I need to add HKCU keys and values to all machines in a specific OU, for all existing user profiles and to the default profile. What's the best way to approach this?
I could enumerate and iterate through all the NTUSER.DATs, loading the hive, adding the keys, and unloading the hive, but that seems like a clunky way to do it.
Anyone have a better idea? I'd like to script this (PowerShell preferably) and push the changes if possible, but group policy logon scripts would work too.
My preferred method is to use Active Setup. What it does, is check when a user logs into a machine if they've ran a particular script or command (Such as the one you would have) and if not, execute it. So, you'll only run a particular script for a user one time on their workstation. I found this to be perfect for writing to HKCU, because you don't have to load each hive and only the accounts that people log into are modified.
Not to self promote, but I did write a blog post about doing this. The basic solution is as follows:
Add the following registry entries:
Version
is whatever version number you want to use.Stubpath
is the command that will be executed. MSI, EXE, and VBS calls all seem to be fine.@
is what should be displayed when the command is running.With this solution, the scripting language is irrelevant. You could do a VBScript, Powershell, Batch file. Whatever lets you write to HKCU as the logged in user. Using
reg.exe
directly works fine as well.The other, optional final touch you could make is load and modify the default user Hive. That would set the registry value for any new users that log on for the first time to that particular system.
You can add custom reg keys by creating a custom adm file and importing it as a template into the Administrative Templates section of a Group Policy Object. Then link that GPO to your OU. There are docs at MS about how to do this, or you can look at the adm files that already exist on the server (somewhere under Sysvol I think).
This process is called "tattooing the registry" and it means you are outside the control of group policy removal i.e. the reg entries will remain even if the policy is removed. You need to create a "reversed" reg key and deploy it (or just delete it).