Mandatory Profile registry permissions
Posted on 2009-07-08
I am working with mandatory profiles and have an application that requires registry settings for each user that logs on. I have added these settings to the mandatory profile; however, I am experiencing an issue with permissions on a registry key that is created for each individual user after they log on to the system. When a user logs on to the system, two new keys are created in My Computer\HKEY_USERS. All of the keys start with S-1-5-21-775529393-4178567583-3039359604; however, each of them has a unique four-digit number at the end. While one of these keys corresponds to "My Computer\HKEY_CURRENT_USER", the second key doesn't appear to correspond to the HKCU. The second key is the same as the first key with "_Classes" at the end. The permissions on the "_Classes" key are still set to the same as they were when I first created the mandatory profile.
My question is: where are these settings coming from? I have loaded the mandatory profile hive into the registry and modified the registry permissions for the entire profile to be "Authenticated Users" Full control. I would like to be able to set the permissions once and know that they will be correct for every user that logs on.
I am investigating the use of psgetsid.exe in a custom script to pipe the user SID into another command to set the permissions, but that seems to be a bit complicated for what may be a simple fix. Thanks for any assistance you can provide.