Re: HKCU permissions change via GPO?

2011-09-08 Thread kz20fl
I will second that, specific GPOs are better than massive ones for 
troubleshooting and management.

Sent from my POS BlackBerry  wireless device, which may wipe itself at any 
moment

-Original Message-
From: Webster 
Date: Thu, 8 Sep 2011 19:35:17 
To: NT System Admin Issues
Reply-To: "NT System Admin Issues" 
Subject: RE: HKCU permissions change via 
GPO?

What is wrong with GPOs?  GPOs and GPPs are the way to go for most things.  I 
prefer specific purpose GPOs and not huge monolithic GPOs.

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com<http://www.carlwebster.com/>


From: Bernard, Norm [mailto:norm.bern...@nrc-cnrc.gc.ca]
Subject: RE: HKCU permissions change via GPO?

We are trying hard to get away from GPO's as the previous AD guy had over 350 
separate GPO's  :( I've been trying to clean them up for months now.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


Re: HKCU permissions change via GPO?

2011-09-08 Thread kz20fl
You could use a login script using reg.exe, but GPO is the best way. Tidy them 
up, yes, but dismissing them as a management tool is not good. I save a hell of 
a lot of time and grief with GPOs.

Sent from my POS BlackBerry  wireless device, which may wipe itself at any 
moment

-Original Message-
From: "Bernard, Norm" 
Date: Thu, 8 Sep 2011 11:10:27 
To: NT System Admin Issues
Reply-To: "NT System Admin Issues" 
Subject: HKCU permissions change via GPO?

Hello Folks

What I need to do is change the permissions on all system's HKCU (or all user 
hives if possible!). Specifically I need to change HKCU\Software\Policies\ 
permissions to allow current user the right to create/edit sub keys/values

I am currently trying to use SCCM to push out a registry fix for Excel 2003  
(The reg file contains the following, and I have created an SCCM package that 
TRIED to apply the registry fix, but it appears that there is a permissions 
issue - confirmed by manually trying to apply the reg file at the local machine 
with the logged on user account:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Excel]
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Excel\Security]
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Excel\Security\FileValidation]
"EnableOnLoad"=dword:
Any help would be appreciated!

Kindest Regards,

Norm Bernard,
Systems Administrator / Administrateur Système
tel/tél: 604-221-3023| facsimile/télécopieur: 604-221-3001 | 
norm.bern...@nrc-cnrc.gc.ca
NRC Institute for Fuel Cell Innovation | 4250 Wesbrook Mall, Vancouver, B.C. 
V6T 1W5
Institut d'innovation en piles à combustible du CNRC | 4250 Wesbrook Mall, 
Vancouver (C.-B.) V6T 1W5
Government of Canada | Gouvernement du Canada




~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


RE: HKCU permissions change via GPO?

2011-09-08 Thread Crawford, Scott
Well, when you get to the GPO that's making this setting, remove it and the 
setting will go away without modifying the registry...that's (one of) the 
beauty (^Hies) of GPOs.

The RSOP tool in GPMC will be able to show you which GPO is setting that.

From: Bernard, Norm [mailto:norm.bern...@nrc-cnrc.gc.ca]
Sent: Thursday, September 08, 2011 2:23 PM
To: NT System Admin Issues
Subject: RE: HKCU permissions change via GPO?

We are trying hard to get away from GPO's as the previous AD guy had over 350 
separate GPO's  :( I've been trying to clean them up for months now.

Kindest Regards,

Norm Bernard,
Systems Administrator / Administrateur Système
tel/tél: 604-221-3023| facsimile/télécopieur: 604-221-3001 | 
norm.bern...@nrc-cnrc.gc.ca<mailto:norm.bern...@nrc-cnrc.gc.ca>
NRC Institute for Fuel Cell Innovation | 4250 Wesbrook Mall, Vancouver, B.C. 
V6T 1W5
Institut d'innovation en piles à combustible du CNRC | 4250 Wesbrook Mall, 
Vancouver (C.-B.) V6T 1W5
Government of Canada | Gouvernement du Canada

From: Damien Solodow 
[mailto:damien.solo...@harrison.edu]<mailto:[mailto:damien.solo...@harrison.edu]>
Sent: Thursday, September 08, 2011 11:12 AM
To: NT System Admin Issues
Subject: RE: HKCU permissions change via GPO?

You'd be better off using the Excel ADM file in the GPO to make that change 
directly. :) Good rule of thumb is if it's under Software\Policies, it's 
configurable via a GPO with an ADM file. :)

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: Bernard, Norm 
[mailto:norm.bern...@nrc-cnrc.gc.ca]<mailto:[mailto:norm.bern...@nrc-cnrc.gc.ca]>
Sent: Thursday, September 08, 2011 2:10 PM
To: NT System Admin Issues
Subject: HKCU permissions change via GPO?

Hello Folks

What I need to do is change the permissions on all system's HKCU (or all user 
hives if possible!). Specifically I need to change HKCU\Software\Policies\ 
permissions to allow current user the right to create/edit sub keys/values

I am currently trying to use SCCM to push out a registry fix for Excel 2003 
(The reg file contains the following, and I have created an SCCM package that 
TRIED to apply the registry fix, but it appears that there is a permissions 
issue - confirmed by manually trying to apply the reg file at the local machine 
with the logged on user account:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Excel]
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Excel\Security]
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Excel\Security\FileValidation]
"EnableOnLoad"=dword:
Any help would be appreciated!

Kindest Regards,

Norm Bernard,
Systems Administrator / Administrateur Système
tel/tél: 604-221-3023| facsimile/télécopieur: 604-221-3001 | 
norm.bern...@nrc-cnrc.gc.ca<mailto:norm.bern...@nrc-cnrc.gc.ca>
NRC Institute for Fuel Cell Innovation | 4250 Wesbrook Mall, Vancouver, B.C. 
V6T 1W5
Institut d'innovation en piles à combustible du CNRC | 4250 Wesbrook Mall, 
Vancouver (C.-B.) V6T 1W5
Government of Canada | Gouvernement du Canada




~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: HKCU permissions change via GPO?

2011-09-08 Thread Ben Scott
On Thu, Sep 8, 2011 at 2:10 PM, Bernard, Norm
 wrote:
> What I need to do is change the permissions on all system’s HKCU (or all
> user hives if possible!). Specifically I need to change
> HKCU\Software\Policies\ permissions to allow current user the right to
> create/edit sub keys/values

(1) Users aren't allowed to make changes under HKCU\Software\Policies
for good reason.  A lot of sensitive configuration stuff lives under
there.  Opening it up to everyone would be a significant security
exposure.

(2) Even if you did, certain Group Policy operations can wipe out the
changes you made there.

(3) Damien Solodow is on the right track: The correct way to
manipulate stuff under HKCU\Software\Policies is with Active Directory
Group Policy.  The Office Resource Kit (a free download from
Microsoft) has ADM files you can load into the Group Policy Editor to
give you access to all the Excel customization knobs.

(4) As far as your "getting away from GPOs" goes, I think you're
throwing the baby out with the bathwater.  Huge numbers of
poorly-organized, poorly-documented GPOs are bad, sure.  That doesn't
mean you can't have a well-documented, structured set of GPOs for your
organization's needs.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



RE: HKCU permissions change via GPO?

2011-09-08 Thread Webster
What is wrong with GPOs?  GPOs and GPPs are the way to go for most things.  I 
prefer specific purpose GPOs and not huge monolithic GPOs.

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com<http://www.carlwebster.com/>


From: Bernard, Norm [mailto:norm.bern...@nrc-cnrc.gc.ca]
Subject: RE: HKCU permissions change via GPO?

We are trying hard to get away from GPO's as the previous AD guy had over 350 
separate GPO's  :( I've been trying to clean them up for months now.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: HKCU permissions change via GPO?

2011-09-08 Thread Bernard, Norm
We are trying hard to get away from GPO's as the previous AD guy had over 350 
separate GPO's  :( I've been trying to clean them up for months now.

Kindest Regards,

Norm Bernard,
Systems Administrator / Administrateur Système
tel/tél: 604-221-3023| facsimile/télécopieur: 604-221-3001 | 
norm.bern...@nrc-cnrc.gc.ca
NRC Institute for Fuel Cell Innovation | 4250 Wesbrook Mall, Vancouver, B.C. 
V6T 1W5
Institut d'innovation en piles à combustible du CNRC | 4250 Wesbrook Mall, 
Vancouver (C.-B.) V6T 1W5
Government of Canada | Gouvernement du Canada

From: Damien Solodow [mailto:damien.solo...@harrison.edu]
Sent: Thursday, September 08, 2011 11:12 AM
To: NT System Admin Issues
Subject: RE: HKCU permissions change via GPO?

You'd be better off using the Excel ADM file in the GPO to make that change 
directly. :) Good rule of thumb is if it's under Software\Policies, it's 
configurable via a GPO with an ADM file. :)

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: Bernard, Norm 
[mailto:norm.bern...@nrc-cnrc.gc.ca]<mailto:[mailto:norm.bern...@nrc-cnrc.gc.ca]>
Sent: Thursday, September 08, 2011 2:10 PM
To: NT System Admin Issues
Subject: HKCU permissions change via GPO?

Hello Folks

What I need to do is change the permissions on all system's HKCU (or all user 
hives if possible!). Specifically I need to change HKCU\Software\Policies\ 
permissions to allow current user the right to create/edit sub keys/values

I am currently trying to use SCCM to push out a registry fix for Excel 2003 
(The reg file contains the following, and I have created an SCCM package that 
TRIED to apply the registry fix, but it appears that there is a permissions 
issue - confirmed by manually trying to apply the reg file at the local machine 
with the logged on user account:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Excel]
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Excel\Security]
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Excel\Security\FileValidation]
"EnableOnLoad"=dword:
Any help would be appreciated!

Kindest Regards,

Norm Bernard,
Systems Administrator / Administrateur Système
tel/tél: 604-221-3023| facsimile/télécopieur: 604-221-3001 | 
norm.bern...@nrc-cnrc.gc.ca<mailto:norm.bern...@nrc-cnrc.gc.ca>
NRC Institute for Fuel Cell Innovation | 4250 Wesbrook Mall, Vancouver, B.C. 
V6T 1W5
Institut d'innovation en piles à combustible du CNRC | 4250 Wesbrook Mall, 
Vancouver (C.-B.) V6T 1W5
Government of Canada | Gouvernement du Canada




~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: HKCU permissions change via GPO?

2011-09-08 Thread Damien Solodow
You'd be better off using the Excel ADM file in the GPO to make that change 
directly. :) Good rule of thumb is if it's under Software\Policies, it's 
configurable via a GPO with an ADM file. :)

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: Bernard, Norm [mailto:norm.bern...@nrc-cnrc.gc.ca]
Sent: Thursday, September 08, 2011 2:10 PM
To: NT System Admin Issues
Subject: HKCU permissions change via GPO?

Hello Folks

What I need to do is change the permissions on all system's HKCU (or all user 
hives if possible!). Specifically I need to change HKCU\Software\Policies\ 
permissions to allow current user the right to create/edit sub keys/values

I am currently trying to use SCCM to push out a registry fix for Excel 2003 
(The reg file contains the following, and I have created an SCCM package that 
TRIED to apply the registry fix, but it appears that there is a permissions 
issue - confirmed by manually trying to apply the reg file at the local machine 
with the logged on user account:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Excel]
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Excel\Security]
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Excel\Security\FileValidation]
"EnableOnLoad"=dword:
Any help would be appreciated!

Kindest Regards,

Norm Bernard,
Systems Administrator / Administrateur Système
tel/tél: 604-221-3023| facsimile/télécopieur: 604-221-3001 | 
norm.bern...@nrc-cnrc.gc.ca
NRC Institute for Fuel Cell Innovation | 4250 Wesbrook Mall, Vancouver, B.C. 
V6T 1W5
Institut d'innovation en piles à combustible du CNRC | 4250 Wesbrook Mall, 
Vancouver (C.-B.) V6T 1W5
Government of Canada | Gouvernement du Canada




~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin