November 25, 2003 12:00 AM

Automated Registry Updates

Use a script to remotely update multiple machines’ registries
Windows IT Pro
InstantDoc ID #40714

The ability to remotely perform registry updates on multiple computers is useful in all sorts of situations. When something in the registry configuration compromises security, quickly performing registry updates is an important security measure. Remotely updating multiple computers' registries is also helpful when you need to apply a custom OS change to a set of systems or apply an additional registry entry so that software operates properly. Whatever the reason, performing registry updates centrally is crucial in midsized to large networks.

The Microsoft Resource Kit Group recently asked me to write a series of scripts for the "Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part II," which you can download from http://www.microsoft.com/downloads/details.aspx?familyid=c0dbeb7e-d476-4498-9f6c-24974fb81f1e&displaylang=en. One of the scripts that I wrote, ApplyReg.vbs, remotely updates the registries of multiple computers. Although you can use the Reg utility with the Add parameter to perform remote registry updates, Reg works for only a limited set of registry keys. In contrast, ApplyReg.vbs doesn't impose any key limits. The script performs registry updates against a list of computers that you provide, then it creates a report that notes whether each computer's set of registry updates was successful.

ApplyReg.vbs relies on several technologies: Active Directory (AD), Active Directory Service Interfaces (ADSI), Windows Management Instrumentation (WMI), Windows Script Host (WSH) 5.6, and VBScript. (If you want to use a Perl script to apply registry updates, see "Checking Remote Registries," May 2002, http://www.winnetmag.com, InstantDoc ID 24540, for information about using Perl to work with the registry.) Let's look at how to prepare for ApplyReg.vbs (including how to test the script), how to run the script in production, and how the script works.

Preparing to Use the Script
Microsoft's registry mantra goes something like this: "Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back it up first." If you didn't recognize the importance of this message before, believe it now. ApplyReg.vbs is capable of editing—and damaging—the registry on thousands of computers in minutes.

In keeping with Microsoft's registry warning, before you use ApplyReg.vbs in a production network, you need to test and retest the script in a lab. The test systems should accurately represent the production computers targeted for the registry update.

ApplyReg.vbs relies on AD to determine the host name or NetBIOS name of the computers to which it will apply the registry update. Therefore, make sure that all test computers, including the computer that will run ApplyReg.vbs, are members of an AD domain. After you configure the test systems, you need to either download or create several files:

  • You need to download ApplyReg.vbs from the Windows & .NET Magazine Web site at http://www.winnetmag.com. (Enter 40714 in the InstantDoc ID text box, click the Download the Code link, and download the 40714.zip file.)
  • You need to create a registry (.reg) file that contains the registry updates you want to apply. I've included a sample registry file named AAA123Test!!!.reg, which is in the 40714.zip file. You can use this sample file to take ApplyReg.vbs for a test run. This registry file, however, is only a sample file. Don't apply it to computers in a production network. If you're unfamiliar with the format of a registry file, see the sidebar "The Registry File Format" and review the contents of AAA123Test!!!.reg.
  • You need to create a text (.txt) file that contains a list of computers to update. In this input file, list the target computers by their distinguished names (DNs). Place each DN on a separate line, enclose each DN in quotation marks, and append a comma after the ending quotation mark. Do not include blank lines. At the top of the input file, enter a column heading, such as Distinguished Name. Figure 1 shows an example of a valid list. Adding the column heading and adding the trailing commas are important; otherwise, ApplyReg.vbs might not work correctly.

An alternative to manually creating the input file is to use the script ComputerSearch.vbs to programmatically generate a valid list for ApplyReg.vbs to read. The "Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part II" download includes ComputerSearch.vbs. The guide's "Identifying Computers to Receive New Registry Settings with ComputerSearch.vbs" section describes how to create and run ComputerSearch.vbs. ComputerSearch.vbs will generate a properly formatted input file that contains the DNs of the computers in your domain.
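
Because a malformed input file can cause ApplyReg.vbs to misbehave, a pre-flight check of the list is worth running before the script touches any computer. The following PowerShell function is an added example, not part of ApplyReg.vbs or the original download; the name Test-ComputerList, the sample DNs, the CN=...,DC=... shape check, and the duplicate check are assumptions made for illustration.

```powershell
# Added example: pre-flight check for an ApplyReg.vbs input file.
# Test-ComputerList and the sample DNs are constructed, not from the article.
function Test-ComputerList {
    param([string[]]$Lines)
    $problems = New-Object System.Collections.Generic.List[string]
    $seen = @{}   # DN -> first line number (hashtable keys are case-insensitive)
    # Rule: the first line is a column heading, not a DN.
    if ($Lines.Count -eq 0 -or [string]::IsNullOrWhiteSpace($Lines[0])) {
        $problems.Add('Line 1: missing column heading')
    } elseif ($Lines[0].TrimStart().StartsWith('"')) {
        $problems.Add('Line 1: looks like a DN; add a column heading above it')
    }

    for ($i = 1; $i -lt $Lines.Count; $i++) {
        $n = $i + 1
        $line = $Lines[$i]
        if ([string]::IsNullOrWhiteSpace($line)) {
            $problems.Add("Line ${n}: blank line")
            continue
        }
        # Rule: one quoted DN per line, with a comma after the closing quote.
        if ($line -notmatch '^"([^"]+)",$') {
            $problems.Add(('Line {0}: expected "<DN>", got {1}' -f $n, $line))
            continue
        }
        $dn = $Matches[1]
        # Assumption: computer objects have DNs of the form CN=...,DC=...
        if ($dn -notmatch '^CN=.+,DC=.+') {
            $problems.Add("Line ${n}: does not look like a computer DN")
        }
        # Extra check (not a rule from the article): flag repeated targets.
        if ($seen.ContainsKey($dn)) {
            $problems.Add("Line ${n}: duplicate of line $($seen[$dn])")
        } else {
            $seen[$dn] = $n
        }
    }
    return $problems
}

# Constructed sample: line 3 lacks the trailing comma, line 4 is blank,
# line 5 repeats line 2. For a real list, pass (Get-Content -Path <file>).
$sample = @'
Distinguished Name
"CN=PC01,OU=Workstations,DC=example,DC=com",
"CN=PC02,OU=Workstations,DC=example,DC=com"

"CN=PC01,OU=Workstations,DC=example,DC=com",
'@ -split '\r?\n'
Test-ComputerList -Lines $sample
```

An empty result means the list follows the format rules; any reported line should be corrected before the list is used in the lab or in production.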

Comments
  • Anonymous User
    7 years ago
    Aug 17, 2005

    I am getting the following error
    "Report records processed:
    C:\\Documents and Settings\\spilmanr\\My Documents\\Tools\\Remote Registry Tool\\apply
    reg.vbs(469, 3) Microsoft VBScript runtime error: Invalid procedure call or argu
    ment: 'Mid'"

    Anyone help?

  • Anonymous User
    7 years ago
    Jan 20, 2005

    Overkill, for what is essentially a very simple procedure

  • Anonymous User
    7 years ago
    Jan 03, 2005

    I can't find your sample AAA123Test!!!.reg

    Can you direct me there?

  • mvanwely@partners-intl.net
    8 years ago
    Aug 19, 2004

    Ethan--excellent script, I am now using it all the time.

    One problem however... When the CreateDWORD subroutine converts the hex value using CInt, it can't handle large numbers. For example, it will fail converting the hex value '00010000', and therefore will not write that value to the registry. I resolved this by changing CInt to CLng.

  • Jon
    8 years ago
    May 18, 2004

    Can this script be used to change permissions on reg keys?
