Mandatory Profile registry permissions

Hello,
    I am working with mandatory profiles and have an application that requires registry settings for each user that logs on.  I have added these settings to the mandatory profile, however I am experiencing an issue with permissions on a registry key that is created for each individual user after they log onto the system.  When a user logs onto the system two new keys are created in My Computer\HKEY_USERS.  All of the keys start with S-1-5-21-775529393-4178567583-3039359604, however each of them has a unique four digit number at the end.  While one of these keys corresponds to "My computer\HKEY_CURRENT_USER" the second key doesn't appear to correspond to the HKCU.  The second key is the same as the first key with "_Classes" at the end.  The permissions on the "_Classes" key are still set to the same as they were when I first created the mandatory profile.

My question is, Where are these settings coming from?  I have loaded the mandatory profile hive into the registry and modify the registry permissions for the entire profile to be "Authenticated Users" Full control.  I would like to be able to set the permissions once and know that they will be correct for every user that logs on.  

I am investigating the use of psgetside.exe in a custom script to pipe the user SID into another command to set the permissions but that seems to be a bit complicated for what may be a simple fix.  Thanks for any assistance you can provide.
LVL 2
jmirskyAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

deroodeSystems AdministratorCommented:
Keys in \HKEY_USERS aren't just created, they are actual HKEY_CURRENT_USER hives loaded for every user logging in. The key consists of the domain SID with the user "number" appended. The key with the _classes extension is the same as HKEY_CURRENT_USER\Software\Classes for that user. Make sure that that key has the correct permissions in the mandatory profile.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jmirskyAuthor Commented:
deroode,
     Thanks for the quick response and the great explanation.  Your explanation lead me down the correct path.  I had to recreate my mandatory profile with my temp user account, except this time I went into the registry while creating the profile and set "authenticated users" on the HKCU\Software\Classes key and all subkeys and now all is working.  Thank you very much for the assistance.  
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.