There's a myriad of ways to access the registry - regedit, reg.exe, powershell, vbscript. I think I'd allow regedit to run and rely on the perms in the registry to prevent the mucking around. Otherwise, you end up hurting yourself more than the bad guys. This issue is a perfect example.
-----Original Message----- From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] Sent: Wednesday, September 14, 2011 11:04 AM To: NT System Admin Issues Subject: RE: Default user runonce Wooo, you are of course right. Bet I have a software or gpo restricting something else causing this. Regedit for example. -----Original Message----- From: Crawford, Scott [mailto:crawfo...@evangel.edu] Sent: Wednesday, September 14, 2011 12:02 PM To: NT System Admin Issues Subject: RE: Default user runonce If its hitting the current user hive, you shouldn't need to run elevated. -----Original Message----- From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] Sent: Wednesday, September 14, 2011 10:46 AM To: NT System Admin Issues Subject: RE: Default user runonce We are in a bit of a pickle and digging out. Our Image creator copied a set up user to the default profile in windows 7 the way he has always done it without checking on how bad that is in Win 7. Then he ran around and imaged a ton of machines without doing any decent testing. I will deal with him later, and it won't be pretty. There are 15 or 20 borked settings. Most importantly it borks the Documents Library. Fixable via a Kix script I have. That script needs to RunOnce as the user logs in the first time...the script hits the Current User hive. Actually very cool. So a runonce in the Default hive and it runs as it loads for the newly logged in user. -----Original Message----- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Wednesday, September 14, 2011 11:25 AM To: NT System Admin Issues Subject: Re: Default user runonce On Wed, Sep 14, 2011 at 10:54 AM, Kennedy, Jim <kennedy...@elyriaschools.org> wrote: > If I put a RunOnce key into the Default user profile (Windows 7) to > call a bat file, that bat file will run under the newly logging in > user and it will run under their credentials? So if I need to elevate > it I need to do a runas? More-or-less correct. What are you trying to accomplish? You nominally only need elevated privileges to modify the system configuration, and you normally only need to modify the system configuration once per machine, so doing it once per user seems wrong. There may be better approaches. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
