I have updated the registry value for Software Restriction Policies/Security Levels. However, the changes were not reflected in the GUI. I have restarted the server, still no effect.

The command below was used to update the registry value:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\safer\codeidentifiers /v DefaultLevel /t Reg_DWORD /d 262144 /f

I also executed the gpupdate command.

Command execution is successful. The values were even changed in the registry, but Software Restriction Policies/Security Levels is still set as Disallowed. It should be Unrestricted after the command is executed.

Any suggestion would be greatly appreciated...

Regards, Monoj

Monoj

1 Answer

I tried this some time ago, and it seems that for these specific GP settings, changes in the registry aren't reflected in the console.
I guess that's because there is also a file (C:\Windows\security\database\SecEdit.sdb) that holds the settings of the "Local Security Settings", and the mmc is using it instead of the registry.

The manual values you put in the registry should work as usual, but I'd strongly suggest you use only the regular mmc.

EliadTech
  • You meant to say... changing values in the registry will work as expected even if it is not reflected in the console? We have a huge number of servers, and considering this, use of the MMC may not be feasible and would be a time-consuming process. So I was planning to have a check for this specific registry setting and, if it is not set as expected, then update it using a script. We can easily execute the same script against any number of servers at a time. I hope this makes sense. Please let me know if there is any command or utility that can be useful in updating the registry value to get the desired result. – Monoj Oct 17 '14 at 09:46
  • @Monoj That's what I meant to say. But if you have several servers you can configure that with a domain GPO or Export\Import these settings from the mmc. – EliadTech Oct 17 '14 at 12:39
  • Thanks EliadTech. I will check with my Windows Admin on this front. One more thing that I observed: I updated the registry value for Security Level to Unrestricted (the console says Disallowed). Then I tried modifying the registry value for Enforcement, but it failed with the message "Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator." This concludes that changes done to the registry setting do not actually take effect as expected. – Monoj Oct 17 '14 at 13:02
  • @Monoj Well, I haven't tested all options and compared between the console and the registry, but I don't understand exactly which setting you were messing with. The Enforcement menu has several options, so which one have you touched? And where have you changed the security level? Have you changed both the enforcement and the security level? Please clarify. – EliadTech Oct 17 '14 at 13:38
  • At first I modified the registry value for Security Level to Unrestricted from the command line using reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\safer\codeidentifiers /v DefaultLevel /t Reg_DWORD /d 262144 /f. This was successful, and I verified that the registry value changed accordingly. Once it had executed successfully, I tried to update the registry value for Enforcement to All Software files except libraries (such as DLL) using the command reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\safer\codeidentifiers /v TransparentEnabled /t Reg_DWORD /d 1 /f. Here I got an error. – Monoj Oct 17 '14 at 16:00
  • And the error is "Windows cannot open this program because it has been prevented by a software restriction policy". That's why I mentioned that changes done to the registry setting do not actually take effect as expected. If that were really the case, I should not have got that error. Then I changed the security level to Unrestricted in the console, and now I am able to update the registry value for Enforcement without fail. – Monoj Oct 17 '14 at 16:05
  • Well, I can't do any testing myself at the moment, but anyway, why do you insist on using the registry? Have you checked with your SysAdmin about a GPO solution? That would be incredibly easier. – EliadTech Oct 20 '14 at 20:06
  • Yes, I got a solution for it. My admin team confirmed that they can handle this using GPO. Thanks for your help. – Monoj Oct 21 '14 at 09:40
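
The check described in the comments (read the value on each server and compare it with the expected one), as an added example that is not part of the original thread: a read-only PowerShell audit of the two values discussed, DefaultLevel and TransparentEnabled. The function name, its parameters and the display names for values 0, 131072 and 2 are assumptions not taken from the thread; the script reports what the registry holds, which according to the answer may differ from what the console shows.

```powershell
# Added example: read-only audit, nothing is written to the registry.
# Get-SrpRegistryState and its parameters are hypothetical names.
function Get-SrpRegistryState {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$ExpectedDefaultLevel = 262144,  # value from the question: Unrestricted
        [int]$ExpectedEnforcement  = 1        # value from the question: all files except DLLs
    )
    $levels  = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    $enforce = @{ 0 = 'No enforcement'; 1 = 'All files except libraries'; 2 = 'All software files' }

    # Translate a raw DWORD into a readable name; a missing value is reported, not guessed.
    $name = {
        param($map, $value)
        if ($null -eq $value) { return 'not set' }
        if ($map.ContainsKey([int]$value)) { return $map[[int]$value] }
        return "unknown ($value)"
    }
    # Runs on the target machine; yields $null properties if the key or a value is absent.
    $probe = {
        $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DefaultLevel       = $item.DefaultLevel
            TransparentEnabled = $item.TransparentEnabled
        }
    }
    foreach ($computer in $ComputerName) {
        try {
            $raw = if ($computer -eq $env:COMPUTERNAME) {
                & $probe
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $probe -ErrorAction Stop
            }
        } catch {
            Write-Warning "$computer : could not read SRP values ($($_.Exception.Message))"
            continue
        }
        [pscustomobject]@{
            Computer        = $computer
            DefaultLevel    = & $name $levels $raw.DefaultLevel
            Enforcement     = & $name $enforce $raw.TransparentEnabled
            MatchesExpected = ($raw.DefaultLevel -eq $ExpectedDefaultLevel) -and
                              ($raw.TransparentEnabled -eq $ExpectedEnforcement)
        }
    }
}

Get-SrpRegistryState | Format-Table -AutoSize
```

Passing several names to -ComputerName requires PowerShell remoting to be enabled on the target servers.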