We help IT Professionals succeed at work.

Enabling regedit and disabling it again in group policy with login script

helppari
helppari asked
on
8,427 Views
Last Modified: 2011-08-18
Hello experts!

I hope the question title matches the problem accurately enough. Here's the problem:

I need to map user favorites in domain with a login script that changes the location of the favourites for each and every user from the default (documents and settings\user\etc) to a network location.

To do this I need to change a registry value with the login script (using .reg-file). The problem is, that when a user logs in and the login script runs the grop policy has the regedit disabled (which is the way it needs to be) so the reg-value cannot be changed.

Any suggestions how do I enable regedit, so that the value can be changed, and disable it again (I assume it should be done in the same login-script)? Or is there another way to do it?
Comment
Watch Question

CERTIFIED EXPERT

Commented:
Hi helppari,

You may use a VBScript to change the Favorites location in the registry. Provide some more details (the destination folder name is static, or that varies?) so that I can create a script for you.

Author

Commented:
Hey sramesh2km,

I've got the VBScript ready to do the trick, but the problem is that the person logging in is a user and because of that doesn't have the permission to edit the registry.

So I'd need to enable registry editing option for just a second so that the script can be ran and then disable it again.

Commented:
Login as administrator account before editing. The above method should solve your problem.

If you can't login as administrator, then the best thing to do would be to ask kindly for the admin to give you permission.

Hope this helps :D

Commented:
Why dont you try the RunAs Function to run the .reg as an Admin within the script. Checkout:

http://www.tek-tips.com/faqs.cfm?fid=2760

Hope it helps. I have compiled the RunAs comand with an Admin password into an EXE with Visual Basic for running loads of programs on our sight as the user logs on. Works liek a charm.
Zuhir ElgmatiApplications and Systems Administrator
CERTIFIED EXPERT

Commented:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sct/scthch04.mspx
this link talking about some tool to make restrict and allow users to do something ... actually i don't have any idea about this tool ..but meybe this tool can let you open regedit with restricted accounts

the User Restrictions tool allows you to restrict user actions. By default, users who have limited accounts cannot install software or hardware, but can run programs they download or bring with them on a USB drive—potentially causing problems on the computer. With the User Restrictions tool, you can define restrictions for Microsoft® Internet Explorer, Microsoft Office, the Microsoft Windows® XP operating system, the Start menu, and specify what software is permitted to run.
wish it help
CERTIFIED EXPERT

Commented:
>> because of that doesn't have the permission to edit the registry.

You mean, the user does not have the permission to launch Regedit.exe ? (DisableRegistryTools policy won't affect a VBScript)
Naga Bhanu Kiran KotaCloud Architecture Manager
CERTIFIED EXPERT

Commented:
hi there

the best alternative is setting the profile to the required folder u can set this in the group policy so why go for the regedit thing. only if u want the network folder location being changed dynamically every time u need a script
so try to edit the gpo and set the settings the network profile.

i mean like u set a mandatory profile to users so also u can set a profile to a group with the default location

bhanu

Author

Commented:
>>Login as administrator account before editing. The above method should solve your problem.
>>If you can't login as administrator, then the best thing to do would be to ask kindly for the admin to give you permission.

Gammarax I am the admin but the path needs to be modified in registry with every user logging in on basis of %USERNAME%.

>> You mean, the user does not have the permission to launch Regedit.exe ? (DisableRegistryTools policy won't affect a VBScript)

Exactly shramesh2k. That's what I thought as well but seems like it does. When running the script as a user a window pops up telling the regedit is disabled.

I think I'll try what Admin4XP suggested, that could be just what I'm looking for. I'll get back to you as soon as I've tried that. Thanks ya'll for posting this far!
If you have permission problems to edit the registry from login use policy to change registry.
I use this free tool "PolicyMake Registry Extension" from
http://www.desktopstandard.com/PolicyMakerRegistryExtension.aspx

inside installed location you have a small clients (polregcl.msi 700k) thats need to be installed on all computer

You have a simpel regwizard or editor from inside gpedit thats make it simple to add registry.
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
Dark_King that sounds interesting. Can you elaborate on how do I "use it in GPO with gpedit"?

So I'd need the favorites folder to be mapped into network location, say "\\server\folder$\%username%".
Exemple if you have users home folder mapped to h:\   (net use h: \\server\folder$\%username%)
You can set Favorites in GPO to h:\ie6\Favorites
If you save it as exemple "folder.adm" and import it in gpedit
set filter view in gpedit to show not suported policy you while see it.
Im not sure you need to set the view, but if you not see it do that

Author

Commented:
I'm not quite sure if I know how to import files to gpedit. Do I need to do this on local machine or domain controller?

Is there a source for the code you posted (meaning this: CLASS USER, CATEGORY "ZAK Policies", CATEGORY "Windows NT" etc.)?
You can test on local but all policy in a network is set on domain controller.
I’m not a MS server guru I use novel but 100% sure MS own system work on it self to.

I’m not sure what server you using but you ask under Xp and talk about policy so I believe
you using 2003 as server, are you using AD.

You probably need to start Gpedit so it working on policy files that’s reading by clients at login.

You say “grop policy has the regedit disabled” are you locking down by setting policy local?

In Gpedit you can right click on Administrative template and ADD template to import .adm files
"Is there a source for the code you posted (meaning this: CLASS USER, CATEGORY "ZAK Policies", CATEGORY "Windows NT" etc.)?"

copy & paste to a new file

If you setting policy local now you shold ask MS guru here to help you seting upp policy in your network.

If you need policy files you can take from me, I have collected some here .adm files here.
http://big.park.se/files/extra/policy/

Author

Commented:
Imported the .adm-file to a GPO object @ domain controller linked to the desired machine group and it worked out great. Thanks for leading me into the right direction Dark_King!
When you in to this policy you while notes it’s best and simples way to control clients.
There a lot of third parties produced tools to make policy files but you can learn to make it self, some tools is free and make it easy to quick set up new policy.

In my link on policy you find a lot of policy files and most work under XP if its use as GPO, like this StartMenu changer http://big.park.se/files/extra/policy/files/adm/Start%20Menu%20Config/
It gives back this nice setting to direct new start menu to a folder on you network.

If you lives in registry for windows and have tons of small fixes and is the way you work
You should give this free tool "PolicyMake Registry Extension" a try.
One small warning on policy files.

If you need to change view in Gpedit to see policy setting for your object,
It is a not supported policy, in 99% it only has NO DEFAULT setting for this policy.
This means if you set policy to “Inactivated” it while destroy register value and can’t change back to what it was.
Use only “activated” or “not activated” on this object.
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.