Discussion:
Group Policy Extensions Processing
Michael Waterman
2003-12-22 00:43:06 UTC
Hello,

A question about the Group Policy Client extension processing:

In Microsoft support article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;216358

It is stated that the registry entries:

Value: NoMachinePolicy
Purpose: Determines whether or not the client extension will process a
group policy when a machine policy is being applied.

Value: NoUserPolicy
Purpose: Determines whether or not the client extension will process a
group policy when a user policy is being applied.

When I apply both these values to the keys found in the registry
location:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{GUID}

It works for all the other client extensions except for the Component:
Registry Settings = {35378EAC-683F-11D2-A89A-00C04FBBCFA2}

I want to use this to stop the group policy processing during an
unattended installation (Auto admin login etc. etc.) (See my previous
post). Is there any way of doing this?

Thanks for all that respond

Regards,
Michael Waterman
Eric Voskuil
2003-12-24 00:47:27 UTC
Michael,

The registry policy extension doesn't follow the rules of CSE registration.
Notice there is also no DllName value for this item - a requirement for
CSEs. Actually you can delete its registration altogether and it will still
process policy.

You can probably create a policy-blocking OU at the level that contains the
new PCs, as long as you don't have any enforced GPOs above it.

Regards,

Eric Voskuil
Policy Maker
http://www.autoprof.com/policy
Eric Voskuil
2003-12-24 05:00:35 UTC
Michael,

After reading your previous thread, it appears that you really want to do
this at the client, but only really want to block one setting. You might
try explicitly setting the affected policy registry key to deny write access
to SYSTEM, and then restore permissions when you are done.

Regards,

Eric Voskuil
Policy Maker
http://www.autoprof.com/policy
Michael Waterman
2003-12-25 12:52:49 UTC
Hi Eric,

Yes, you are completely right about this subject. I want to try and do
this at the client side during the installation. After days and days
of experimenting (I now love MS Virtual PC :-) and searching the MSDN
site I discovered that the following (very simple) trick works:

During the installation you can use a cmdlines.txt where you specify a
command that can alter the registry:

Just add the following keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Software Installation"
"NoMachinePolicy"=dword:00000001

(This blocks group policy software deployment)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"NoMachinePolicy"=dword:00000001

This way we can stop the logon banner and the rename of the local admin
account (This is what we use to autologon)... And it works perfectly:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\WinLogon]
"SyncForeGroundPolicy"=dword:00000001

(This is for XP only and makes sure that the policy is processed after
the NoMachinePolicy keys are removed)

When the unattended setup is finished you can remove the above keys
and force a reboot. Windows XP will process the SyncForeGroundPolicy
once more and apply the policy.

I've tested it on Windows 2000 and XP and it works the same on both.

Thanks for your time

PS: Eric, your name sounds very familiar. Did you ever do some business
with AtosOrigin?

Regards,
Michael Waterman
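
Added example, not part of the original thread: a Python check that reads a registry export of the GPExtensions key and lists every extension that still has NoMachinePolicy or NoUserPolicy set, which is what should come back empty once the unattended setup has removed the keys. The sample export and the DllName data are constructed; the third field reports whether DllName is present, since the thread notes the Registry Settings extension has none and does not follow CSE registration.

```python
import re
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions"
FLAGS = ("nomachinepolicy", "nouserpolicy")
# Constructed sample in .reg text form; the DllName data is a placeholder.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "[" + BASE + r"\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]",
    '@="Software Installation"',
    '"DllName"="placeholder.dll"',
    '"NoMachinePolicy"=dword:00000001',
    "[" + BASE + r"\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]",
    '"DllName"="placeholder.dll"',
    '"NoMachinePolicy"=dword:00000000',
    "[" + BASE + r"\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]",
    '@="Registry Settings"',
    '"NoUserPolicy"=dword:00000001',
])

def parse_reg(text):
    """Return {key_path: {lowercased_value_name: raw_data}} from .reg text."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        section = re.fullmatch(r"\[(.+)\]", line)
        value = re.fullmatch(r'(@|"[^"]+")=(.*)', line)
        if section:
            current = keys.setdefault(section.group(1), {})
        elif value and current is not None:
            # Registry value names are case-insensitive, so normalise them.
            current[value.group(1).strip('"').lower()] = value.group(2)
    return keys

def is_set(raw):
    """True when raw is a non-zero 'dword:xxxxxxxx' value."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw or "")
    return bool(m) and int(m.group(1), 16) != 0

def audit(text):
    """List (GUID, flags set, has DllName) for extensions with a flag set."""
    findings = []
    for path, values in parse_reg(text).items():
        flags = [f for f in FLAGS if is_set(values.get(f))]
        if flags and path.upper().startswith(BASE.upper() + "\\"):
            findings.append((path[len(BASE) + 1:].upper(), flags, "dllname" in values))
    return findings

if __name__ == "__main__":
    for guid, flags, has_dll in audit(SAMPLE_REG):
        print(guid, ",".join(flags), "DllName present" if has_dll else "no DllName")
```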
Eric Voskuil
2003-12-26 00:14:29 UTC
Michael,

Glad you have a solution, but I'm curious how this prevents the registry CSE
from doing what it was doing before. Is it that the machine CSE processing
occurs prior to the cmdlines.txt execution?

As for my name, I believe there is an Eric Voskuil professional basketball
player, and I've run across at least one Hollander with the same name
working in the software business. Prior to my current occupation, I spent
ten years in the US Navy flying F/A-18s - so it probably isn't me you ran
into.

Merry Christmas,

Eric Voskuil
Policy Maker
http://www.autoprof.com/policy
Michael Waterman
2003-12-29 23:04:48 UTC
Hi Eric,

Thanks for your response. Well, it doesn't make the registry processing stop,
but it stops the rest of the group policies that can stop an
installation.... I'm just glad this works :-).... If I really need to stop
the registry-based policies then I would create a secedit file and run that
with the cmdlines.txt action.

And to answer your question..... yeah, I think it's a possibility that when
the machine joins a domain it gets the registry-based GPOs. That would
explain why the Windows Update policy was already on the machine before it
had rebooted the first time...

Thanks for your time!!!

Michael