Mandatory Profile registry permissions

Posted on 2009-07-08
Medium Priority
Last Modified: 2013-11-21
I am working with mandatory profiles and have an application that requires registry settings for each user that logs on. I have added these settings to the mandatory profile, however I am experiencing an issue with permissions on a registry key that is created for each individual user after they log onto the system. When a user logs onto the system two new keys are created in My Computer\HKEY_USERS. All of the keys start with S-1-5-21-775529393-4178567583-3039359604, however each of them has a unique four-digit number at the end. While one of these keys corresponds to "My computer\HKEY_CURRENT_USER" the second key doesn't appear to correspond to the HKCU. The second key is the same as the first key with "_Classes" at the end. The permissions on the "_Classes" key are still set to the same as they were when I first created the mandatory profile.

My question is, where are these settings coming from? I have loaded the mandatory profile hive into the registry and modified the registry permissions for the entire profile to be "Authenticated Users" Full control. I would like to be able to set the permissions once and know that they will be correct for every user that logs on.

I am investigating the use of psgetsid.exe in a custom script to pipe the user SID into another command to set the permissions but that seems to be a bit complicated for what may be a simple fix. Thanks for any assistance you can provide.
Question by:jmirsky
LVL 19

Accepted Solution

deroode earned 2000 total points
ID: 24803184
Keys in \HKEY_USERS aren't just created, they are actual HKEY_CURRENT_USER hives loaded for every user logging in. The key consists of the domain SID with the user "number" appended. The key with the _classes extension is the same as HKEY_CURRENT_USER\Software\Classes for that user. Make sure that that key has the correct permissions in the mandatory profile.

Author Comment

ID: 24804175
Thanks for the quick response and the great explanation. Your explanation led me down the correct path. I had to recreate my mandatory profile with my temp user account, except this time I went into the registry while creating the profile and set "authenticated users" on the HKCU\Software\Classes key and all subkeys and now all is working. Thank you very much for the assistance.
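
A way to verify the result described in this thread, as an added example that is not part of the original posts: the PowerShell below lists each user hive loaded under HKEY_USERS, pairs it with its `<SID>_Classes` hive, and reports what Authenticated Users (well-known SID S-1-5-11) is allowed on each hive root. The function name `Get-AllowedRights` is hypothetical, and the script assumes an elevated session so other users' hives are readable.

```powershell
# Added example (not from the thread): compare the ACL on each loaded user hive
# with the ACL on its paired <SID>_Classes hive under HKEY_USERS. Run elevated.
# Only the hive root is inspected; subkeys with non-inherited ACLs need a recursive walk.

# Authenticated Users, matched by well-known SID so the check is locale-independent
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

function Get-AllowedRights {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    try {
        $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
    } catch {
        return 'unreadable'
    }
    # Explicit and inherited rules, with identities returned as SIDs
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $Sid.Value -and
                       $_.AccessControlType -eq 'Allow' }
    if ($rules) { ($rules.RegistryRights | Sort-Object -Unique) -join ', ' } else { 'none' }
}

Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
    # Domain and local account hives only; skips .DEFAULT, S-1-5-18 and the _Classes keys
    Where-Object { $_.PSChildName -match '^S-1-5-21-[0-9-]+$' } |
    ForEach-Object {
        $userSid = $_.PSChildName
        $hkcu    = "Registry::HKEY_USERS\$userSid"
        $classes = "Registry::HKEY_USERS\${userSid}_Classes"
        [pscustomobject]@{
            UserSid       = $userSid
            HkcuRights    = Get-AllowedRights -KeyPath $hkcu -Sid $authUsers
            ClassesRights = if (Test-Path -Path $classes) {
                                Get-AllowedRights -KeyPath $classes -Sid $authUsers
                            } else { 'not loaded' }
        }
    } | Format-Table -AutoSize
```

A row where `HkcuRights` shows the expected rights but `ClassesRights` shows `none` matches the symptom in the question: the `_Classes` hive kept the permissions it had when the profile was created.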
