Disable Reg tools through GPO now cant script hkey_user

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hello, We have disabled users from using registry editing tools through our
GPO.

Now when we script changes to the hkey_user with regedit in the user logon
script it is disabled because it is ran as the user and the user is blocked
from regedit.

Is there a way to block users from using regedit but to allow user scripts
to run the way we want. Would regini be blocked as well? Are there any other
regedit tools that would work?

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

If you are writing to the Hkey_user key and not Hkey_current_user what about
making it a startup script rather than logon script so it will run under the
local system account.

--
James Brandt [MSFT]


"systimax" <systimax@discussions.microsoft.com> wrote in message
news:0D497095-39E7-4983-812D-9BE5AB7A8B71@microsoft.com...
> Hello, We have disabled users from using registry editing tools through
> our
> GPO.
>
> Now when we script changes to the hkey_user with regedit in the user logon
> script it is disabled because it is ran as the user and the user is
> blocked
> from regedit.
>
> Is there a way to block users from using regedit but to allow user scripts
> to run the way we want. Would regini be blocked as well? Are there any
> other
> regedit tools that would work?
>

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Will editing HKEY_User make changes to everyones Hkey Current user when they
log on?

Does Hley_current get changes from hley_user?




"jabrandt@online.microsoft.com" wrote:

> If you are writing to the Hkey_user key and not Hkey_current_user what about
> making it a startup script rather than logon script so it will run under the
> local system account.
>
> --
> James Brandt [MSFT]
>
>
> "systimax" <systimax@discussions.microsoft.com> wrote in message
> news:0D497095-39E7-4983-812D-9BE5AB7A8B71@microsoft.com...
> > Hello, We have disabled users from using registry editing tools through
> > our
> > GPO.
> >
> > Now when we script changes to the hkey_user with regedit in the user logon
> > script it is disabled because it is ran as the user and the user is
> > blocked
> > from regedit.
> >
> > Is there a way to block users from using regedit but to allow user scripts
> > to run the way we want. Would regini be blocked as well? Are there any
> > other
> > regedit tools that would work?
> >
>
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

systimax wrote:

> Will editing HKEY_User make changes to everyones Hkey Current user
> when they log on?
>
> Does Hley_current get changes from hley_user?

No.


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

If you view the registry hkey_users will list sid's of all the user accounts
that have logged on. Where as Hkey_current_user is the current user logged
on.
The modification would need to be made on each subkey of Hkey_users

--
James Brandt [MSFT]


"Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
news:%23ukAZPHgEHA.3928@TK2MSFTNGP11.phx.gbl...
> systimax wrote:
>
>> Will editing HKEY_User make changes to everyones Hkey Current user when
>> they log on?
>>
>> Does Hley_current get changes from hley_user?
>
> No.
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.mspx

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

jabrandt@online.microsoft.com wrote:

> If you view the registry hkey_users will list sid's of all the user accounts
> that have logged on. Where as Hkey_current_user is the current user logged
> on.
> The modification would need to be made on each subkey of Hkey_users
Hi

Not for me it does.

The HKEY_USERS branch will not contain the registry data
for any other user than the current logged on one (at least
that is what I see on my computers).


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Are you the only user who has logged onto your machine?

135398 How To Write to the Windows Registry Using API Calls
http://support.microsoft.com/?id=135398

Windows NT Registry
-------------------



The Registry is a database of keys and values. The Windows NT Registry
contains four primary keys:



HKEY_CLASSES_ROOT - File associations and DDE/OLE actions.

HKEY_LOCAL_MACHINE - Global information on the state of the local
computer.

HKEY_USERS - Configuration information about each individual user
of the computer and the DEFAULT entry.

HKEY_CURRENT_USER - specific key within HKEY_USERS that stores
information for the currently active user.


--
James Brandt [MSFT]


"Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
news:e%23wMy7JgEHA.3932@TK2MSFTNGP09.phx.gbl...
> jabrandt@online.microsoft.com wrote:
>
>> If you view the registry hkey_users will list sid's of all the user
>> accounts that have logged on. Where as Hkey_current_user is the current
>> user logged on.
>> The modification would need to be made on each subkey of Hkey_users
> Hi
>
> Not for me it does.
>
> The HKEY_USERS branch will not contain the registry data
> for any other user than the current logged on one (at least
> that is what I see on my computers).
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.mspx

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

jabrandt@online.microsoft.com wrote:

> Are you the only user who has logged onto your machine?
Hi

No, e.g. I have logged in as the local "Administrator" user
before.

See below for an example using Reg.exe.

user2sid.exe comes from http://www.chem.msu.su/~rudnyi/NT/sid.zip


E:\sid>user2sid.exe Administrator

S-1-5-21-1397591522-2243138800-104724495-500

Number of subauthorities is 5
Domain is Y9042770-69
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser

E:\sid>reg query HKU\S-1-5-21-1397591522-2243138800-104724495-500 /s

Error: The system was unable to find the specified registry key or value

E:\sid>



But this works (loading the hive file first):

E:\>reg load HKLM\TmpHive "C:\Documents and Settings\Administrator\NTUSER.DAT"

The operation completed successfully

E:\>reg query HKLM\TmpHive /s

[snip] big registry dump



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx