Using GPOs to Set Custom Registry Entries (great for Virtual Desktops) Example: Disabling the Machine Password Changes

Posted by Ron Oglesby on May 17, 2011

I have been on a bit of a crusade lately against registry hacks in Virtual Desktop “gold images”. My problems with reg hacks are documented pretty well here, so let’s not rehash them. Instead I wanted to show a quick and easy way to add “custom” registry changes using Windows 2008 Group Policy Preferences.

A Group Policy Preference is managed and set in the Group Policy Object. Lots of info on it can be found at Microsoft here. The key thing to know is that preferences offer a simple way to add or modify registry entries without creating custom ADM/ADMX templates, as you would have to with a typical policy.

The first step is to fire up the Group Policy Management Console and edit an existing policy, or create a new one, that will apply to the targeted desktops:

[Screenshot: Group Policy Management]

Next browse to Computer Configuration (assuming this is an HKEY_LOCAL_MACHINE entry), Preferences, Windows Settings, Registry. Right-click and select New Registry Item.

[Screenshot: Group Policy Management Editor]

Now you can add or edit the key you want to change. Here I will use the setting to disable Machine Account Password changes (often used in non-persistent desktop environments). I use the Key Path browse button to find the entry.

[Screenshot: Registry Item Browser]

I then set it to the desired value (in this case a DWORD value of 00000001) to disable password changes, and I ensure the action is set to “Update”, since this key already exists on all Windows systems.

[Screenshot: New Registry Properties]

One thing you should take note of is the Action type at the top of the screen. This dictates what happens when the preference is applied:

  • Create
    • Create the object (reg entry, drive mapping, etc.)
    • Will do nothing if the entry/object already exists
  • Replace
    • Delete the existing setting (if it exists) and create a new object
  • Update
    • Modify an existing object/registry entry (used in this example)
    • Will create the object/entry if it does not exist
  • Delete
    • Delete the entry

And that’s it! You can use this to simply (and I mean VERY VERY SIMPLY) add or modify registry entries on your VDI desktops. Apply the policy to the machines and, at the very latest, the entries will be applied at the next reboot.

If you wish to test the policy application, log in to the desktop, run a CMD prompt as administrator, and force a policy update by running GPUPDATE /FORCE. This applies the GPO immediately, and you can then check whether your new registry entries have made it to the targeted machine.
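The same preference built from the command line instead of the GPMC GUI, as an added example that is not from the original post: it uses the GroupPolicy PowerShell module (Set-GPPrefRegistryValue with Action Update, matching the GUI item above), links the GPO only to the OU holding the non-persistent desktops, and reads the live value back on a client after GPUPDATE /FORCE. The GPO name and OU path are placeholders, and the key path and value name (Netlogon's DisablePasswordChange) are supplied here from knowledge of Windows, not taken from the post.

```powershell
# Added example, not the original post's code. Requires the GroupPolicy module
# (RSAT / a domain controller) and rights to create and link GPOs.
Import-Module GroupPolicy

$gpoName  = 'VDI - Disable Machine Password Change'    # placeholder GPO name
$targetOu = 'OU=NonPersistentVDI,DC=example,DC=com'    # placeholder OU

# Netlogon value the post configures (assumed key/value name, REG_DWORD = 1).
$key       = 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName = 'DisablePasswordChange'

# Create the GPO only if it does not already exist.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Computer Configuration > Preferences > Windows Settings > Registry.
# Action Update: modify the value if present, create it if missing.
Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Update `
    -Key $key -ValueName $valueName -Type DWord -Value 1 | Out-Null

# Scope the GPO to the non-persistent desktop OU only, so persistent machines
# keep their normal machine account password rotation.
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Read the preference back from the GPO to confirm what will be delivered.
Get-GPPrefRegistryValue -Name $gpoName -Context Computer `
    -Key $key -ValueName $valueName |
    Select-Object Action, ValueName, Type, Value

# --- On a target desktop (elevated), after running: gpupdate /force ---
$livePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$live = Get-ItemProperty -Path $livePath -Name $valueName -ErrorAction SilentlyContinue
if ($live.$valueName -eq 1) {
    "$valueName = 1: preference applied"
} else {
    "$valueName not set yet: check GPO scope with gpresult /r or wait for the next refresh"
}
```

The last section is meant to be run on the VDI desktop itself; everything above it runs from a management host with the GroupPolicy module.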
