Windows - Setting local group policies

Hi all, Windows sysadmin noob here, so apologies if this is a really dumb question!

I’m trying to configure/restrict a non-admin Windows user using Ansible. Since local group policies in Windows are just registry keys, I tried using the win_regedit module to set registry keys in HKCU. I haven’t had success doing this and keep getting “Access Denied” (which makes sense to me because the user should not be able to edit these registry keys himself).

How would I best restrict a non-admin Windows user so that I can, for example, disable the control panel for that user?

I know the right path to the registry:

HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel

but I haven’t found a way to make it work.

Has anyone done something like this that can point me in the right direction?

Ended up being able to do it with win_powershell module like this:

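      # Mount the user's offline hive under a temporary key in HKEY_USERS
      $userProfile = "C:\Users\{{ user }}"
      $regHive = "HKU\TempHive"
      $regPath = "$regHive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
      reg load $regHive "$userProfile\NTUSER.DAT" | Out-Null
      # Set the policy value inside the mounted hive
      REG ADD $regPath /v NoControlPanel /t REG_DWORD /d 1 /f
      # Unmount so the change is written back to NTUSER.DAT
      reg unload $regHive | Out-Null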

Just an FYI the win_regedit module has a hive option that can load the hive in that task allowing you to set whatever you need in the loaded hive.

I tried it like this but without success:

  win_regedit:
    hive: 'C:\Users\{{ user }}\NTUSER.DAT'
    path: 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    name: 'NoControlPanel'
    data: 1
    type: dword

Should that have worked? Also tried setting it with become, but kept getting Access Denied errors (which made sense to me since the user should not be able to change this group policy registry key).

The hive is loaded under HKLM:\ANSIBLE as per the documentation for hive [1]

This hive is loaded under the HKLM:\ANSIBLE key which can then be used in name like any other path.

This means that your path would look like path: HKLM:\ANSIBLE\Software\Policies\Microsoft\Internet Explorer\Control Panel.

[1] ansible.windows.win_regedit module – Add, change, or remove registry keys and values — Ansible Community Documentation

Unfortunately, this didn’t work for me:

  win_regedit:
    hive: 'C:\Users\{{ user }}\NTUSER.DAT'
    path: 'HKLM:\ANSIBLE\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    name: "NoControlPanel"
    data: 1
    type: dword

I think it’s because the key should be present in HKCU and not HKLM. But thanks for the help, not sure what I’m missing here to get this to work.

The hive specified by hive is loaded into HKLM:\ANSIBLE so any changes under there will edit that hive. It’s the same as your reg load example except that you chose to load it under HKU:\TempHive. The HKCU key is just a helper shortcut that refers to the current user’s hive, so by editing C:\Users\foo\NTUSER.DAT you’ll be editing HKCU for the foo user when they log in again.
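
The win_regedit equivalent of the reg load script earlier in the thread, as an added example that is not from any poster or from the Ansible project: it loads the user's NTUSER.DAT through hive and writes under HKLM:\ANSIBLE, using the Explorer policy subkey from that script rather than the Internet Explorer\Control Panel key used in the failed attempts. The host group and account name are hypothetical, and the connecting account is assumed to be an administrator holding SeBackupPrivilege and SeRestorePrivilege.

```yaml
# Added example; the host group and account name below are hypothetical.
- name: Hide Control Panel for one non-admin user by editing the offline hive
  hosts: windows            # hypothetical inventory group
  gather_facts: false
  vars:
    user: kiosk             # hypothetical local account; must be logged off,
                            # because a loaded profile keeps NTUSER.DAT locked
  tasks:
    - name: Check that the user's profile hive exists
      ansible.windows.win_stat:
        path: 'C:\Users\{{ user }}\NTUSER.DAT'
        get_checksum: false   # existence is enough; do not hash the hive
      register: hive_file

    - name: Fail early if the profile has not been created yet
      ansible.builtin.assert:
        that: hive_file.stat.exists
        fail_msg: 'No NTUSER.DAT found for {{ user }}.'

    # win_regedit mounts the file at HKLM:\ANSIBLE for this task only, so the
    # path starts there and continues with the subkey the reg add script used.
    - name: Set NoControlPanel in the user's hive
      ansible.windows.win_regedit:
        hive: 'C:\Users\{{ user }}\NTUSER.DAT'
        path: 'HKLM:\ANSIBLE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        name: NoControlPanel
        data: 1
        type: dword
        state: present
```

The value lands in the user's own hive, so it appears under HKCU for that account at the next logon.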