Announcement

Collapse
No announcement yet.

Applying registry edits to users logging on

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Applying registry edits to users logging on

    I've been working on this for about 4 hours and I finally gave up.

    I created a registry file with a long list of restrictions to be applied to a Windows 7 Pro computer. I have about 15 of these computers and they are not connected to a domain. The registry entried pretty much lockdown the computer so that they can't right click or see the drives or modify settings etc. The script works fine and I am happy with the results, but the problem is I don't know how to get this script to run. Of course if I put the reg file in the all users startup, it would not run because the user doesn't have the rights to modify the registry. I tried the runas command with sanur but it doesn't seem to work in Win7. I tried a Task Scheduler to run the script as a different user (admin) on each users logon but when I run it manually it doesn't seem to work. I tried adding it to the Computer logon scripts but it doesn't work. But when I run the batch file itself it works just fine, aside from the fact that if I run it under the standard user the registry edits won't happen because the permissions are not there.

    Anyone have any ides? I need this script to run automatically as I cannot sit there logging in as each user and running the script, and I want the option to modify the .reg file every now and then and then the next time the user logs on it pushes the newest changes.

    Thanks

  • #2
    Re: Applying registry edits to users logging on

    Sounds like a good use for Group Policy Preferences, assuming your DCs are 2008
    More info:
    http://www.microsoft.com/download/en....aspx?id=24449
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Applying registry edits to users logging on

      Originally posted by Ossian View Post
      Sounds like a good use for Group Policy Preferences, assuming your DCs are 2008
      More info:
      http://www.microsoft.com/download/en....aspx?id=24449
      I mentioned that these PC's are not part of any domain whatsoever. They are standalone.

      Comment


      • #4
        Re: Applying registry edits to users logging on

        Sorry -- didnt read it in enough detail.
        Will put thinking hat on, but your options are limited...
        How about using psexec to run it remotely, using elevated permissions -- you could script something to loop through all the PCs
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: Applying registry edits to users logging on

          Originally posted by Ossian View Post
          Sorry -- didnt read it in enough detail.
          Will put thinking hat on, but your options are limited...
          How about using psexec to run it remotely, using elevated permissions -- you could script something to loop through all the PCs
          I started using lsrunas and was convinced it was working until I realized that when you run regedit.exe /s reg.reg using the lsrunas command, and you're entering HKCU entries, it actually enters them into the registry of the lsrunas account you are using. Could be dangerous but luckily I didn't end up restricting the admin account too bad.

          How can I get the lsrunas command to modify the HKCU of the currently logged on user while running the actual registry import as an elevated process?

          Comment


          • #6
            Re: Applying registry edits to users logging on

            If you launch the command using a Runas service (i.e. via scheduled task) and the command should edit the current user's registry hive - then a script is required that firstly determine the SID-of the current user and then use this SID to modify the current user's registry values in the HKEY-USERS\S-1-5-xx-xxx...\... part.

            Instead of regedit.exe /s "pathto\file.reg" it is preferred using reg.exe import "pathto\file.reg".


            Originally posted by kingbear2 View Post
            Of course if I put the reg file in the all users startup, it would not run because the user doesn't have the rights to modify the registry.
            Users normally do have the rights to modify the HKCU hive, exept for 'policy' keys and a few other keys. Are some of the entries in the reg file in one of the policy subkeys?

            What OS is on the computers?

            /Rems

            This posting is provided "AS IS" with no warranties, and confers no rights.

            __________________

            ** Remember to give credit where credit's due **
            and leave Reputation Points for meaningful posts

            Comment


            • #7
              Re: Applying registry edits to users logging on

              I actually found a nifty utility called modifyprofile.exe that will load all users registry hives one by one and apply the registry modifications and then unload them. Conveniently enough it skips the currently logged in users hive which works out well for me because I don't want to modify the administrators HKCU.

              So you were saying if I use the lsrunas command, I need to determine the logged in users SID and then place that variable in my reg file to import into the correct hive. I don't know how to use a variable in a reg script though.

              Comment


              • #8
                Re: Applying registry edits to users logging on

                Originally posted by kingbear2 View Post
                So you were saying if I use the Lsrunas command, I need to determine the logged in users SID and then place that variable in my reg file to import into the correct hive. I don't know how to use a variable in a reg script though.
                here is a sample,
                Code:
                :: this sample is using PsExec for the "RUN AS" job
                :: but you can also use something like Lsrunas instead.
                
                :: copy the files PsGetsid.exe and PsExec.exe to %windir% first!
                
                @echo off
                
                For /f "skip=6 tokens=*" %%! in (
                  'PsGetsid.exe %username% 2^>^&1') do SET "SID=%%!"
                
                Call Set "run=%temp%\regfile"
                Set "task=Reg.exe import %run%"
                
                >%run% call:reffile "c:\regfile.reg"
                
                PsExec.exe -u "Administrator" -p "@@[email protected]@" %task%
                
                
                goto:EOF --------------------------------------------------------------
                :reffile
                setlocal enabledelayedexpansion
                for /f "tokens=*" %%* in ('type %*') do call:regfile %%*
                endlocal
                exit /b 0
                :regfile
                set "line=%*"
                set "line=%line:[HKEY_CURRENT_USER=[HKEY_USERS\!SID!%"
                echo.%line%
                exit /b 0
                ----------------------------------------------------------------
                When this script should run only once for each user on the computer use "the active-setup keys". I have used active-setup a few times my self and it works very nice.


                Originally posted by kingbear2 View Post
                I actually found a nifty utility called modifyprofile.exe that will load all users registry hives one by one and apply the registry modifications and then unload them. Conveniently enough it skips the currently logged in users hive which works out well for me because I don't want to modify the administrators HKCU.
                Glad you got it sorted.


                Maybe there is a third way by copying the '\USER' subfolder from %windir%\System32\GroupPolicy folder from a reference computer to all other computers. Make sure the owner of the files and folders stays the local group administrators. (http://www.theeldergeek.com/gp07.htm). Not sure though whether a local Registry.pol file will function if it is copied from another computer! Create good backups before testing!!

                /Rems
                Last edited by Rems; 1st November 2011, 19:00.

                This posting is provided "AS IS" with no warranties, and confers no rights.

                __________________

                ** Remember to give credit where credit's due **
                and leave Reputation Points for meaningful posts

                Comment

                Working...
                X