In our environment we use a kiosk style machine that automatically logs in as a local user account. I realized when trying to deploy a java app recently that this user somehow does not have rights to hkcu/software/classes. After trying a couple of different solutions I decided SUBINACL.exe would be the best bet to resolve this. Unfortunately when I run Subinacl on HKCU (I run it as a local administrator or system with the problem account logged in)it skips over the CLASSES key. The only way I can make it work is to make the problem account a local administrator and then run subinacl. I've also tried the SETACL.EXE command with similar outcomes. Does anybody have a better way to do this?