Users can't change HKCU

Sherwood Botsford

Not sure what I've done, but users cannot make changes to their own
registry hive.

Setup: Samba server acting as PDC, no active directory.
Clients run win2k sp3.

On login, users are supposed to run $NETLOGON/login.cmd.
This does get executed -- all the net use commands work.
But the commands to set folder paths do not get executed.
Running login.cmd manually as a user gets a permission denied
for those lines of the file.

Question 1: What registry setting on the machine decides
whether users can make changes to their registry setting?

Question 2: Is there a way to run a script as Administrator
on bootup, where that script is stored on the NETLOGON share?

Question 3: Is there a batch tool for editing many users' ntuser.dat
files? In unix land, I could use sed and create a file of find and
replace expressions. While regedt32 will allow me to manually load
a user's hive, and make changes, at this point I don't know how to
do it in bulk.
 
Registry keys have ACLs. It sounds like you've used one user's profile as
the basis for other users' profiles. You need to use the "user profiles"
feature in the properties dialogue of "My Computer" and click the "copy to"
function to generate the profile. Note the "permitted to use" button and
complete as appropriate.

Regards

Oli
 
Oli Restorick said:
Registry keys have ACLs. It sounds like you've used one user's profile as
the basis for other users' profiles. You need to use the "user profiles"
feature in the properties dialogue of "My Computer" and click the "copy to"
function to generate the profile. Note the "permitted to use" button and
complete as appropriate.

Regards

Oli

I'll check that out. Fixing this on each computer is not practical.
I have 40 computers, and 130 profiles. I think this is something I did
while trying to lock down the computers to reduce the kids' ability to
screw them up. (Can't make it foolproof. Fools are too clever.)

My question 1 is the general case of how to deal with this:
How can I make a change in MANY profiles without using a mouse?
 
Sherwood Botsford said:
I'll check that out. Fixing this on each computer is not practical.
I have 40 computers, and 130 profiles. I think this is something I did
while trying to lock down the computers to reduce the kids' ability to
screw them up. (Can't make it foolproof. Fools are too clever.)

My question 1 is the general case of how to deal with this:
How can I make a change in MANY profiles without using a mouse?

I did it the following way ..

I did set up the samba as a PDC ...
connected the XP machines here to the domain and created one "reference"
user .. then copied that profile from the XP machine to the "Profiles" share
on the PDC ..

Then I made a small script on the Linux machine to just create new users in
one stroke. i.e. it makes the Linux user, prevents login on the PDC .. creates
the users' dirs and copies the master profile to the new account and adds
the new user to the smbpasswd file .. I also set the user group as well.
works like a charm ..

& BTW you can prevent the changing of profiles by making them mandatory ..
it is documented in the MS docs but I think changing the .dat extension to a
.man extension for those ntxxxx.dat files should do the trick .. seem to
remember you could also "prevent propagation of profile changes to the
server" through gpedit.msc .. if I'm not mistaken ..

HTH
 
More grist for this mill:

I logged in as Administrator. Running the logon script as administrator
has no problems. Ok. No surprise.

Turned on a lot of "log on failure" security audits. Logged in as a user,
logged out, and logged in again as administrator.

Checking the Event log files, I found that the only errors concerning the user
were concerning SeIncreaseBasePriorityPrivilege.
 
On the advice of one individual I checked the ownership & permissions
on the profile. (My Computer -> Properties -> User profiles -> select user ->
Security tab)

The user has full rights on the profile.
 
Problem solved. Program I used to do the registry edits
was dtreg.exe by David Thomas.

Found an article on LabMice.net that explained command line
use of regedit. That did the trick.
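
Added example (not from any poster in this thread): one way to make the same change in many profiles from the command line, as asked above, by loading each offline ntuser.dat with reg.exe, writing one value and unloading it. The profile root, the temporary key name, the chosen value and its data are assumptions for illustration; it assumes a reg.exe that supports load/unload and an administrator session with the affected users logged off.

```bat
@echo off
rem Added example: set one value in every offline ntuser.dat under a profile root.
rem Assumed layout (hypothetical): %PROFILE_ROOT%\<user>\ntuser.dat
setlocal
set "PROFILE_ROOT=D:\profiles"
rem Temporary mount point under HKEY_USERS; the name is arbitrary.
set "TEMP_KEY=HKU\BulkEdit"
rem Value to change: the per-user "My Documents" path (assumed target).
set "SUBKEY=Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
set "VALUE=Personal"
set "DATA=H:\My Documents"
set FAILED=0

for /d %%U in ("%PROFILE_ROOT%\*") do (
    if exist "%%U\ntuser.dat" (
        rem Loading fails if the user is logged on or the file ACL denies access.
        reg load "%TEMP_KEY%" "%%U\ntuser.dat" >nul 2>&1
        if errorlevel 1 (
            echo SKIP %%~nxU: hive in use or access denied
            set /a FAILED+=1
        ) else (
            reg add "%TEMP_KEY%\%SUBKEY%" /v "%VALUE%" /t REG_EXPAND_SZ /d "%DATA%" /f >nul 2>&1
            if errorlevel 1 (
                echo FAIL %%~nxU: could not write value
                set /a FAILED+=1
            ) else (
                echo OK   %%~nxU
            )
            rem Always unload, otherwise the next load onto the same key fails.
            reg unload "%TEMP_KEY%" >nul
        )
    )
)

echo Done, %FAILED% profile(s) not updated.
exit /b %FAILED%
```

Writing a value this way does not alter the ACLs stored on the keys inside the hive, so a profile whose keys deny the user write access will still deny it after the edit.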
 