Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Group policy - changing the permission on a certain registry entry 1

Status
Not open for further replies.

dgcm

IS-IT--Management
Sep 26, 2008
52
GB
We have got some awful software that requires any new user to a PC to have some registry entries created in HKCU\software\policies

I've gott a VB script that will do it, but it will only write them if the user logging in has admin rights on the PC. I found somewhere in group policy where you can set the permissions on a certain registry entry, but alas when I try to add it, there isn't any option for HKCU etc.

Does anyone know a way round this - I'd be 'happy' (I guess) to use group policy to allow users access to the registry in general to solve the problem - but I can't work out how to do that using Group policy.

Any advice apreciated.
 
HKCU\software\policies is the registry entry for a "User" group policy. I'm assuming any registry entries that need to be there, would easily be deployed as a GPO that wouldn't require users to have write access to the registry.
 
I've got a VB script that would create those entries and have assigned it under the same GPO that does the users login scripts (i.e. drive mappings etc). However when a user logs in, unless they have admin rights on the machine, the script fails to run.

I considered pushing it out with the computer related policies, but didn't think it would then create those entries for the individual users.

Does that make sense ? (Basically my current setup has 'user policies' and 'computer policies'

I believe the script itself is good, as if I give the user admin rights on the machine, it runs ok and creates the entries.
 
If you can create a group policy that has those settings defined in the "User" part of the group policy you wouldn't need a script to manually setup those settings and wouldn't need the user to have admin access.
 
I'm not sure in Group policy where to define registry settings........I'll have a look though :) Thanks

I'm close to washing my hands of this and passing it onto someone else ;-)
 
You can directly edit the registry via group policy preferences, but I would try to change the built in settings first to see if they cover the settings you need.

What specific registry settings do you need to change?
 
I need to add two entries under :

HKCU\Software\Policies (the application creates these - but only for the account that installed it )

The software the company is awful ! The project lead asked the software company if it couldn't keep it's bits in HKEY_LOCAL_MACHINE instead, but they said no !



 
What specific registry settings do you need to change?
 
HKCU\Software\Policies\Titus Labs\Message Classification\DefinitionFileServerPath", "C:\\Titus\\myEmail.tl" , "REG_SZ"

"HKCU\Software\Policies\Titus Labs\Document Classification\DefinitionFileServerPath", "C:\\Titus\\myDocuments.tl" , "REG_SZ"

I'm going to see if I can get an ADM that will work, but if anyone can tell me easily what the ADM should have in it, that would be great !

Thanks :)
 
Thanks, I've already started looking at writing a custom ADM, however I haven't got the syntax quite right yet.

I shall persevere (the example on lazyadmin is a bit less daunting than others I've seen)

 
Success ! Well sort of.......

I've put this into an ADM file

CLASS User
CATEGORY "Custom registry entries"
POLICY "Titus"
KEYNAME "Software\Policies\Titus Labs\Message Classification"
VALUENAME "DefinitionFileServerPath"
VALUEON "C:\Documents and Settings\All Users\Application Data\Titus Labs\MyEmail.tl"
END POLICY
END CATEGORY

And it works ! Do you know how I would enter a second registry entry (same category and policy, but different keyname) into the same ADM ?
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top