Import Settings GPO

[tylan]

Is there any way to import settings into a GPO? I am attemping to use the the following setting: User\Administrative Templates\System\Run Only Allowed Applications. This allows you to create a list of allowed EXEs. I have all 100+ allowed EXEs in a text file. Is there any way to import this, or do I have to do it all by hand?

 

[porkchopexpress]

You might be able to put them directly into the system.adm file or better your own custom ADM file, look for a section called DisallowAppsList. I'm just guessing as i've not done that myself but you could 'try it on a test box' it should work.

You will find it in the C:\WINDOWS\inf directory.

This FAQ will give you some info on creating a custom ADM
faq329-6116

 

[markdmac]

You will not be able to do this the way you are thinking.

I'll digress for you for a second.

Here is the code for a specific ADM file for the setting you have requested.

CLASS USER

CATEGORY !!AdministrativeServices

POLICY !!DisallowApps
		KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
		
		EXPLAIN !!DisallowApps_Help
		VALUENAME "DisallowRun"

		PART !!DisallowAppsList LISTBOX
			KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
			VALUEPREFIX ""
		END PART

	END POLICY
END CATEGORY  ;AdministrativeServices



[strings]
AdministrativeServices="Administrative Services (Custom)"
DisallowApps="Do Not Allow THe Following Applications to Execute"
DisallowApps_Help="Prevents Windows from running the programs you specify in this setting.\n\nIf you enable this setting, users 

cannot run programs that you add to the list of disallowed applications.\n\nThis setting only prevents users from running 

programs that are started by the Windows Explorer process. It does not prevent users from running programs, such as Task 

Manager, that are started by the system process or by other processes. Also, if you permit users to gain access to the command 

prompt, Cmd.exe, this setting does not prevent them from starting programs in the command window that they are not permitted to 

start by using Windows Explorer. Note: To create a list of disallowed applications, click Show, click Add, and then enter the 

application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe)."
DisallowApps_Tip1="   "
DisallowApps_Tip2="To create a list of disallowed applications, click Show,"
DisallowApps_Tip3="then Add, and enter the application executable name"
DisallowApps_Tip4="(e.g., Winword.exe, Poledit.exe, Powerpnt.exe)."
DisallowApps="Don't run specified Windows applications"
DisallowAp

Take a loot at that and you will see that what htis does is write to the registry to :
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"

Please note that the LISTBOX is the only GPO setting to support multiple registry entry writes, it uses the REG_SZ. The PREFIX " " tells the policy to number the entries using the naming convention of 1, 2, 3, 4 etc.

So unfortunately there isn't a way within an Administrative template for you to do this.

Instead what you can do is create a list and put it on a share accessible to all your users for read only access. You can then write a VBScript that can read that file and write this data back to the users registry at login.

My suggestion to best optimize performance would be to start that file with a version number and check that against the registry for a corresponding value that you will right. If the version on the PC is the same as the file, then don't bother to re-import the values. If the value is less than the current version of the file, then import it.


I hope you find this post helpful.

Regards,

Mark

 

[tylan]

You have all gave me good ideas. However, I've found a simple script that gets the job done.

http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Number=153176&an=0&page=0#153176