RegRead(Path & "MaxPacketSize")   ' read back to verify the write

ws.RegWrite Path & "MaxTokenSize", "00100000", "REG_DWORD"
v = ws.RegRead(Path & "MaxTokenSize")    ' read back to verify the write

Set ws = Nothing

Cheers,

Lara
 
If the users are not Admins will they be able to run the login script for
items under HKLM??

This is probably best set via machine group policies.
 
You can create a GPO containing the key and send it down to all PCs on the
domain.
Click edit on a policy and go to Computer Configuration - Windows Settings -
Security Settings and right-click Registry. You can then add the registry
key from your current PC.
Then send this down to a test OU and, if that works, the domain.

I tested this as it would be the ideal way for me, but it does not appear
to create the key ...

I created a policy on my test domain on an OU, did as you said ... on
checking the test workstation I confirmed it had received the policy
with gpresult, but it didn't create the key.

It said security settings had been received via this method - I take it
this only allows security settings and not creating a key?
 
If the users are not Admins will they be able to run the login script
for items under HKLM??

I do it in STARTUP scripts, not logon scripts. Therefore all the
permissions needed are SYSTEM=Full Control, which is the standard
default permission, as startup scripts run under the machine account,
not the user account.

Cheers,

Lara
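Pulling the thread's pieces together, the following is an added example (not posted by anyone in the thread) of a computer Startup Script in plain .cmd form, which answers jas0n's three open questions: it is a .cmd file attached under Computer Configuration - Windows Settings - Scripts (Startup/Shutdown) - Startup, so it runs as SYSTEM and can write HKLM; it uses reg query / reg add rather than importing a .reg file; and it only writes when MaxTokenSize is missing or differs from the wanted value, so repeated runs at every boot are harmless. The Security Settings - Registry node that did not create the key in jas0n's test sets permissions and auditing on existing keys, which is why a script (or a .reg import) is needed for the value itself. The value 0x100000 is the one from the .reg export in the thread (regedit exports DWORDs in hex); the file name and echo messages are the example's own.

```batch
@echo off
setlocal
rem Constructed example startup script (MaxTokenSize.cmd), not from the thread.
rem Runs as SYSTEM when deployed as a GPO computer Startup Script, so HKLM is writable.

set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
set "NAME=MaxTokenSize"
rem Wanted value, as exported in the thread's .reg file (hex): dword:00100000
set "WANT=0x100000"
set "CUR="

rem Read the current value, if any. "reg query" prints a line such as
rem     MaxTokenSize    REG_DWORD    0x100000
rem so the third whitespace-separated token is the current value. A missing
rem value makes reg query fail; its error output is discarded and CUR stays empty.
for /f "tokens=3" %%v in ('reg query "%KEY%" /v %NAME% 2^>nul ^| find /i "%NAME%"') do set "CUR=%%v"

if /i "%CUR%"=="%WANT%" (
    echo %NAME% is already %WANT%, nothing to do.
    exit /b 0
)

rem reg add creates the value if absent and updates it if present; /f suppresses the
rem overwrite prompt, which would otherwise hang an unattended startup script.
reg add "%KEY%" /v %NAME% /t REG_DWORD /d %WANT% /f >nul
if errorlevel 1 (
    echo Failed to set %NAME% ^(reg add returned %errorlevel%^).
    exit /b 1
)
echo %NAME% set to %WANT% ^(previous value: "%CUR%"^).
exit /b 0
```

Save the file as MaxTokenSize.cmd and add it through the GPO editor's Startup script dialog; the editor copies it into the GPO's Machine\Scripts\Startup folder in SYSVOL, so it is read from a path the machine account can reach. Because the script compares before writing, it can stay linked permanently without rewriting the value at each boot, and a stray echo in the startup-script log will show whether the write actually happened on the machines that still report the token error.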
 