Disable Reg tools through GPO now cant script hkey_user

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hello, We have disabled users from using registry editing tools through our
GPO.

Now when we script changes to the hkey_user with regedit in the user logon
script it is disabled because it is ran as the user and the user is blocked
from regedit.

Is there a way to block users from using regedit but to allow user scripts
to run the way we want. Would regini be blocked as well? Are there any other
regedit tools that would work?
7 answers Last reply
More about disable tools script hkey_user
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    If you are writing to the Hkey_user key and not Hkey_current_user what about
    making it a startup script rather than logon script so it will run under the
    local system account.

    --
    James Brandt [MSFT]


    "systimax" <systimax@discussions.microsoft.com> wrote in message
    news:0D497095-39E7-4983-812D-9BE5AB7A8B71@microsoft.com...
    > Hello, We have disabled users from using registry editing tools through
    > our
    > GPO.
    >
    > Now when we script changes to the hkey_user with regedit in the user logon
    > script it is disabled because it is ran as the user and the user is
    > blocked
    > from regedit.
    >
    > Is there a way to block users from using regedit but to allow user scripts
    > to run the way we want. Would regini be blocked as well? Are there any
    > other
    > regedit tools that would work?
    >
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Will editing HKEY_User make changes to everyones Hkey Current user when they
    log on?

    Does Hley_current get changes from hley_user?


    "jabrandt@online.microsoft.com" wrote:

    > If you are writing to the Hkey_user key and not Hkey_current_user what about
    > making it a startup script rather than logon script so it will run under the
    > local system account.
    >
    > --
    > James Brandt [MSFT]
    >
    >
    > "systimax" <systimax@discussions.microsoft.com> wrote in message
    > news:0D497095-39E7-4983-812D-9BE5AB7A8B71@microsoft.com...
    > > Hello, We have disabled users from using registry editing tools through
    > > our
    > > GPO.
    > >
    > > Now when we script changes to the hkey_user with regedit in the user logon
    > > script it is disabled because it is ran as the user and the user is
    > > blocked
    > > from regedit.
    > >
    > > Is there a way to block users from using regedit but to allow user scripts
    > > to run the way we want. Would regini be blocked as well? Are there any
    > > other
    > > regedit tools that would work?
    > >
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    systimax wrote:

    > Will editing HKEY_User make changes to everyones Hkey Current user
    > when they log on?
    >
    > Does Hley_current get changes from hley_user?

    No.


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    If you view the registry hkey_users will list sid's of all the user accounts
    that have logged on. Where as Hkey_current_user is the current user logged
    on.
    The modification would need to be made on each subkey of Hkey_users

    --
    James Brandt [MSFT]


    "Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
    news:%23ukAZPHgEHA.3928@TK2MSFTNGP11.phx.gbl...
    > systimax wrote:
    >
    >> Will editing HKEY_User make changes to everyones Hkey Current user when
    >> they log on?
    >>
    >> Does Hley_current get changes from hley_user?
    >
    > No.
    >
    >
    > --
    > torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    > Administration scripting examples and an ONLINE version of
    > the 1328 page Scripting Guide:
    > http://www.microsoft.com/technet/scriptcenter/default.mspx
  5. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    jabrandt@online.microsoft.com wrote:

    > If you view the registry hkey_users will list sid's of all the user accounts
    > that have logged on. Where as Hkey_current_user is the current user logged
    > on.
    > The modification would need to be made on each subkey of Hkey_users
    Hi

    Not for me it does.

    The HKEY_USERS branch will not contain the registry data
    for any other user than the current logged on one (at least
    that is what I see on my computers).


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
  6. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Are you the only user who has logged onto your machine?

    135398 How To Write to the Windows Registry Using API Calls
    http://support.microsoft.com/?id=135398

    Windows NT Registry
    -------------------


    The Registry is a database of keys and values. The Windows NT Registry
    contains four primary keys:


    HKEY_CLASSES_ROOT - File associations and DDE/OLE actions.

    HKEY_LOCAL_MACHINE - Global information on the state of the local
    computer.

    HKEY_USERS - Configuration information about each individual user
    of the computer and the DEFAULT entry.

    HKEY_CURRENT_USER - specific key within HKEY_USERS that stores
    information for the currently active user.


    --
    James Brandt [MSFT]


    "Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
    news:e%23wMy7JgEHA.3932@TK2MSFTNGP09.phx.gbl...
    > jabrandt@online.microsoft.com wrote:
    >
    >> If you view the registry hkey_users will list sid's of all the user
    >> accounts that have logged on. Where as Hkey_current_user is the current
    >> user logged on.
    >> The modification would need to be made on each subkey of Hkey_users
    > Hi
    >
    > Not for me it does.
    >
    > The HKEY_USERS branch will not contain the registry data
    > for any other user than the current logged on one (at least
    > that is what I see on my computers).
    >
    >
    > --
    > torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    > Administration scripting examples and an ONLINE version of
    > the 1328 page Scripting Guide:
    > http://www.microsoft.com/technet/scriptcenter/default.mspx
  7. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    jabrandt@online.microsoft.com wrote:

    > Are you the only user who has logged onto your machine?
    Hi

    No, e.g. I have logged in as the local "Administrator" user
    before.

    See below for an example using Reg.exe.

    user2sid.exe comes from http://www.chem.msu.su/~rudnyi/NT/sid.zip


    E:\sid>user2sid.exe Administrator

    S-1-5-21-1397591522-2243138800-104724495-500

    Number of subauthorities is 5
    Domain is Y9042770-69
    Length of SID in memory is 28 bytes
    Type of SID is SidTypeUser

    E:\sid>reg query HKU\S-1-5-21-1397591522-2243138800-104724495-500 /s

    Error: The system was unable to find the specified registry key or value

    E:\sid>


    But this works (loading the hive file first):

    E:\>reg load HKLM\TmpHive "C:\Documents and Settings\Administrator\NTUSER.DAT"

    The operation completed successfully

    E:\>reg query HKLM\TmpHive /s

    [snip] big registry dump


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
Ask a new question

Read More

Regedit Microsoft Windows