[FIXED] GPOs and NTLite

Been working on this in the past few days.

I ended up adding a command to the post-setup section that runs LGPO to import my exported file.

Group Policies are pretty dumb in that they don't auto-update on registry changes. That's my main gripe with just editing the registry directly, as then the group policy editor is out of sync.

The problem is, thinking of this for NTLite automation, I cannot think of an easy way it could be implemented, as to do my export I manually toggled the policies I wanted, and it's that part I am not sure could be done?

The exported file is also not XML, it's a binary format.
 
This subject has been discussed on other threads.

Local policy files work in one direction. When loaded at startup, or by "gpupdate /force", GPOs act as templates to force reg key changes. Updating the same reg keys individually doesn't push changes back to the GPO. This is normal behavior.

Policy files are stored as binary objects similar to a registry hive. Open a policy file with a hex editor, there's reg strings inside.

The reason you need the LGPO tool is that simply copying the policy folder (or files) from another machine doesn't work. System32\grouppolicy\gpt.ini needs to be initialized against your system. LGPO does that work for you.
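
The binary layout described in the post above ("there's reg strings inside") can be read without a hex editor. The following is an added example, not part of the original thread or of LGPO: a minimal Python reader for the Registry.pol policy file format (a `PReg` header followed by `[key;value;type;size;data]` records in UTF-16LE). The file name, the `build_entry` helper and the sample bytes are not from the thread; the sample is constructed for illustration.

```python
import struct

U16 = "utf-16-le"
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

def parse_pol(blob):
    """Return [(key, value_name, type_name, data), ...] from policy-file bytes."""
    if blob[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("bad header: expected 'PReg' signature, version 1")
    pos, entries = 8, []

    def take(n):  # bounds-checked read so a truncated file fails loudly
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError(f"truncated at offset {pos}")
        pos += n
        return blob[pos - n:pos]
    def expect(ch):  # delimiters are single UTF-16LE characters
        if take(2) != ch.encode(U16):
            raise ValueError(f"expected {ch!r} before offset {pos}")
    def cstring():  # NUL-terminated UTF-16LE string, then the ';' delimiter
        units = []
        while (unit := take(2)) != b"\x00\x00":
            units.append(unit)
        expect(";")
        return b"".join(units).decode(U16)
    def dword():  # little-endian DWORD, then the ';' delimiter
        (n,) = struct.unpack("<I", take(4))
        expect(";")
        return n

    while pos < len(blob):
        expect("[")
        key, name = cstring(), cstring()
        rtype, size = dword(), dword()
        raw = take(size)  # read by length: data may itself contain ';' or ']'
        expect("]")
        data = struct.unpack("<I", raw)[0] if (rtype, size) == (4, 4) else raw
        entries.append((key, name, REG_TYPES.get(rtype, rtype), data))
    return entries

def build_entry(key, name, rtype, raw):  # encoder used only for constructed samples
    fields = [f"{key}\0".encode(U16), f"{name}\0".encode(U16),
              struct.pack("<I", rtype), struct.pack("<I", len(raw)), raw]
    return "[".encode(U16) + ";".encode(U16).join(fields) + "]".encode(U16)

# Constructed sample: header plus one DWORD policy value (telemetry level 0).
SAMPLE = b"PReg" + struct.pack("<I", 1) + build_entry(
    r"Software\Policies\Microsoft\Windows\DataCollection", "AllowTelemetry", 4, struct.pack("<I", 0))
```

Feeding `parse_pol` the bytes of a policy file before importing it into a build shows exactly which keys and values it will enforce; values other than 4-byte DWORDs are returned as raw bytes.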
 
I know it's normal behaviour for how it was written, I just think it's poor design. :)

Inconsistent with other Windows UI, e.g. if I edit a registry setting that is also controlled in the control panel or settings app, it becomes visible, it is detected.

Having read your post here.


I can understand the design principle a bit more now, so Group Policy is designed to act as a guardian over those registry keys, hence it not accepting changes done outside of the proper tools.
 
Altering a Group Policy in reg - try to change it - you can on a live install - a restart makes the GPO take over.
That's the idea of GPO!
 
I've put policy reg files in a build and they don't show in gpedit.msc.
Looking to put telemetry reg tweaks from a cmd file into w10 and I want them to show in GPE. Gotta play hunt and compare, seeing as into the registry is a one way street :mad:
 
Group Policy Editor creates policy files, which result in corresponding GPO-based changes to the registry. While you can insert the same reg values into the registry without the Editor, none of those values are "persistent". Anything with Admin rights can change the registry again without your knowledge.

The policy exists so it can be repeatedly enforced, after every system restart or "gpupdate /force" command. It only gets pushed in one direction, from group policy to the registry. Registry-only changes don't get pushed back into a policy file.

There's no quick way to map any reg-based GPO changes, back to the original policy it matches. You need to search a website like admx.help for guidance on which policy applies, and download any missing ADMX template files as needed for the Editor.
 
"There's no quick way to map any reg-based GPO changes, back to the original policy it matches."
I expected that after you had previously said it's a one way street, bit of a pizzer but that's the way it is.

"You need to search a website like admx.help for guidance"
Test PC is offline ONLY. Will check the tweaks on a running system. Got the additional template admx packages linked on page 1 and autoit has a w10 telemetry pack with basic and advanced lockdowns so I'm going to check them too.
 
Pretty much. I don't think you can merge two policy files, except to load multiple files on an existing system and export the combined results.
Add each individually then export, gotcha. Good if you prefer to work in a modular fashion/share specific tweaks like Telemetry only.
 