Tough Questions Answered: How to add multiple values to a GPO with a listbox.
Published Mar 20 2019 12:01 AM 4,744 Views

Recently I have received a support request from a Customer that need to add multiple value to a GPO. Lets dive into the details.

 

ENVIRONMENT

The customer installed a new third party application is his client environment (Windows 10), this application require a specific GPO to be set on all Clients. The vendor of the application gave to the customer a Custom ADMX Template to permit to set this GPO on all clients. The Customer have all DC 2008R2 and the Policy Central Store Enabled.

 

THE PROBLEM

The Customer installed the Custom ADMX Template, but when he try to configure the GPO from the GPMC console, he would see this window from the settings:

Window.png

The problem here, is that he need to add more than 700 urls in this setting, and from this window the user can add one url at time. (A HUGE work of Copy and Paste!)

 

SOLUTION

I have reproduced the customer situation in my Lab with the following steps:

 

  1. I have created a ListBoxGPO in my lab to do some tests:
    GPMC.png

  2. I have used a similar policy, the "Intranet Zone Restricted Protocols" that have the same type of Window (a ListBox):
    Window2.png
    You can find the details of this policy here.

  3. Then I have used the LGPO tool to read from the Registry.pol of the GPO where this settings are stored in the registry:
    =======================================================
    LGPO.exe /parse /m "\\lab.com\SYSVOL\lab.com\Policies\{719264A1-F33B-485C-828F-4B00589272B5}\Machine\Registry.pol"
    ; ----------------------------------------------------------------------
    ; PARSING Computer POLICY
    ; Source file:  \\lab.com\SYSVOL\lab.com\Policies\{719264A1-F33B-485C-828F-4B00589272B5}\Machine\Registry.pol
    Computer
    SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols
    ListBox_Support_1
    DWORD:1
    Computer
    SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1 <= This is the Registry Key used by the ListBox
    itopstalk.com  <= This is the name of the Value
    SZ:itopstalk.com  <= Those are the Type of the value (SZ = String), and Value.
    ; PARSING COMPLETED.
    ; ----------------------------------------------------------------------
    =======================================================
    This is the view from the RegEdit from the client:
    regedit.jpg

  4. So now, how can I add more than 700 Url in this GPO?
    The solution is simple but not really common. Starting from 2008R2 ADDS introduce a PowerShell module for managing GPO called "GroupPolicy". In this module there is a cmdlet called Set-GPRegistryValue this type of policy can configure registry-based Policy.
    With the settings collected from the LGPO I'm able to use this cmdlet to set the 700 Urls:
    =====================================================
    #Read Urls from a file on disk.
    $Urls = get-Content .\Urls.txt

    #Build a loop to add all the Urls to the specified CPO.
    foreach ($Url in $Urls)
    {
        Set-GPRegistryValue -Name ListBoxGPO -ValueName $Url -Type String -Value $Url -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1"    
    }
    =====================================================

  5. Verify correct execution of the script by editing the GPO from the GPMC and check the content of the Listbox:
    Window3.png

  6. Verify if the registry key of the client, have the correct registry value applied by the GPO:regedit2.jpg

  7. Mission Complete! :)

 

3 Comments
Version history
Last update:
‎Mar 20 2019 05:09 AM
Updated by: