A: You can change registry settings on specific servers by defining a custom administrative template (.adm file) and embedding this .adm file in a Group Policy Object (GPO). You then link the GPO to an Active Directory organizational unit that holds the servers you want to change. This method, however, is difficult.
An interesting, and easy, way to set registry settings on different machines is to use the Group Policy Preferences (GPP) extensions that Microsoft provides for Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP. Using GPPs, you can modify the registry, copy files, create mapped drives, add printers, create new user accounts, and more. More detailed information about the capabilities of GPPs is available in the Microsoft white paper "Group Policy Preferences Overview."
To configure GPP settings, use the version of Group Policy Management Console (GPMC) that's included in Server 2008 and in the Remote Server Administration Tools for Vista SP1. The GPP client-side extensions are included out of the box in Server 2008 and can be downloaded from the Microsoft website for Vista, Windows 2003, and XP.
To configure GPPs to create the SpecialGroups registry key on the Research Department's file server (as discussed in the previous Gatekeeper Q&A) and set this key to the SID value of the Server Operators group, do the following:
- Start the Microsoft Management Console (MMC) GPMC snap-in by running gpmc.msc.
- Create a new GPO—for example, on the domain level. Then right-click the newly-created GPO and select Edit. Doing so will open the Group Policy Management Editor.
- In the Computer Configuration section of the Group Policy Management Editor, open the Preferences/Windows Settings/Registry container.
- Right-click the Registry container and select New\Registry Item.
- In the New Registry Properties configuration dialog box, select Create; select the correct registry hive, enter the correct key path; and specify the value name, value type, and value data. Doing so for the SpecialGroups registry key is shown here.
- To restrict which machines the registry change will be applied to, you can "target" the GPP registry change. Select the Common tab in the New Registry Properties configuration dialog box, make sure the Item-level targeting check box is selected, and click Targeting.
- In the Targeting Editor, shown below, you can set targeting restrictions by clicking the New Item menu option. For our example, you could configure a Computer Name restriction for the research department's file server's NetBIOS name. You could also configure an OS restriction and computer role to ensure that the change is made only on member servers running Server 2008.
Creating the SpecialGroups key. Click to expand.
The Targeting Editor. Click to expand.