

Set Registry Key on HKCU:\Software\Policies

Question

Tuesday, December 3, 2013 4:44 PM

Hi, I have software that needs to add some keys to the registry under HKCU:\Software\Policies

But it turns out that even though this is a Current User key, the user doesn't have rights to this key.

I seem to be able to modify everything under HKCU, but in this folder the user has only read permissions.

Why?

Is there a way to grant the user Full control of this key and subkeys without giving him Local Admin rights?

Can I modify this with a startup script even though this is HKCU?

Thanks

All replies (9)

Tuesday, December 3, 2013 6:41 PM | 1 vote

The Policies key is one of the locations where Group Policy typically stores values that are configured under the "Administrative Templates" section of User policies, which is why its permissions are restricted by default.  Ideally, you would just configure these options through Group Policy and let the system handle getting them into the registry.


Tuesday, December 3, 2013 9:44 PM

Yeah, what software is trying to write to that key?  That is very non-standard...


Wednesday, December 4, 2013 9:21 AM

Hi, it is Cisco software and I want to configure different settings depending on AD attributes with a PowerShell logon script.

The GPO is not as flexible....

So I would like to be able to modify this without admin rights.

thanks


Wednesday, December 4, 2013 2:24 PM

Then you would have to modify the permissions on those keys ahead of time, to allow the user to have Write permission to those registry keys.  This would have the side effect of letting a user get around Group Policy, in some ways, by changing registry values and running commands before the next policy refresh.
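
The side effect described in the reply above can be checked for. The following PowerShell is an added example, not code from any poster in this thread: it lists Allow ACEs that grant write-type rights on Software\Policies (and subkeys) in each loaded user hive to anyone other than SYSTEM and Administrators. The function name, the expected-SID list and the S-1-5-21 hive filter are assumptions; run it elevated, and note that only hives of currently loaded profiles appear under HKEY_USERS.

```powershell
# Added example: audit who can write under Software\Policies in each loaded user hive.
# Rights that let a principal change, replace or re-permission policy values.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Also catch unmapped generic ACEs: GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$writeMask = [int]$writeRights -bor 0x40000000 -bor 0x10000000

# Assumption: only SYSTEM and BUILTIN\Administrators are expected to hold write access.
$expectedSids = @('S-1-5-18', 'S-1-5-32-544')

function Get-PolicyKeyWriter {
    param([string]$SubKey = 'Software\Policies')

    # Per-user hives are named by SID; the regex skips .DEFAULT and the *_Classes hives.
    $hives = Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($hive in $hives) {
        $root = "Registry::HKEY_USERS\$($hive.PSChildName)\$SubKey"
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Check the Policies key itself and every key below it (vendor keys included).
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            $acl = Get-Acl -LiteralPath $key.PSPath
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
                if ($expectedSids -contains $ace.IdentityReference.Value) { continue }

                [pscustomobject]@{
                    Key       = $key.Name
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                    # True when the profile's own user can rewrite its policy values.
                    OwnUser   = ($ace.IdentityReference.Value -eq $hive.PSChildName)
                }
            }
        }
    }
}

Get-PolicyKeyWriter | Format-Table -AutoSize
```

An empty result means no unexpected writer was found on the hives that were loaded when the check ran.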


Wednesday, December 4, 2013 4:42 PM

How do I modify them?

If on logon the current users might not have logged on yet.

So it can't locate them...

I could find each user under HKU - SID and apply to all of them, but if a new user logs in it won't be there.

Regards


Wednesday, December 4, 2013 5:25 PM

<snip>

I could find each user under HKU - SID and apply to all of them, but if a new user logs in it won't be there.

Regards

You'll need to do that for existing users. As for new users, load NTUSER.DAT in C:\Users\Default and make your changes there. New users will inherit any changes you make (assuming GP doesn't later overwrite them, of course).

EDIT: Have you checked with Cisco as to why this software is wanting to do unsafe things? There must be a better way than this.



Wednesday, December 4, 2013 7:08 PM

Here's some code to update the Default User registry.  Using Reg.exe isn't purist, but it's a heck of a lot easier:

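# Load the Default User hive so that new profiles inherit the value (run elevated)
& reg.exe load HKU\CustomizeDefaultUserProfile "c:\users\Default\ntuser.dat"
New-ItemProperty -Path Registry::HKEY_USERS\CustomizeDefaultUserProfile\Software\Policies\Etc..\Etc.. -Name RegEntryName -PropertyType DWORD -Value 0
# Release the registry provider's open handles, otherwise the unload can fail with "Access is denied"
[gc]::Collect()
& reg.exe unload HKU\CustomizeDefaultUserProfile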

Thursday, December 5, 2013 7:38 AM

Hi Slowscripter,

Thanks for your posting.

Agree with David, this registry key has security permissions so that a standard user cannot change these keys to disable or change the behavior of applied policies. The keys are created when the GPO is applied.
Note: A local administrator can overwrite these registry keys and thus change or disable the behavior of the policy.
However, to achieve your goal without granting the Domain Users modify permission, you may create your own ADM file to write keys and values in HKEY_CURRENT_USER\Software\Policies.
For detailed information, please refer to this forum thread:

Write under HKCU via GPO:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/ed6d016a-69a8-4694-9283-b2f487498c82/write-under-hkcu-via-gpo

I hope this helps.



Thursday, December 5, 2013 9:54 AM

Hi, thanks for your reply, the problem is that GPO is not flexible, as I need different settings for different users based on AD attributes.

So a PowerShell script is the best solution here.

I also tried to deploy a registry key by GPO with Domain\Users Full control to it, but the permissions don't get applied.

The Key needs to be on:

HKEY_CURRENT_USER\Software\Policies\Cisco.

And under Cisco it will have Other Keys with multiple values.

HKEY_CURRENT_USER\Software\Policies\Cisco\Comms\Rules

Is there a way to grant Users Full control to just HKEY_CURRENT_USER\Software\Policies\Cisco\ and inherent objects and keys?

I don't need Full control to HKEY_CURRENT_USER\Software\Policies\

Just the Cisco key and below.

I tried with Rhysaroni's code, but I don't know how it is supposed to work

Thanks