HKEY_CURRENT_USER Permissions Script

[RobFuller]

Hey,

I'm trying to write a script that will add permissions to the HKEY_CURRENT_USER hive so that the Interactive User has Full Control. What has happened here is when we created staff user profiles the profile they were created from had this missing. Meaning when the logged onto a machine it couldn’t write to there personal registry!!
So to fix this program I’m hoping to write a script which will run at logon to fix this problem. But I’m having trouble getting the script to run and was hoping someone here to help me please!


Set wshNetwork = CreateObject("WScript.Network")
strUser = wshNetwork.Username

strComputer = "."

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objAccount = objWMIService.Get _
("Win32_UserAccount.Name="""& strUser &""",Domain=""dnt1""")

strSID = objAccount.SID

Set objShell = CreateObject("WScript.Shell")
objShell.Run "E:\regini\regini '\Registry\User\' & strSID & '\ [1 5 13 17 21]'"




I'm not brilliant at scripts to please don’t slaughter me!! lol.
Any help would be appreciated!!

Rob

[m2d2]

Are you talking about registry permissions or registry keys?

If it's permissions then the most straight forward thing to do would be to call a command line utitlity such as SetACL or SubInAcl

SetACL is availible from sourceforge.net and SubInAcl should abe availible from Microsoft or the setups folder if you run SIMS.net

[User3204]

If you use Group Policies, there is an option to change permissions on stuff in there....

You should be able to set permissions to a user group.... I have done this for some wierdly crappy software in the past.

[RobFuller]

We are trying to change USER permissions in the registry which GPO doesn’t have an option for!
Does this SetACL change USER Hive registry?

Thanks for your help guys!

[ajbritton]

Yes, SetACL can change the permissions inside the registry. It can do this on the local machine or on remote machines.

Have a look at examples 17 to 19 here -> SetAcl Examples

[RobFuller]

That looks good; problem is the user won’t have permissions to change their CURRENT_USER permissions in the registry! Any ideas what I could do to get around this, was hoping to put it in there Logon script.

[ajbritton]

That's not going to work. Anything in the user's logon script will run in the user's security context.

If you need to elevate the permissions, you will need to hard code a username and password into a script which has higher permissions. If you do this, you need to make sure the script is not readable by users.

[RobFuller]

Just to update:

I did start using SetACL which is very good in conjuction with a special runas program which you can set permissions to run as elevated users.
But after more investigation I found that most of the users have such corrupt and messy profiles that I’m going to reset them all with a clean from scratch profile. To wipe the slate so to speak.

Thanks for you suggestions, very useful!

Thanks
Rob