Giving Rights to HKEY_CURRENT_USERSsoftware folderapplication

Home Forums Microsoft Networking and Management Services GPO Giving Rights to HKEY_CURRENT_USERSsoftware folderapplication

This topic contains 11 replies, has 5 voices, and was last updated by Avatar Daveinholland 12 years, 7 months ago.

Viewing 12 posts - 1 through 12 (of 12 total)
  • Author
    Posts
  • #120631

    H there

    I am trying to use Group police to give employees the necessary rights over certain registry keys. An application requires this.

    HKEY_Local_MachineSoftwareApplication

    HKEY_USERSSoftwareApplication

    I have no problems assigning permissions to the previous keys in a GPO, but I don’t see an option for Hkey_Current_Users

    So how do I assign appropriate permissions to the following key:

    HKEY_Current_UsersSoftwareApllication

    Avatar
    sorinso
    Member
    #264567

    Re: Giving Rights to HKEY_CURRENT_USERSsoftware folderapplication

    Hi, daveinholland.
    I understand you cannot give permission on the HKCUSoftware[SomeApplication] registry key, is that correct?
    Have you tried through regedit too and it didn’t work? ( You know, right click on the key, Permissions…)
    What permissions does your user (the one you are logged in with while trying to change the permissions) have on the same key? And on the key above it?

    #290963

    Re: Giving Rights to HKEY_CURRENT_USERSsoftware folderapplication

    Through Regedit I can do this, buy the thing is I want to give the users these rights from teh server through a GPO.

    But in teh setting windows settingssecurity settings registry when I want to edit a registry item All I can edit are the HKLM / CLASSES ROOT and USERS key. This works fine but I want to also edit the Hkey Current USesrs folder through a group policy or else I have to do this manually on all pc’s

    Avatar
    netxt
    Member
    #252688

    Re: Giving Rights to HKEY_CURRENT_USERSsoftware folderapplication

    Hello,
    From my point of view there is no need to do it. HKCU is a sub key of HKU (HKEY_USERS).
    http://support.microsoft.com/kb/256986
    So, modify permissions only in HKEY_USERS and this is available in GPO.

    Avatar
    Mouse
    Member
    #290848

    Re: Giving Rights to HKEY_CURRENT_USERSsoftware folderapplication

    Sounds like a custom policy job my friend, there are a number of related items for making custom ADMs within this forum but this link http://support.microsoft.com/kb/323639/en-us will get you going in the right direction.

    Edit: Sorry netxt didn’t see your post, sounds like your closer to the mark :)

    Avatar
    sorinso
    Member
    #264570

    Re: Giving Rights to HKEY_CURRENT_USERSsoftware folderapplication

    Aaaaa…. that one :):)
    The HKCU key is a copy of the user’s registry set from HKU (according to it’s SID). So give permissions on the HKU branch.

    Added: Oooops! I’m outdated.. This is what happens when you talk with the boss instead of answering to the forum… :):)

    #290964

    Re: Giving Rights to HKEY_CURRENT_USERSsoftware folderapplication

    mmm giving rights to just the hkey users key even though I know Hkey current users is a subset of this key doesn’t seem to work.

    Any ideas how to directly modify the hkey cirrent users key with helkp of a GPO?

    Avatar
    sorinso
    Member
    #264583

    Re: Giving Rights to HKEY_CURRENT_USERSsoftware folderapplication

    There’s a tool available: RegINI.
    Do you think it can help you?

    Avatar
    Mouse
    Member
    #290854

    Re: Giving Rights to HKEY_CURRENT_USERSsoftware folderapplication

    Quote:
    Any ideas how to directly modify the hkey cirrent users key with helkp of a GPO?

    You can create them yourself, this link should help you get started.
    http://support.microsoft.com/kb/323639/en-us

    Avatar
    guyt
    Member
    #193446

    Re: Giving Rights to HKEY_CURRENT_USERSsoftware folderapplication

    This is a catch22 situation – the HKCU hive is not available when processing computer settings part og a GPO, hence you will not see the hive there.

    As for writing custom ADMs, this will not work too – registry permissions can not be assigned via custom ADMs.

    Now to the more interesting question: by default the logged on user has Full Control over HKCU branch and unless you have done something to lock this down, the user should be able to change anything in HKCU.
    Now if you did lock it down, as the user is the Owner of the branch, you can change the permissions over HKCUSoftware in the logged in user’s security context. This can be done using something like regini.exe:

    regini.exe unlock_hkcu_software.ini[/CODE]

    an example unlock_hkcu_software.ini file attached. More on altering permissions using regini can be found by running regini /?

    You can create a script and add it as Logon script in the GPO linked to container wherer the user accounts reside.[CODE]regini.exe unlock_hkcu_software.ini[/CODE]

    an example unlock_hkcu_software.ini file attached. More on altering permissions using regini can be found by running regini /?

    You can create a script and add it as Logon script in the GPO linked to container wherer the user accounts reside.

    #290969

    Re: Giving Rights to HKEY_CURRENT_USERSsoftware folderapplication

    Thank you I really believe I am on the right way now, however how do I use this line in a script? What I mean is: just this code?

    regini.exe unlock_hkcu_software.ini

    How would teh script look like? what extension?

    Avatar
    sorinso
    Member
    #264708

    Re: Giving Rights to HKEY_CURRENT_USERSsoftware folderapplication

    You can create a CMD file (the actual name for the old BAT files, with some improvements), that contains the command:
    regini.exe unlock_hkcu_software.ini.
    If you don’t want any output, you can add > nul at the end of the command. And you should solve the paths issues (meaning, if the REGINI.EXE and the INI file are not in the same folder).
    That should be it.

Viewing 12 posts - 1 through 12 (of 12 total)

You must be logged in to reply to this topic.