RDS profile settings with Framework

Thank you, I will ask the vendor what registry keys need isolation, now how do I isolate keys with full control?

Unfortunately, this is all I received from support department.

Framework writes to the HKEY_Users
Framework reads from HKEY Current Users

My question is simply this however, why don't I have any specific application registry keys that I can permit full control to? The only way I believe I could allow for users to  get information from the Hkey_users hive to hkey_current_users hive is to:  1) allow them as a local administrator, make changes to registry, and then revoke local admin  privilege

If I'm understanding the question, once you know which key to modify, you can open your registry editor and either select EDIT / PERMISSIONS from the top menu or simply right-mouse click the key and select PERMISSIONS.  At the permissions dialog box, add the user or group if necessary, and choose FULL CONTROL.

Hmm.  I don't know if I'd believe that.  I'd do a search for Framework (or is it FrameworkLTC) on the registry in HKLM and HKU to see what shows up.  Then I'd systematically try making changes to the key until I find what works.  It could be a long process and you'd definitely need to make a backup of your registry before starting.

This is a production environment. I'm thinking... one user is a local admin, the owner of the company (because he wants to restart when he wants)... so I can see what registry keys represent the FWLTC UI settings changes and then address that way. But I don't know how to access each respective current user hive without local admin to apply full control...

when I look in HKEY_User, each respective SID has the user in permissions with full control already. so I don't understand why it's not getting to HKEY_Current_User

Was there a FWLTC key in the HKCU/Software Key?  If so, verify that that user has full control permissions (you never know).  Otherwise, I would suspect it's actually in the HKLM/Software list.

OK, so here is the official email I requested from support. and with that shown, I would assume that I can use PROCMON to figure out what Reg KEYS are being accessed by the user with local admin? and then apply full control to the RDS user group on the specific reg keys?

Official response:
Hello,

Regarding the registry, HKEY_CURRECT_USER (Referred to as HKCU) and HKEY_USERS (HK_USERS) are almost the same directory tree.
When a user signs onto a computer, that computer reaches into HK_USERS and copies (using their SID, securityID) their settings into HKCU.  When something is changed in HKCU it is then updated in HK_USERS.

All users should have access to their own HKCU to update settings that are stored in HK_USERS.

The incident number that corresponds to this is xxxxxx

Thank you,

exactly

OK, that helped me understand Windows Registry and then I come to find out that it didn't work anyway. (meaning it wasn't a local admin vs not, or have anything to do with reg key access as I was led to believe by FWLTC support)

I ended up installing the printer I needed locally on the RDS server. Now with selecting the local printer from the FWLTC UI, it retains that setting as it should.

Now I'm thinking that this whole issue is because the RDS server and Print Server (hosted from the file server) have some type of issue.

To wrap this up, since I have one RDS server and not a collection of them, I can eliminate the Print Server with isolated drivers, just locally install the network printers on the RDS server for everyone to use. I just hope this doesn't cause print spooler failures that driver isolation from a print server may reduce the risk of.

Any thoughts on this idea and environment change?

BigRMV and David Johnson, you guys rock, thanks!