0

I have two groups of computers (regular and hardened) and two groups of users (regular and administrators), and I need to have different registry settings for each combination (mostly Windows policy settings).

Using HKEY_LOCAL_MACHINE won't work, because for each machine different users need different settings.

Using HKEY_USERS won't work, because for each user, different machines need different settings.

Any ideas how to work around this?

Ophir Yoktan

2 Answers

4

Sounds like you would be able to accomplish this by just using Group Policies. If you need to change specific registry values that aren't already controlled by the Group Policy editor, perhaps you can simply create .reg files with the values you require and apply them using logon scripts.

Lemb
  • Could you explain how? As far as I know, Group Policies also apply either to computers or to users - and not combinations of those. – Ophir Yoktan Mar 17 '11 at 21:27
  • 4
    They apply to both, or either, and you can link more than one policy to any OU. You can use Loopback Policy Processing to apply computer-based user settings to do this easily: http://technet.microsoft.com/en-us/library/cc757470(WS.10).aspx – TristanK Mar 17 '11 at 21:51
  • We're operating under the assumption that you have a domain controller and these users and computers are all members of this domain. By using the Group Policy Management snap-in, you'll be able to create multiple Group Policies and apply them to specific OUs and groups. TechNet article on Group Policy - http://technet.microsoft.com/en-us/library/cc754948%28WS.10%29.aspx – Lemb Mar 17 '11 at 22:04
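
One way to script the approach described in the comments above (loopback processing on the computer OUs, with user-side GPOs security-filtered per user group) using the GroupPolicy PowerShell module; this is an added example, not code from any poster in this thread. The domain, OU names, group names and the registry key and value are placeholders, and it assumes the regular and hardened computers sit in separate OUs.

```powershell
# Added example. Domain, OUs, groups and the registry key/value are placeholders.
# Run with rights to create and link GPOs, on a host with the GroupPolicy module.
Import-Module GroupPolicy

$domainDn  = 'DC=example,DC=com'
$policyKey = 'HKCU\Software\Policies\ExampleVendor\ExampleApp'  # hypothetical key
$valueName = 'ExampleSetting'                                   # hypothetical value

# One row per computer-group x user-group combination from the question.
$matrix = @(
    [pscustomobject]@{ Ou = 'Regular Computers';  Group = 'Regular Staff'; Value = 0 }
    [pscustomobject]@{ Ou = 'Regular Computers';  Group = 'Admin Staff';   Value = 1 }
    [pscustomobject]@{ Ou = 'Hardened Computers'; Group = 'Regular Staff'; Value = 2 }
    [pscustomobject]@{ Ou = 'Hardened Computers'; Group = 'Admin Staff';   Value = 3 }
)

# Step 1: enable loopback on each computer OU. UserPolicyMode 1 = Merge, 2 = Replace.
# With loopback on, the *user* half of GPOs linked to the computer's OU is applied
# to whoever logs on to that computer.
foreach ($ou in ($matrix.Ou | Sort-Object -Unique)) {
    $name = "Loopback - $ou"
    New-GPO -Name $name | Out-Null
    Set-GPRegistryValue -Name $name `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
    New-GPLink -Name $name -Target "OU=$ou,$domainDn" -LinkEnabled Yes | Out-Null
}

# Step 2: one user-side GPO per combination, linked to the computer OU and
# security-filtered to the user group.
foreach ($row in $matrix) {
    $name = "User settings - $($row.Group) on $($row.Ou)"
    New-GPO -Name $name | Out-Null
    Set-GPRegistryValue -Name $name -Key $policyKey -ValueName $valueName `
        -Type DWord -Value $row.Value | Out-Null

    # Downgrade Authenticated Users from Apply to Read instead of removing it:
    # the computer account must still be able to read the GPO for user policy
    # to process, but only the named group gets the settings applied.
    Set-GPPermission -Name $name -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $name -TargetName $row.Group `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    New-GPLink -Name $name -Target "OU=$($row.Ou),$domainDn" -LinkEnabled Yes | Out-Null
}
```

Running `gpresult /r` as a test user on a machine from each OU shows which of the four user-side GPOs was applied and which were filtered out.
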
2

If you need a specific user registry setting to be applied when a user logs into a machine, then you can set up a GPO to write the registry setting by creating it in the user portion of a GPO and assigning the security of that GPO to apply to those users.

Then create a WMI filter to filter the GPO to those users based on a WMI query that returns the fact that a computer is a member of a specific group or some other aspect of the server that would put it in the specific category of machine you are trying to enforce.

After that, apply the WMI filter to the GPO and that user-based GPO will only apply to that user if the WMI filter, which pulls info from the machine, returns true.

BoxerBucks