helppari

Enabling regedit and disabling it again in group policy with login script

Hello experts!

I hope the question title matches the problem accurately enough. Here's the problem:

I need to map user favorites in domain with a login script that changes the location of the favourites for each and every user from the default (documents and settings\user\etc) to a network location.

To do this I need to change a registry value with the login script (using a .reg file). The problem is that when a user logs in and the login script runs, the group policy has regedit disabled (which is the way it needs to be), so the reg value cannot be changed.

Any suggestions on how I can enable regedit, so that the value can be changed, and disable it again (I assume it should be done in the same login script)? Or is there another way to do it?

sramesh2k

Hi helppari,

You may use a VBScript to change the Favorites location in the registry. Provide some more details (is the destination folder name static, or does it vary?) so that I can create a script for you.

helppari

ASKER

Hey sramesh2k,

I've got the VBScript ready to do the trick, but the problem is that the person logging in is a user and because of that doesn't have the permission to edit the registry.

So I'd need to enable the registry editing option for just a second so that the script can be run and then disable it again.

Log in with an administrator account before editing. The above method should solve your problem.

If you can't log in as administrator, then the best thing to do would be to kindly ask the admin to give you permission.

Hope this helps :D

Why don't you try the RunAs function to run the .reg as an Admin within the script? Check out:

http://www.tek-tips.com/faqs.cfm?fid=2760

Hope it helps. I have compiled the RunAs command with an Admin password into an EXE with Visual Basic for running loads of programs on our site as the user logs on. Works like a charm.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sct/scthch04.mspx
This link talks about a tool to restrict and allow users to do something ... actually I don't have any idea about this tool, but maybe this tool can let you open regedit with restricted accounts.

The User Restrictions tool allows you to restrict user actions. By default, users who have limited accounts cannot install software or hardware, but can run programs they download or bring with them on a USB drive, potentially causing problems on the computer. With the User Restrictions tool, you can define restrictions for Microsoft® Internet Explorer, Microsoft Office, the Microsoft Windows® XP operating system, the Start menu, and specify what software is permitted to run.
Wish it helps.

>> because of that doesn't have the permission to edit the registry.

You mean, the user does not have the permission to launch Regedit.exe? (DisableRegistryTools policy won't affect a VBScript)

Hi there,

The best alternative is setting the profile to the required folder. You can set this in the group policy, so why go for the regedit thing? Only if you want the network folder location changed dynamically every time do you need a script.
So try to edit the GPO and set the settings to the network profile.

I mean, just as you set a mandatory profile for users, you can also set a profile for a group with the default location.

bhanu

>> Log in with an administrator account before editing. The above method should solve your problem.
>> If you can't log in as administrator, then the best thing to do would be to kindly ask the admin to give you permission.

Gammarax, I am the admin, but the path needs to be modified in the registry for every user logging in, on the basis of %USERNAME%.

>> You mean, the user does not have the permission to launch Regedit.exe? (DisableRegistryTools policy won't affect a VBScript)

Exactly, sramesh2k. That's what I thought as well, but it seems like it does. When running the script as a user, a window pops up saying that regedit is disabled.

I think I'll try what Admin4XP suggested; that could be just what I'm looking for. I'll get back to you as soon as I've tried that. Thanks y'all for posting this far!

If you have permission problems editing the registry at login, use policy to change the registry.
I use this free tool "PolicyMaker Registry Extension" from
http://www.desktopstandard.com/PolicyMakerRegistryExtension.aspx

Inside the install location you have a small client (polregcl.msi, 700k) that needs to be installed on all computers.

You have a simple reg wizard or editor inside gpedit that makes it simple to add registry values.
ASKER CERTIFIED SOLUTION
Dark_King

This solution is only available to members.
Dark_King, that sounds interesting. Can you elaborate on how I "use it in GPO with gpedit"?

So I'd need the favorites folder to be mapped into a network location, say "\\server\folder$\%username%".

For example, if you have the users' home folder mapped to h:\ (net use h: \\server\folder$\%username%),
you can set Favorites in the GPO to h:\ie6\Favorites.
If you save it as, for example, "folder.adm" and import it in gpedit,
set the filter view in gpedit to show unsupported policies and you will see it.
I'm not sure you need to set the view, but if you don't see it, do that.
I'm not quite sure if I know how to import files to gpedit. Do I need to do this on local machine or domain controller?

Is there a source for the code you posted (meaning this: CLASS USER, CATEGORY "ZAK Policies", CATEGORY "Windows NT" etc.)?

You can test locally, but all policy in a network is set on the domain controller.
I'm not an MS server guru, I use Novell, but I'm 100% sure MS's own system works on itself too.

I'm not sure what server you are using, but you ask under XP and talk about policy, so I believe
you are using 2003 as the server. Are you using AD?

You probably need to start Gpedit so that it works on the policy files that are read by clients at login.

You say "group policy has the regedit disabled"; are you locking down by setting policy locally?

In Gpedit you can right-click on Administrative Templates and add a template to import .adm files.
"Is there a source for the code you posted (meaning this: CLASS USER, CATEGORY "ZAK Policies", CATEGORY "Windows NT" etc.)?"

Copy & paste to a new file.

If you are setting policy locally now, you should ask an MS guru here to help you set up policy in your network.

If you need policy files you can take them from me; I have collected some .adm files here.
http://big.park.se/files/extra/policy/
Imported the .adm-file to a GPO object @ domain controller linked to the desired machine group and it worked out great. Thanks for leading me into the right direction Dark_King!

Once you get into policy you will notice it's the best and simplest way to control clients.
There are a lot of third-party tools to make policy files, but you can learn to make them yourself; some tools are free and make it easy to quickly set up a new policy.

In my link on policy you will find a lot of policy files, and most work under XP if used as a GPO, like this StartMenu changer http://big.park.se/files/extra/policy/files/adm/Start%20Menu%20Config/
It gives back this nice setting to direct the new start menu to a folder on your network.

If you live in the Windows registry and have tons of small fixes, and this is the way you work,
you should give this free tool "PolicyMaker Registry Extension" a try.

One small warning on policy files.

If you need to change the view in Gpedit to see the policy setting for your object,
it is an unsupported policy; in 99% of cases it has NO DEFAULT setting for this policy.
This means that if you set the policy to “Inactivated” it will destroy the registry value and can't change it back to what it was.
Use only “activated” or “not activated” on this object.
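
The kind of .adm template discussed in this thread, as an added example (it is not the template Dark_King posted, which is not shown on this page). The category and policy names are made up for illustration, and the default path is the example share from the question.

```adm
; Added example, not the template from the thread.
; Category and policy names are hypothetical.
CLASS USER

CATEGORY "Example Shell Folders"
  POLICY "Favorites folder location"
    ; Per-user key that Explorer reads shell folder paths from.
    ; It lies outside the Policies branches of the registry, so
    ; gpedit treats the setting as unmanaged and hides it until
    ; the view filter is changed.
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
    PART "Path to Favorites" EDITTEXT EXPANDABLETEXT
      ; EXPANDABLETEXT stores the value as REG_EXPAND_SZ, so
      ; %USERNAME% is expanded for whoever is logged on instead
      ; of being stored as one fixed name.
      VALUENAME "Favorites"
      DEFAULT "\\server\folder$\%USERNAME%"
      REQUIRED
    END PART
  END POLICY
END CATEGORY
```

Group Policy writes the value during policy processing, so the user needs neither regedit nor a login script that edits the registry. Because the key is outside the Policies branches, the value stays in the user's registry after the GPO stops applying, which is the behaviour the warning above is about.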