I want to change the group policy setting that applies the value of the Windows Update WSUS server location HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer
and HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer
.
Changing them directly in the registry will not overwrite what has been set in the group policy, so I would like to know, what commands can I use to change the group policy input of these values instead?
Answer
Mark Russinovich has an excellent article on circumventing Group Policy changes.
Group policy settings are an integral part of any Windows-based IT environment. If you’re a network administrator you use them to enforce corporate security and desktop management policy, and if you’re a user you’ve almost certainly been frustrated by the limitations imposed by those policies. Regardless of which you are, you should be aware that if the users in your network belong to the local administrator’s group they can get around policies any time they want.
There are two steps to circumventing a group policy setting: identifying the setting’s location and preventing the setting from being applied. There are many group policy references available, but since machine group policy settings store in the HKEY_LOCAL_MACHINE branch of the Registry and per-user group policy settings store in HKEY_CURRENT_USER, if you don’t know the location of the setting that’s preventing you from doing something you want you can use Regmon to find it.
The number of desktop lockdown settings available to group policy administrators is enormous. They can prevent you from doing anything from changing your desktop appearance and start menu to running certain applications. Two commonly applied settings include a pre-configured screen saver program so that users don’t waste resources on frivolous screen savers, and a screen saver timeout so that systems aren’t left indefinitely accessible when a user steps away. When these settings are in effect Windows omits the screen saver tab of display properties control panel applet or doesn’t let you modify the screen saver or its timeout. I’m going to show you how to use the power of being a local administrator and Regmon to track down these settings and override them on your own system.
While it goes into the Registry Monitor, Process Monitor also exists these days which combines several monitoring tools into one. It allows you to find the registry keys that are being modified. Just jump to the relevant registry keys and change their permissions such that they can't be updated anymore...
Check out what you can do with the reg
command; you can verify access with accesschk
.
No comments:
Post a Comment