
Setting rights on HKCU

Hi,
background first:
the shop is on OES11SP3 and ZCM11.3.2FTF1, they try to communicate via exchange and outlook 2010. WS are NOT domain members, they're using ZCM DLU and roaming profile policies which work fine in and out of themselves. as long as it doesn't come to outlook...
for all ordinary user accounts (without local admin rights) it's the first box they're logging in which "wins", i.e. user logs into PCA, gets his (properly prepared) initial profile pulled down, starts outlook and gets his mapi profile created. now when he shuts down PCA, logs into PCB he can't start outlook. as the mapi profile creation on PCA has changed relevant registry rights for
hkcu\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
on the "Windows Messaging Subsystem" level things are still all right, i.e. we still have full control for everyone and inheritance. this stops at the "Profiles" level which cannot be accessed without admin rights.
thought about something like
setacl -on "hkcu\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem" -ot reg -actn rstchldrn -rst "dacl"
to reset everything to defaults. the problem is that neither the "system" nor a temporary admin account can hit the desired hive as "system" has no idea of a "current user" and for a dynamic admin the current user is the dynamic admin himself.
i've tried to start with an action which adds the user to the administrators group. basically this works fine but in order to bring the elevated rights into effect it requires a new login.

any ideas on how to handle this? or even better: any suggestions on how to bring outlook 2010 and ZCM DLU/roaming profiles together?

thx,
mb

Re: Setting rights on HKCU

mathiasbraun;2400446 wrote:
Hi,
background first:
the shop is on OES11SP3 and ZCM11.3.2FTF1, they try to communicate via exchange and outlook 2010. WS are NOT domain members, they're using ZCM DLU and roaming profile policies which work fine in and out of themselves. as long as it doesn't come to outlook...
for all ordinary user accounts (without local admin rights) it's the first box they're logging in which "wins", i.e. user logs into PCA, gets his (properly prepared) initial profile pulled down, starts outlook and gets his mapi profile created. now when he shuts down PCA, logs into PCB he can't start outlook. as the mapi profile creation on PCA has changed relevant registry rights for
hkcu\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
on the "Windows Messaging Subsystem" level things are still all right, i.e. we still have full control for everyone and inheritance. this stops at the "Profiles" level which cannot be accessed without admin rights.
thought about something like
setacl -on "hkcu\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem" -ot reg -actn rstchldrn -rst "dacl"
to reset everything to defaults. the problem is that neither the "system" nor a temporary admin account can hit the desired hive as "system" has no idea of a "current user" and for a dynamic admin the current user is the dynamic admin himself.
i've tried to start with an action which adds the user to the administrators group. basically this works fine but in order to bring the elevated rights into effect it requires a new login.

any ideas on how to handle this? or even better: any suggestions on how to bring outlook 2010 and ZCM DLU/roaming profiles together?

thx,
mb


Doesn't the Registry edit action handle this situation:

Run Action As

Specify how you want the action to run:

System: The action is run under the Local System user and inherits Administrator-level credentials. For example, the action has full rights to the HKEY_LOCAL_MACHINE hive.

Select the Apply HKEY_CURRENT_USER changes to the logged in user's hive instead of .DEFAULT option to enable the changes to be made in the user’s hive instead of the DEFAULT hive of HKEY_USERS.


https://www.novell.com/documentation/zenworks113/zen11_cm_software_distribution/data/bagi8rl.html

Thomas

Re: Setting rights on HKCU

this would certainly do it for an "ordinary" edit, but i have to reset rights with an external executable (setacl). as a quickshot i've made an action which identifies the HKEY_USER hive of the logged in user and pipes it to a file. another action grabs the value and sets the rights (as system). pretty dirty, but apparently functional.
nevertheless i'm still wondering about outlook's behaviour in many aspects (saving / not saving credentials, manipulating registry rights a.s.o.).
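The workaround from the last post (find the logged-in user's hive under HKEY_USERS, then reset the rights as SYSTEM) can be done in a single SYSTEM-context script, so the hive name never passes through a file the user can write to. This is an added example, not the poster's actual actions; it assumes setacl.exe is on the PATH, a single interactive console user, and that SetACL accepts the `hku` root abbreviation the same way it accepts `hkcu`.

```powershell
# Added example; runs as SYSTEM (e.g. from a ZCM script action).
# Assumptions: setacl.exe is on PATH; one interactive console user is logged in;
# SetACL accepts "hku" as a root abbreviation like the "hkcu" used in the post.
$ErrorActionPreference = 'Stop'

function Get-ConsoleUserSid {
    # Win32_ComputerSystem.UserName is "COMPUTER\user" for the console session
    $name = (Get-WmiObject -Class Win32_ComputerSystem).UserName
    if ([string]::IsNullOrEmpty($name)) { throw 'No interactive console user found.' }
    $account = New-Object System.Security.Principal.NTAccount($name)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-UserSid {
    param([string]$Sid)
    # Accept only account SIDs (S-1-5-21-...-RID), never .DEFAULT or service SIDs
    $Sid -match '^S-1-5-21-\d+-\d+-\d+-\d+$'
}

$sid = Get-ConsoleUserSid
if (-not (Test-UserSid $sid)) { throw "Unexpected SID format: $sid" }

$sub = 'Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem'

# The user's hive is only mounted under HKEY_USERS while the profile is loaded
if (-not (Test-Path -LiteralPath "Registry::HKEY_USERS\$sid\$sub")) {
    throw "Key not found under HKEY_USERS\$sid (hive not loaded?)"
}

# Same SetACL action as in the post, aimed at the user's hive instead of hkcu
& setacl.exe -on "hku\$sid\$sub" -ot reg -actn rstchldrn -rst 'dacl'
if ($LASTEXITCODE -ne 0) { throw "setacl failed with exit code $LASTEXITCODE" }
```

Resolving and validating the SID inside the SYSTEM context means the elevated step only ever acts on a value it derived itself.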