
Custom ADM help - change DWORD values


jcoltrin

Sep 19, 2008, 1:11:01 PM
We are going to move to a MS antivirus solution. We need to uninstall
SymantecAV first and want to do this with a script using PSTools. The
following has been tested and uninstalls SAV v10 silently w/out reboot. We
may use psexec in a script.

C:\PSTools\> psexec.exe \\computername.domain.name msiexec /qr /x {33CFCF98-F8D6-4549-B469-6F4295676D83}

However, before the command can be run, we need to modify two values:
"LockUnloadServices"=dword:00000000
"UseVPUninstallPassword"=dword:00000000

These are located in the following key:
[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security]
"LockUnloadServices"=dword:00000001
"UseScanNetDrivePassword"=dword:00000001
"UseVPUninstallPassword"=dword:00000001
"NetScanPassword"="1084A085DC6BD2D755D4D6A7726"
"VPUninstallPassword"="1084A085DC6BD2D755D4D6A7726"

I believe the best way to push these values across the network is to use a
GPO and attach an ADM template that will modify these values.

I am unsure how to create the template; will the following work ok?


;--------------------------------------
CLASS MACHINE
CATEGORY "Symantec AntiVirus"
POLICY "Symantec Require Uninstall Password"
KEYNAME "MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security"
EXPLAIN "Modifies LockUnloadServices and UseVPUninstallPassword to not require a password to uninstall Symantec anti-virus"
PART "LockUnloadServices" REG_DWORD = 0

END PART

PART "UseVPUninstallPassword" REG_DWORD = 0

END PART
END POLICY
END CATEGORY
;--------------------------------------

Many thanks for your help!
Jason

Florian Frommherz [MVP]

Sep 20, 2008, 6:00:27 AM
Howdie!

jcoltrin wrote:
> However, before the command can be run, we need to modify two values:
> "LockUnloadServices"=dword:00000000
> "UseVPUninstallPassword"=dword:00000000

If you just need to modify the values once and then never again, you
could also export the two regkeys after you modified them on a machine
and import the reg file on all other machines using a computer startup
script with

regedit /s \\server\share\myreg.reg

Anyway, something like the following ADM template should also work (not
tested):

CLASS MACHINE
CATEGORY "Symantec AntiVirus"
POLICY "Symantec Require Uninstall Password"
KEYNAME

"SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security"

ACTIONLISTON
VALUENAME "LockUnloadServices"
VALUE NUMERIC 0

VALUENAME "UseVPUninstallPassword"
VALUE NUMERIC 0
END ACTIONLISTON
END POLICY
END CATEGORY

(beware of the line break!)

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

jcoltrin

Sep 25, 2008, 7:26:00 PM
Florian,

Thanks again for helping!

I saved the below template as an .adm file (unicode) and in order to test, I
added the template on a test machine just within gpedit.msc as an
administrator (not through a Domain GPO yet). After applying it, I now see:
Group Policy
Local Computer Policy >
  Computer Configuration >
    Administrative Templates >
      Windows Components
      Symantec AntiVirus
      System
      Network
      Printers

When clicking on the new Symantec AntiVirus folder, the Extended Settings
displays "There are no items to show in this view."

So it looks like something happened, but when I go into the registry the two
DWORD values had not changed to 0. I tried gpupdate /force, and after a
reboot still no change in the registry.

I'd really like for Group Policy to work instead of a login script; if not
just to learn more about Group Policy.

Any other suggestions I can try?
Many Thanks,
Jason

Florian Frommherz [MVP]

Sep 26, 2008, 1:38:22 AM
Howdie!

jcoltrin wrote:
> When clicking on the new Symantec AntiVirus folder, the Extended Settings
> displays "There are no items to show in this view."

That's a filtering issue. Right-click the "Symantec Antivirus"
category/folder and select View->Filtering. Then clear the two boxes
"Only show..." in the upcoming window. That should get you to the setting.

The reason why it's not shown right away is that it's a "preference",
not a true policy. Here's more:
http://www.frickelsoft.net/blog/?p=8
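
The policy/preference distinction in the reply above, as an added example that is not part of the original thread: a small Python parser that labels each POLICY in an ADM template by whether its KEYNAME falls under the registry trees Group Policy manages (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies). The sample template is constructed from the one in the thread; the second policy and its vendor key are hypothetical.

```python
import re

# Registry trees Group Policy manages; settings elsewhere are preferences,
# hidden by the default editor filter and left behind when the GPO is removed.
POLICY_ROOTS = ("software\\policies\\",
                "software\\microsoft\\windows\\currentversion\\policies\\")

# Constructed sample based on the thread's template; the second policy and
# its vendor key are hypothetical, added for contrast.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY "Symantec AntiVirus"
POLICY "Symantec Require Uninstall Password"
KEYNAME "SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security"
ACTIONLISTON
VALUENAME "LockUnloadServices"
VALUE NUMERIC 0
END ACTIONLISTON
END POLICY
POLICY "Hypothetical managed setting"
KEYNAME "SOFTWARE\Policies\ExampleVendor\ExampleApp"
VALUENAME "Enabled"
END POLICY
END CATEGORY
'''

def kind(keyname):
    """Classify a KEYNAME as 'policy', 'preference' or 'unknown'."""
    if keyname is None:
        return "unknown"
    key = keyname.lower().lstrip("\\") + "\\"
    return "policy" if key.startswith(POLICY_ROOTS) else "preference"

def classify_adm(text):
    """Return {policy name: (keyname, kind)} for each POLICY block."""
    results, category_key, policy = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'(?i)(POLICY|KEYNAME)\s+"?([^"]+)"?\s*$', line)
        if re.match(r"(?i)END\s+POLICY\b", line):
            policy = None
        elif m and m.group(1).upper() == "POLICY":
            policy = m.group(2)  # inherits category KEYNAME until overridden
            results[policy] = (category_key, kind(category_key))
        elif m and policy is None:
            category_key = m.group(2)  # KEYNAME set at category level
        elif m:
            results[policy] = (m.group(2), kind(m.group(2)))
    return results
```

Calling `classify_adm(SAMPLE_ADM)` marks the Symantec entry as a preference, which is why the editor hides it until the filter boxes are cleared.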

jcoltrin

Sep 29, 2008, 8:10:13 PM
Thanks, in fact that leads me to an alternative solution I found. I instead
have installed RSAT tools and GPPreferences snap-in on Vista SP1 to modify my
GPO. It's a very nice tool set to be able to change registry settings, add
mapped drives, shortcuts and a number of other preferences. I appreciate your
responses!

swaiiinh...@discussions.microsoft.com

Nov 14, 2008, 7:03:01 PM
When my hard disk crashed I had to reinstall Windows Server 2003.

When I tried to remove the closing questions to speed up shutdown, I opened
the Policy Editor and it came up, but all four settings sections show a blank
page, except for "There are no items to show in this view".

How can I get the policy editor running properly?
