Group policy - changing the permission on a certain registry entry 1

[dgcm]

We have got some awful software that requires any new user to a PC to have some registry entries created in HKCU\software\policies

I've gott a VB script that will do it, but it will only write them if the user logging in has admin rights on the PC. I found somewhere in group policy where you can set the permissions on a certain registry entry, but alas when I try to add it, there isn't any option for HKCU etc.

Does anyone know a way round this - I'd be 'happy' (I guess) to use group policy to allow users access to the registry in general to solve the problem - but I can't work out how to do that using Group policy.

Any advice apreciated.

 

[baddos]

HKCU\software\policies is the registry entry for a "User" group policy. I'm assuming any registry entries that need to be there, would easily be deployed as a GPO that wouldn't require users to have write access to the registry.

 

[dgcm]

I've got a VB script that would create those entries and have assigned it under the same GPO that does the users login scripts (i.e. drive mappings etc). However when a user logs in, unless they have admin rights on the machine, the script fails to run.

I considered pushing it out with the computer related policies, but didn't think it would then create those entries for the individual users.

Does that make sense ? (Basically my current setup has 'user policies' and 'computer policies'

I believe the script itself is good, as if I give the user admin rights on the machine, it runs ok and creates the entries.

 

[baddos]

If you can create a group policy that has those settings defined in the "User" part of the group policy you wouldn't need a script to manually setup those settings and wouldn't need the user to have admin access.

 

[dgcm]

I'm not sure in Group policy where to define registry settings........I'll have a look though Thanks

I'm close to washing my hands of this and passing it onto someone else ;-)

 

[baddos]

You can directly edit the registry via group policy preferences, but I would try to change the built in settings first to see if they cover the settings you need.

What specific registry settings do you need to change?

 

[dgcm]

I need to add two entries under :

HKCU\Software\Policies (the application creates these - but only for the account that installed it )

The software the company is awful ! The project lead asked the software company if it couldn't keep it's bits in HKEY_LOCAL_MACHINE instead, but they said no !

 

[baddos]

What specific registry settings do you need to change?

 

[dgcm]

HKCU\Software\Policies\Titus Labs\Message Classification\DefinitionFileServerPath", "C:\\Titus\\myEmail.tl" , "REG_SZ"

"HKCU\Software\Policies\Titus Labs\Document Classification\DefinitionFileServerPath", "C:\\Titus\\myDocuments.tl" , "REG_SZ"

I'm going to see if I can get an ADM that will work, but if anyone can tell me easily what the ADM should have in it, that would be great !

Thanks

 

[baddos]

Check out this link.

http://thelazyadmin.com/blogs/thelazyadmin/archive/2005/07/05/Creating-Custom-ADM-Templates.aspx

You can create a custom ADM file and add it to your group policy for your users.

 

[dgcm]

Thanks, I've already started looking at writing a custom ADM, however I haven't got the syntax quite right yet.

I shall persevere (the example on lazyadmin is a bit less daunting than others I've seen)

 

[dgcm]

Success ! Well sort of.......

I've put this into an ADM file

CLASS User
CATEGORY "Custom registry entries"
POLICY "Titus"
KEYNAME "Software\Policies\Titus Labs\Message Classification"
VALUENAME "DefinitionFileServerPath"
VALUEON "C:\Documents and Settings\All Users\Application Data\Titus Labs\MyEmail.tl"
END POLICY
END CATEGORY

And it works ! Do you know how I would enter a second registry entry (same category and policy, but different keyname) into the same ADM ?