Disable Reg tools through GPO now cant script hkey_user
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.group_policy (More info?)
Hello, We have disabled users from using registry editing tools through our
GPO.
Now when we script changes to the hkey_user with regedit in the user logon
script it is disabled because it is ran as the user and the user is blocked
from regedit.
Is there a way to block users from using regedit but to allow user scripts
to run the way we want. Would regini be blocked as well? Are there any other
regedit tools that would work?
Hello, We have disabled users from using registry editing tools through our
GPO.
Now when we script changes to the hkey_user with regedit in the user logon
script it is disabled because it is ran as the user and the user is blocked
from regedit.
Is there a way to block users from using regedit but to allow user scripts
to run the way we want. Would regini be blocked as well? Are there any other
regedit tools that would work?
More about : disable reg tools gpo script hkey user
Archived from groups: microsoft.public.win2000.group_policy (More info?)
If you are writing to the Hkey_user key and not Hkey_current_user what about
making it a startup script rather than logon script so it will run under the
local system account.
--
James Brandt [MSFT]
"systimax" <systimax@discussions.microsoft.com> wrote in message
news:0D497095-39E7-4983-812D-9BE5AB7A8B71@microsoft.com...
> Hello, We have disabled users from using registry editing tools through
> our
> GPO.
>
> Now when we script changes to the hkey_user with regedit in the user logon
> script it is disabled because it is ran as the user and the user is
> blocked
> from regedit.
>
> Is there a way to block users from using regedit but to allow user scripts
> to run the way we want. Would regini be blocked as well? Are there any
> other
> regedit tools that would work?
>
If you are writing to the Hkey_user key and not Hkey_current_user what about
making it a startup script rather than logon script so it will run under the
local system account.
--
James Brandt [MSFT]
"systimax" <systimax@discussions.microsoft.com> wrote in message
news:0D497095-39E7-4983-812D-9BE5AB7A8B71@microsoft.com...
> Hello, We have disabled users from using registry editing tools through
> our
> GPO.
>
> Now when we script changes to the hkey_user with regedit in the user logon
> script it is disabled because it is ran as the user and the user is
> blocked
> from regedit.
>
> Is there a way to block users from using regedit but to allow user scripts
> to run the way we want. Would regini be blocked as well? Are there any
> other
> regedit tools that would work?
>
Archived from groups: microsoft.public.win2000.group_policy (More info?)
Will editing HKEY_User make changes to everyones Hkey Current user when they
log on?
Does Hley_current get changes from hley_user?
"jabrandt@online.microsoft.com" wrote:
> If you are writing to the Hkey_user key and not Hkey_current_user what about
> making it a startup script rather than logon script so it will run under the
> local system account.
>
> --
> James Brandt [MSFT]
>
>
> "systimax" <systimax@discussions.microsoft.com> wrote in message
> news:0D497095-39E7-4983-812D-9BE5AB7A8B71@microsoft.com...
> > Hello, We have disabled users from using registry editing tools through
> > our
> > GPO.
> >
> > Now when we script changes to the hkey_user with regedit in the user logon
> > script it is disabled because it is ran as the user and the user is
> > blocked
> > from regedit.
> >
> > Is there a way to block users from using regedit but to allow user scripts
> > to run the way we want. Would regini be blocked as well? Are there any
> > other
> > regedit tools that would work?
> >
>
>
>
Will editing HKEY_User make changes to everyones Hkey Current user when they
log on?
Does Hley_current get changes from hley_user?
"jabrandt@online.microsoft.com" wrote:
> If you are writing to the Hkey_user key and not Hkey_current_user what about
> making it a startup script rather than logon script so it will run under the
> local system account.
>
> --
> James Brandt [MSFT]
>
>
> "systimax" <systimax@discussions.microsoft.com> wrote in message
> news:0D497095-39E7-4983-812D-9BE5AB7A8B71@microsoft.com...
> > Hello, We have disabled users from using registry editing tools through
> > our
> > GPO.
> >
> > Now when we script changes to the hkey_user with regedit in the user logon
> > script it is disabled because it is ran as the user and the user is
> > blocked
> > from regedit.
> >
> > Is there a way to block users from using regedit but to allow user scripts
> > to run the way we want. Would regini be blocked as well? Are there any
> > other
> > regedit tools that would work?
> >
>
>
>
Archived from groups: microsoft.public.win2000.group_policy (More info?)
systimax wrote:
> Will editing HKEY_User make changes to everyones Hkey Current user
> when they log on?
>
> Does Hley_current get changes from hley_user?
No.
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.m...
systimax wrote:
> Will editing HKEY_User make changes to everyones Hkey Current user
> when they log on?
>
> Does Hley_current get changes from hley_user?
No.
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.m...
Related ressources
- disabling the browser service via GPO . - Forum
- Locally Stored Profile - Forum
- GPO software takes two reboots Win2k takes one. Why? - Forum
- How to chnage registry by a GPO - Forum
- GPO does not work fully - Forum
Archived from groups: microsoft.public.win2000.group_policy (More info?)
If you view the registry hkey_users will list sid's of all the user accounts
that have logged on. Where as Hkey_current_user is the current user logged
on.
The modification would need to be made on each subkey of Hkey_users
--
James Brandt [MSFT]
"Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
news:%23ukAZPHgEHA.3928@TK2MSFTNGP11.phx.gbl...
> systimax wrote:
>
>> Will editing HKEY_User make changes to everyones Hkey Current user when
>> they log on?
>>
>> Does Hley_current get changes from hley_user?
>
> No.
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.m...
If you view the registry hkey_users will list sid's of all the user accounts
that have logged on. Where as Hkey_current_user is the current user logged
on.
The modification would need to be made on each subkey of Hkey_users
--
James Brandt [MSFT]
"Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
news:%23ukAZPHgEHA.3928@TK2MSFTNGP11.phx.gbl...
> systimax wrote:
>
>> Will editing HKEY_User make changes to everyones Hkey Current user when
>> they log on?
>>
>> Does Hley_current get changes from hley_user?
>
> No.
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.m...
Archived from groups: microsoft.public.win2000.group_policy (More info?)
jabrandt@online.microsoft.com wrote:
> If you view the registry hkey_users will list sid's of all the user accounts
> that have logged on. Where as Hkey_current_user is the current user logged
> on.
> The modification would need to be made on each subkey of Hkey_users
Hi
Not for me it does.
The HKEY_USERS branch will not contain the registry data
for any other user than the current logged on one (at least
that is what I see on my computers).
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.m...
jabrandt@online.microsoft.com wrote:
> If you view the registry hkey_users will list sid's of all the user accounts
> that have logged on. Where as Hkey_current_user is the current user logged
> on.
> The modification would need to be made on each subkey of Hkey_users
Hi
Not for me it does.
The HKEY_USERS branch will not contain the registry data
for any other user than the current logged on one (at least
that is what I see on my computers).
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.m...
Archived from groups: microsoft.public.win2000.group_policy (More info?)
Are you the only user who has logged onto your machine?
135398 How To Write to the Windows Registry Using API Calls
http://support.microsoft.com/?id=135398
Windows NT Registry
-------------------
The Registry is a database of keys and values. The Windows NT Registry
contains four primary keys:
HKEY_CLASSES_ROOT - File associations and DDE/OLE actions.
HKEY_LOCAL_MACHINE - Global information on the state of the local
computer.
HKEY_USERS - Configuration information about each individual user
of the computer and the DEFAULT entry.
HKEY_CURRENT_USER - specific key within HKEY_USERS that stores
information for the currently active user.
--
James Brandt [MSFT]
"Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
news:e%23wMy7JgEHA.3932@TK2MSFTNGP09.phx.gbl...
> jabrandt@online.microsoft.com wrote:
>
>> If you view the registry hkey_users will list sid's of all the user
>> accounts that have logged on. Where as Hkey_current_user is the current
>> user logged on.
>> The modification would need to be made on each subkey of Hkey_users
> Hi
>
> Not for me it does.
>
> The HKEY_USERS branch will not contain the registry data
> for any other user than the current logged on one (at least
> that is what I see on my computers).
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.m...
Are you the only user who has logged onto your machine?
135398 How To Write to the Windows Registry Using API Calls
http://support.microsoft.com/?id=135398
Windows NT Registry
-------------------
The Registry is a database of keys and values. The Windows NT Registry
contains four primary keys:
HKEY_CLASSES_ROOT - File associations and DDE/OLE actions.
HKEY_LOCAL_MACHINE - Global information on the state of the local
computer.
HKEY_USERS - Configuration information about each individual user
of the computer and the DEFAULT entry.
HKEY_CURRENT_USER - specific key within HKEY_USERS that stores
information for the currently active user.
--
James Brandt [MSFT]
"Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
news:e%23wMy7JgEHA.3932@TK2MSFTNGP09.phx.gbl...
> jabrandt@online.microsoft.com wrote:
>
>> If you view the registry hkey_users will list sid's of all the user
>> accounts that have logged on. Where as Hkey_current_user is the current
>> user logged on.
>> The modification would need to be made on each subkey of Hkey_users
> Hi
>
> Not for me it does.
>
> The HKEY_USERS branch will not contain the registry data
> for any other user than the current logged on one (at least
> that is what I see on my computers).
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.m...
Archived from groups: microsoft.public.win2000.group_policy (More info?)
jabrandt@online.microsoft.com wrote:
> Are you the only user who has logged onto your machine?
Hi
No, e.g. I have logged in as the local "Administrator" user
before.
See below for an example using Reg.exe.
user2sid.exe comes from http://www.chem.msu.su/~rudnyi/NT/sid.zip
E:\sid>user2sid.exe Administrator
S-1-5-21-1397591522-2243138800-104724495-500
Number of subauthorities is 5
Domain is Y9042770-69
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser
E:\sid>reg query HKU\S-1-5-21-1397591522-2243138800-104724495-500 /s
Error: The system was unable to find the specified registry key or value
E:\sid>
But this works (loading the hive file first):
E:\>reg load HKLM\TmpHive "C:\Documents and Settings\Administrator\NTUSER.DAT"
The operation completed successfully
E:\>reg query HKLM\TmpHive /s
[snip] big registry dump
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.m...
jabrandt@online.microsoft.com wrote:
> Are you the only user who has logged onto your machine?
Hi
No, e.g. I have logged in as the local "Administrator" user
before.
See below for an example using Reg.exe.
user2sid.exe comes from http://www.chem.msu.su/~rudnyi/NT/sid.zip
E:\sid>user2sid.exe Administrator
S-1-5-21-1397591522-2243138800-104724495-500
Number of subauthorities is 5
Domain is Y9042770-69
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser
E:\sid>reg query HKU\S-1-5-21-1397591522-2243138800-104724495-500 /s
Error: The system was unable to find the specified registry key or value
E:\sid>
But this works (loading the hive file first):
E:\>reg load HKLM\TmpHive "C:\Documents and Settings\Administrator\NTUSER.DAT"
The operation completed successfully
E:\>reg query HKLM\TmpHive /s
[snip] big registry dump
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.m...
Related ressources:
- ForumDisable Exe and Other File Types from being run/viewed
- ForumVPN - GPO Problems
- ForumDisable "Allow logon to terminal server"
- ForumWhat's a "Dialer Object" & "Jump to Key" ??
- ForumDisable automatic updates in Windows XP2
- ForumDialer got in through internet and can't get to remove it...
- ForumDisable Office Assistants?
- ForumIE Script Error
- ForumPlease Help! Windows 2000 GPO Local Mess
- ForumScripts and GPOs won't run on some computers
- Forumlaptops connect at work but not at home?
- ForumMany Installations of MSSQLSERVER.
- ForumUnattended Installation
- ForumParallel and com ports not appearing in device manager
- ForumNeed Help on Difficult GPO Requirement
- More resources
!
