
How to give permissions for users on "Current user" registry?


isterios

IS-IT--Management
Apr 16, 2003
205
NL
I would like to authorize users to have write permissions on specific keys in "Current User". These keys are those in HKCU\Software\Microsoft\Windows\current version\policies\explorer.

If I give write permissions for everyone with my administrator account on this key (explorer), it doesn't work: when the user logs on, the permissions I set have disappeared. The user has only read permissions.
If I give write permissions for everyone with my administrator account on this same key (explorer) but in HKEY_users\.default, same problem.

So how do I give write permissions for users on these keys in HKEY_Current_users?

thanks.
 
Hi,

Don't think you can, this is where AD locks your sessions down. And being able to alter this defeats policies!

What are you trying to accomplish?

Cheers,
Carl.
 
Thanks Ogi.

I still have the problem most Citrix admins have: I try to hide the Citrix server drives for users but not for myself as admin.

So I made a script (kix) which makes a difference between admin and user at logon, and which applies the key (no drives) in the current user registry in accordance with the profile.

But I never succeeded in giving write access to a user (only admin has write permissions).

Moreover, I tried to create a Citrix group on our AD and to apply a group policy object to it, but for a reason nobody knows here, the policy object never applies... (problem of replication between our domain controllers apparently).

Ogi, what best solution did you find for hiding Citrix drives? I have been searching for weeks now but no solution...

 
Hi,

Why don't you use two group policies in your Active Directory, one for admins, one for users?

I'll presume that you can't do that or don't want to or whatever! So, what I do is lock everyone down, including Admin but then create desktop shortcuts on my own desktop called "U:\" for the System Drive and just shortcut everything on my desktop so I can work around it!

It's great to use Microsoft software because everywhere they lock it down, they give you the ability to easily get round it!

Listening Microsoft? Thought not!

Cheers,
Carl.
 
Thanks Ogi. It is complex:

Our users will use two environments: Citrix environment and, let's call it, Z environment.

- On Citrix environment, I need specific policies such as disable control panel, disable "run" etc. (the desktop is published, an idea of my boss...)
- On Z environment, other policies are applied (but control panel must not be disabled etc.)

If I modify, on the active directory, the permissions for the users with policy object, it will affect Citrix and Z environment exactly the same way, and I don't want this.

Of course, on my Citrix servers, I need to have full permissions.

So, ok for hiding Citrix drives (with HKLM) and make shortcuts towards these drives. But how to prevent control panel, run, drives mapping, task manager etc. for users but not for me as admin?




 
Like he said, make 2 policies

UserPolicy - Lock everything down, then add all users (BUT NOT ADMIN) into that group

AdminPolicy - Set the policies you want and add yourself to it, easy... just takes time

That is how I have it set up and actually I only have 1 policy for Citrix users called "CitrixPolicy" and I didn't put myself in the group so none of the policies affect me.
 