Enable users to modify Protected Registry Keys


Cathy Milan

By default users are not able to modify registry keys under

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

What code or function would I be able to use so that all
users would be able to modify those keys?

Thanks in advance.

Cathy
 
Registry keys have permissions just like the file system. Use regedt32 to
have access to the permissions settings.

Ray at home
 
Hi Ray,

The problem is that if I use RegEdt32 to make changes to the permissions of
a key under HKCU (the key whose access I am trying to change permissions for
is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies),
the permissions change only for that particular user. I would like to make
a change so that the permissions of that key change for every user that logs
in. I would like to make all these changes from the Administrators account.

Any ideas?

Cathy
 
You can create a profile the way you like it, then while logged on as
another user (with administrative rights) Control Panel|System|User
Profiles, select the profile you adjusted, Copy To, Browse to
%systemdrive%\Documents and Settings\Default User
Change "Permitted to use:" to "Everyone" OK

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows]
Microsoft Certified Professional [Windows 2000]
http://www.microsoft.com/protect


 
And in addition to Dave's suggestion for future users, for current users,
you can change the permissions for the currently logged on user over a
network by connecting to the computer in regedt32 as a user with admin
rights on the machine.

Another thing that would probably work would be to "runas|su" a command line
utility to change the registry permissions, or "AT|soon.exe" a task to do
it, which will run under the system account.

Runas|su: http://www.jsiinc.com/subg/tip3000/rh3063.htm

Command line reg permissions:
http://groups.google.com/groups?q=c...roup=microsoft.public.win2000.cmdprompt.admin

Ray at home
 
In said:
Hi Ray,

The problem is that if I use RegEdt32 to make changes to the
permissions of a key under HKCU (the key whose access I am
trying to change permissions for is
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies),
the permissions change only for that particular user. I would
like to make a change so that the permissions of that key change
for every user that logs in. I would like to make all these
changes from the Administrators account.

Any ideas?

Only just curious if whatever it is cannot more simply be
accomplished via local/domain GP in the first place.
 
Hi Ray,

I have tried using "runas /user:Administrator regedt32" while logged into
the user's account but when I looked at the keys in HKEY_CURRENT_USER they
were not the same as the user's current HKEY_CURRENT_USER keys. I think that
it brings up under HKEY_CURRENT_USER what is really under
HKEY_USERS\.DEFAULT. Therefore modifying those keys does not change the
user's keys.

Any idea why that is happening?

Cathy
 
You know, I forgot that runas loads the user's profile by default. So,
perhaps it's the administrator's profile under HKCU. That would make sense.
But if the other user is logged on too, his profile should exist under
HKU\S0-02309039203923TheUser'sSid....

You can runas with the /noprofile switch to avoid loading the
administrator's profile though. By doing that, you may see the current user
in HKCU.

Okay, I just tried it in XP, but HKCU was still the administrator's hive,
even with the /noprofile. But my profile, the account that I'm logged on
as, was available to me in HKU\S-1-5-21-etc.etc.

If you want to check for sure that the SID you expand is the correct user,
you can navigate to

HKU\[sid]\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

and take a look at the "special folders" in there and their paths.

Ray at home
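
The check described in the post above (finding the logged-on user's hive under HKU by SID instead of trusting HKCU in a runas session), as an added PowerShell example that is not part of the original thread. It reads the Desktop path from Shell Folders as suggested, additionally resolves the SID to an account name (an assumption of this example), and lists which identities hold write-type rights on the Policies key. It only reads, and the names `$policies`, `$shell` and `$writeMask` are this example's own.

```powershell
# Added example: audit, per loaded user hive, who can write to the Policies key.
# Run from an elevated prompt; HKCU there is the administrator's hive, so the
# logged-on users are reached through HKEY_USERS\<SID> instead.
$policies  = 'Software\Microsoft\Windows\CurrentVersion\Policies'
$shell     = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
    $sidText = $_.PSChildName

    # Keep real account hives only: skips .DEFAULT, service SIDs and *_Classes.
    if ($sidText -notmatch '^S-1-5-21-[\d-]+$') { return }

    # Resolve the SID to DOMAIN\user so the right hive is identified.
    try {
        $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '(unresolved SID)'
    }

    $base = "Registry::HKEY_USERS\$sidText"

    # Cross-check suggested in the thread: the profile paths under Shell Folders.
    $desktop = (Get-ItemProperty -Path "$base\$shell" -ErrorAction SilentlyContinue).Desktop

    if (-not (Test-Path -Path "$base\$policies")) {
        [pscustomobject]@{ Account = $account; Sid = $sidText; Desktop = $desktop
                           Identity = '(Policies key not present)'; Rights = $null; Inherited = $null }
        return
    }

    # Report every Allow entry that grants any write-type right on the key.
    (Get-Acl -Path "$base\$policies").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $writeMask) } |
        ForEach-Object {
            [pscustomobject]@{
                Account   = $account
                Sid       = $sidText
                Desktop   = $desktop
                Identity  = $_.IdentityReference.Value
                Rights    = $_.RegistryRights
                Inherited = $_.IsInherited
            }
        }
} | Format-Table -AutoSize
```

A row whose Identity is the user's own account means that user can already change values under Policies in that hive.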
 