简体繁体 English

在GPO和直接注册表编辑NSIS之间进行选择

[英]Deciding between GPO and straight registry editing NSIS

原文 2015-11-05 15:40:58 7 1 windows/ windows-installer/ registry/ nsis/ gpo

I'm writing an NSIS script to upgrade an appliance between versions. 我正在编写NSIS脚本以在版本之间升级设备。 The versioning and setup have gotten away from us a bit, as we have many versions in the field, and currently no easy way to upgrade from one version to another. 由于我们在该领域有许多版本，因此版本控制和设置离我们有些距离，并且目前没有简便的方法可以从一个版本升级到另一个版本。 So the first task I have is to write something that they can run on field machines to do everything necessary to bring them to the latest version. 因此，我要做的第一件事是编写一些可以在现场计算机上运行的东西，以执行将它们升级到最新版本所需的一切。

The appliance runs on windows 7. it has 3 users. 该设备在Windows 7上运行。它有3个用户。 In the repository for the project there are 4 .msc files that contain group policies to set the appropriate settings for each of these. 在项目的存储库中，有4个.msc文件，其中包含用于为每个文件设置适当设置的组策略。 (computer, non-administrator, admin, appliance) （计算机，非管理员，管理员，设备）

Is this the right way to go? 这是正确的方法吗？ in trying to power through learning NSIS, it seems easier to write the registry keys directly to HKU /user/... rather than the extra layer of indirection from GPO, given that I'm not doing any sort of distributed system using active directory (which I know approximately nothing about), and just have 3 static users on one static physical machine. 在尝试通过学习NSIS来增强功能时，将注册表项直接写到HKU / user /似乎要容易些，而不是从GPO来的额外的间接层，因为我没有使用活动目录进行任何形式的分布式系统（我对此一无所知），并且在一台静态物理计算机上只有3个静态用户。

So concise questions: 如此简洁的问题：

Which approach makes more sense for my application? 哪种方法对我的应用更有意义？ GPO files, or direct ntuser.dat editing on the various users. GPO文件，或直接在各个用户上编辑ntuser.dat。
if GPO makes sense, how do I apply an msc file inside NSIS? 如果GPO有意义，如何在NSIS中应用msc文件？ double clicking the file works in windows, but then you have the mmc open. 双击该文件可在Windows中运行，但是随后打开了mmc。 oogly. 令人讨厌 is there a clean way to do it with NSIS? NSIS有没有一种干净的方法？
How does a GPO in the registry under HKCU translate to a system wide policy? HKCU下的注册表中的GPO如何转换为系统范围的政策？ it seems to me that what's written to the registry is missing the critical information of which users it applies to (if it applies to a user or group). 在我看来，写入注册表的内容缺少其适用于哪些用户的关键信息（如果适用于用户或组）。

Thanks in advance 提前致谢

1 个解决方案

.msc files usually contain data used by MMC and not policy data, perhaps you mean .adm template files ? .msc文件通常包含MMC使用的数据，而不包含策略数据，也许您是说.adm 模板文件？ I don't think you can really apply a .msc file programmatically. 我认为您真的不能以编程方式应用.msc文件。

Direct registry editing is probably OK if your application just reads them normally on the other end, otherwise you might need to call gpupdate . 如果您的应用程序仅在另一端正常读取它们，则直接注册表编辑可能没问题，否则，您可能需要调用gpupdate 。

If your policy is stored under Software\\Policies then entries in HKLM applies to everyone and entries in HKCU/HKU applies to that user. 如果您的策略存储在“ Software\\Policies则HKLM中的条目适用于所有人，而HKCU / HKU中的条目适用于该用户。 A normal user cannot change their policy under HKCU because they don't have write access. 普通用户无法更改其在HKCU下的策略，因为他们没有写权限。 There is not really a concept of groups when using these keys. 使用这些键时实际上没有组的概念。