This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 48%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVA%3C/text%3E%3C/svg%3E)
I have created a DSC profile which in turn creates registry.pol file under GroupPolicy directory. Then this gets executed using lgpo.exe. When I tried to apply this settings to a domain joined computer, I wanted to understand if one or more registry settings defined in the AD GPO under GPP corresponding to regsitry.pol has different values other than configured in regsitry.pol file,
Group Policies supports multiple client side extensions (GPE), each one supports different functionality, and they store their configuration data in different locations either in the Group Policy Container (AD) or the Group Policy Template (Sysvol) - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpod/351cf7ff-d4d8-4e80-b5dc-6a51a328c6c4
The register.pol is the legacy location for GPO settings, with the introduction of GPP the configuration for these settings moved to xml files in the Preferences folder in sysvol.
I don't believe there is any GPP configuration data is stored in registry.pol. You can use GPO Explorer in NetTools to view the settings that existing in the registry.pol and GPP xml files. https://nettools.net/gpo-explorer/
Thanks @Gary Reynolds
Actually, I mistakenly provided the details in a different context. Let me rephrase.
I created a DSC profile which created Registry.pol file under C:\Windows\System32\GroupPolicy\Machine folder . This gets executed by group policy client and it executes successfully. (that means, it creates all Regsitry settings in the resgistry hive).
I tested this in a stand alone VM.
Next thing, I Tested the same DSC in a domain joined machine. Now the question is, if one of the domain AD GPO has any setting defined under Administrative template that will be stored in Registry.Pol file under "sysvol" in a domain controller, would that Registry.Pol file from DC SySvol folder gets downloaded to each target machine and overwrite the registry.Pol file (if it has different setting for a control) created by local DSC engine? So let's say, if I create DSC profile that affects 50 Registry settings and is stored locally under C:\Windows\System32\GroupPolicy\Machine path, and if the AD GPO has a registry.pol file that has different values for those 50 controls,
1) The files that constitute the registry are stored in two location, the HKCU is stored in the user's profile directory, and the HKLM, Root and Config, are stored in the C:\Windows\Systems32\Config folder. The registry.pol in the C:\Windows\System32\GroupPolicy\Machine is an artefact of the GPO Engine, the policies are downloaded but they are saved in the C:\Windows\System32\GroupPolicy\DataStore folder. If you download v1.31.3 beta or later of NetTools, it has a new option in the GPO Explorer to display the contents of registry.pol files. You can use this option to view the contents of these files.
2) The default behavior of GPO Engine, is that settings are overwritten by policies based on precedence of the policies. with DSC, it will depend when these settings are applied during the boot process, if they are one off settings, then the GPO will overwrite them if they contain the same settings.
With GPO processing, the registry.pol doesn't overwrite the existing registry files, they are merged, so only the settings that are in the GPO are added to the registry. By default most GPO settings are applied to the HKLM\HKCU\Software\Polices, which is specific for GPO settings, this location is volatile and will be deleted before the GPO registry settings are applied. Settings which are out of this location are not removed, and overwrite the existing settings, these are referred to as tattoo settings. The GPO settings should be removed once the policy goes out of scope.
Gary.
Just checking if there is any update or progress on this one?
Gary.
Hi Gary, Apologeiz for delayed reply..
PART 1
I wanted to ask that if I create a DSC profile which in turn creates registry.pol file under C:\Windows\System32\GroupPolicy\Machine\, which means, all the settings applied from this registry.pol file through local group policy engine works fine.
When the same set of configurations/controls are applied from AD Sysvol folder (LET us assume that the controls are same similar to contents of Registry.pol but with a different set of values for each control), will those settings from AD SYSVOL folder gets downloaded locally to C:\Windows\System32\GroupPolicy\Machine\Registry.pol file in a target machine by merging with existing settings inside this file?
If I delete the registry.pol file and if I run gpupdate /force, will again registry.pol file gets recreated from AD?
Here's my step by step procedure, please reply..
DSC Engine creates a registry.pol file in C:\Windows\System32\GroupPolicy\Machine which was not already there. Its a fresh one on a new VM.
The settings inside the C:\Windows\System32\GroupPolicy\Machine\Registry.Pol file represents ADMINISTRATIVE TEMPLATE section and its sub section (either in local or domain policy-that does not matter)
PART 2
Then I created a new domain GPO in AD which has same(similar) set of settings defined earlier by DSC under ADMINISTRATIVE TEMPLATE section and link to the same OU where the target VM is there.
I ran GPUPDATE/FORCE and in RSOP.MSC, I see that both Local policy, created by DSC through Registry.pol and its settings are deployed and also same settings from AD GPO also get applied and based on the order of precedence, policies from AD GPO got overwritten.
Now if I delete the C:\Windows\System32\GroupPolicy\Machine\Registry.POL file locally and If I run GPUPDATE/FORCE, there is no C:\Windows\System32\GroupPolicy\Machine\Registry.POL file and only policies from AD GPO are getting applied to the target VM.
I wanted to confirm if C:\Windows\System32\GroupPolicy\Machine\Registry.Pol file will be created only through local mechanism/local GPO or also through/from AD GPO.
I hope I have explained little bit more on the situation. Awaiting your reply.
Regards
Vijayanand
In a nutshell, my whole question is related to how long a registry.pol file will get generated completely if I either delete it under the C:\windows\system32\GroupPolicy\Machine directory or rename it and run GPUPDATE /FORCE.
For example, in the attached image, I renamed Registry.POL file to "old" and ran GPUPDATE/FORCE but It did not create a fresh registry.pol file. After 8 hours, I login to the same VM and Ran GPUPDATE/Force again and this time, it created a registry.pol with 3 KB in size. The original Registry.pol file which is renamed is 126 KB in size. So obvioulsy, the newly auto created registry.pol file did not contain all of the registry settings. And I believe, even this newly created "registry.pol" file has the configurations of 3 KB in size came from SCCM Agent which also updates the Registry.POL file. So My question is that, would be there any registry.pol file with the contents directly updated from any domain controller? (and if so,
I'm struggling to find a definitive answers to your questions, I've found a number of articles that say that the registry.pol file will be created if it's deleted but haven't found the details in the specification doc on how and when. We can expect the GroupPolicy\Machine\registry.pol file to contain the settings associated to the machine based policies. One of the reasons why that the file is not being created when you run the /force update, could be that these settings are only applied when the machine is rebooted, or at at the policy refresh interval.
what would be the time period that any registry.pol gets created with all of the settings/configurations coming from Active Directory/Domain controller
Typically the machine based policies are applied when the machine is rebooted
How long will it really takes for a Group Policy client in a VM to create the registry.pol file in case if its not present there?
If the file is not created with /force, then I would expect it to get created at the next policy refresh policy interval, which is typical 90 minutes + random 0-30 minutes.
One option to confirm what settings are in the files and which policy the settings are from, you can use NetTools to do this - https://nettools.net/how-to-read-the-contents-of-registry-pol-files/
Gary.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 78%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECH%3C/text%3E%3C/svg%3E)
With Configuration Manager in the mix, there is a client action that is configured to run on a schedule, Software Update Scan Cycle, by default it runs weekly, but many customers set it to run daily, this action which can be run manually on the client from Control Panel, Configuration Manager, Actions tab will recreate the registry.pol on the client after you delete it by what ever means. I beleive this is where/how the configuration manager client is setting these local policies for WSUS scanning portion of the agent.