Extra Registry Settings in a GPO


Kurt Buff, GSEC/GCIH/PCIP

Feb 12, 2021, 1:30:50 PM
to ntpowe...@googlegroups.com
All,

We have a GPO called CorpLock, and among other things it has an extra registry setting that disables IPv6:
image.png

I intended to get the setting before trying to delete it (and replace it with a preference for IPv4, because that's what I can get away with), and I'm glad I did, because that's getting an error. I am using my DA account, and an elevated PowerShell session.

Am I missing something, or is there a better way to do this?

get-gpregistryvalue -server dc0 -name "CorpLock" -key "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents"

get-gpregistryvalue : The following Group Policy registry setting was not found:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents".
Parameter name: keyPath
At line:1 char:1
+ get-gpregistryvalue -server dc0 -name "CorpLock" -key "HK ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Microsoft.Group...tryValueCommand:GetGPRegistryValueCommand) [Get-GPRegistryValue], ArgumentException
    + FullyQualifiedErrorId : UnableToRetrievePolicyRegistryItem,Microsoft.GroupPolicy.Commands.GetGPRegistryValueCommand

Thanks,
Kurt

Kurt Buff, GSEC/GCIH/PCIP

Feb 12, 2021, 2:05:16 PM
to ntpowe...@googlegroups.com
Figured it out - it wanted just the key, and not the full specification of the parameter.

get-gpregistryvalue -server dc0 -name "CorpLock" -key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"


KeyPath     : SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
FullKeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
Hive        : LocalMachine
PolicyState : Set
Value       : -1
Type        : DWord
ValueName   : DisabledComponents
HasValue    : True

Michael B. Smith

Feb 12, 2021, 2:11:53 PM
to ntpowe...@googlegroups.com

Why not just use Get-ItemPropertyValue?

I guess I’m missing something.

Kurt Buff, GSEC/GCIH/PCIP

Feb 12, 2021, 2:48:37 PM
to ntpowe...@googlegroups.com
Because I didn't know it would work on GPOs in Sysvol?

Would I be able to edit the GPO to remove that as well?

Kurt

Michael B. Smith

Feb 12, 2021, 3:07:34 PM
to ntpowe...@googlegroups.com

First

get-gpregistryvalue -server dc0 -name "CorpLock" -key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" -valuename DisabledComponents

Second, now I see what I missed… you were only interested in what the GPO says, not what the actual registry says.

Kurt Buff, GSEC/GCIH/PCIP

Feb 12, 2021, 3:28:29 PM
to ntpowe...@googlegroups.com
Got it.

If you know the answer: Would either editing the regentry in the GPO or deleting the entry and recreating it as needed change it into a Preference?

If neither of those would make that conversion, I'm thinking of using remove-gpregistryvalue and manually recreating it as a Preference item.

Kurt

Michael B. Smith

Feb 12, 2021, 4:06:21 PM
to ntpowe...@googlegroups.com

No, I don’t think it would convert it. I think you have to recreate it.
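
The sequence discussed in this thread (read the setting, remove it with Remove-GPRegistryValue, recreate it as a Preference item), as an added example that is not part of any poster's message. It uses Set-GPPrefRegistryValue in place of manual recreation; the backup path, the Update action and the value 0x20 (Microsoft's documented DisabledComponents value for preferring IPv4 over IPv6) are assumptions.

```powershell
# Added example. GPO name, DC name and key are the ones quoted in the thread;
# $backup, the Update action and the 0x20 value are assumptions.
Import-Module GroupPolicy

$gpo    = 'CorpLock'
$dc     = 'dc0'
$key    = 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$name   = 'DisabledComponents'
$backup = 'C:\GPOBackup'   # assumed path

# 1. Read the current setting. -Key takes the key path only; the value name
#    goes in -ValueName (putting it in -Key produces the "not found" error).
$current = Get-GPRegistryValue -Server $dc -Name $gpo -Key $key `
    -ValueName $name -ErrorAction Stop
'{0}\{1} = 0x{2:X8} ({3})' -f $current.FullKeyPath, $current.ValueName,
    $current.Value, $current.Type

# 2. Back up the GPO so the change can be rolled back with Restore-GPO.
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Backup-GPO -Server $dc -Name $gpo -Path $backup `
    -Comment "Before removing $name" | Out-Null

# 3. Remove the registry policy setting from the GPO.
Remove-GPRegistryValue -Server $dc -Name $gpo -Key $key `
    -ValueName $name -ErrorAction Stop | Out-Null

# 4. Recreate it as a Group Policy Preferences Registry item.
#    This key is outside the Policies subtrees, so clients keep the old value
#    after step 3; Update overwrites it on the next policy refresh.
Set-GPPrefRegistryValue -Server $dc -Name $gpo -Context Computer `
    -Action Update -Key $key -ValueName $name -Type DWord -Value 0x20 | Out-Null

# 5. Verify: the preference item exists and the policy setting is gone.
Get-GPPrefRegistryValue -Server $dc -Name $gpo -Context Computer `
    -Key $key -ValueName $name

try {
    Get-GPRegistryValue -Server $dc -Name $gpo -Key $key `
        -ValueName $name -ErrorAction Stop | Out-Null
    Write-Warning "$name is still present as a policy setting in $gpo"
} catch {
    "Policy setting $name no longer present in $gpo"
}
```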

Markus Klocker

Feb 15, 2021, 1:08:13 AM
to ntpowe...@googlegroups.com
Why not make a new GPO which deletes the old value as preference (if necessary) and creates the needed value?
If you just want to replace it make the new GPO with replace and delete the old one.

Or didn't I get that right?
    Markus

Kurt Buff, GSEC/GCIH/PCIP

Feb 15, 2021, 12:35:19 PM
to ntpowe...@googlegroups.com
Because it's in the Default Domain Policy, and I'd prefer not to delete and recreate that.

I'm slowly whittling the DDP down to bare bones, and transferring the settings that need to be kept to separate GPOs.

Kurt

Kurt Buff, GSEC/GCIH/PCIP

Feb 15, 2021, 2:01:12 PM
to ntpowe...@googlegroups.com
My apologies. I'm dealing with too many GPO problems.

The problematic GPO in this case isn't the DDP, it's the CorpLock one, as I originally stated in this thread.

This is a huge GPO with lots of settings jammed into it, and I'm taking the same approach to it that I'm taking with the DDP - whittle it down a little at a time. For this GPO, however, I'm going to eventually kill it. It seems to have a lot of overlap with the GPOs that another of my predecessors set up for CIS compliance.

Kurt
