How to: grant specific group of users to add/change registry on their local machine

Discussion in 'Active Directory' started by Fabio Martins, Aug 2, 2007.

  1. Hi everybody.

    What's the best practice to grant a specific user group to add/change
    registry on their local machine?

    Thakyou in advance.
     
    Fabio Martins, Aug 2, 2007
    #1
    1. Advertisements

  2. Forgot to say that this user group and users are into AD.
     
    Fabio Martins, Aug 2, 2007
    #2
    1. Advertisements

  3. Fabio Martins

    G Johansson Guest

    Unless you tell us which specific parts of the registry then you need to be
    local admin on the PC to be able to edit all info.
     
    G Johansson, Aug 2, 2007
    #3
  4. Thankyou for answering.

    We Have a user group, lets call GROUP1.
    Users into GROUP1 have to have the same permissions as Admin Users (the
    GROUP1 users alread are members of the Admin Users) plus permissions to
    create and change keys under HKEY_LOCAL_MACHINE\SOFTWARE in their
    workstations.

    Can I customize it?
     
    Fabio Martins, Aug 2, 2007
    #4
  5. Fabio Martins

    G Johansson Guest

    Using a GPO for this would be the best since it's only a limited part of the
    registry that they need access to.
    Open up a new domain-GPO and you can find this at Security.
     
    G Johansson, Aug 2, 2007
    #5
  6. I logged as administrator, opened the ad users and computers console, I
    created an OU for testing, inside this OU I created a single user, right
    click on this OU, properties, Group Policy, New GPO, Edit.
    Into police editor, went to Computer Configuration | Windows Settings |
    Security Settings | Registry. Right click on the blank panel, Add Key,
    browsed to MACHINE\SOFTWARE, OK. In Database Security for MACHINE\SOFTWARE
    I added the user "abc" inside OU I created for testing and give Full
    Control. Clicked on Advanced, in Permissions tab I doubled click on user
    "abc", confirmed all permissions were checked and "apply in this key and all
    subkeys" was selected. OK | OK | OK | OK and appeared a box "Add Object" and
    I set up "Configure the key then" and "Propagate inheritable permissions to
    all sub keys", OK, closed the GP editor.Closed the properties of OU.

    Went to a WinXP workstation, rebooted, logged as "abc" and tried to change
    some information on registry, create some key or delete some trash but
    allways got the message: Impossible to create the key: error to open
    Software KEY.

    I use Portuguese version, may some messages i wrote here have some
    diferences in translation, but I guess it's fine to understand.

    Thankyou again in advance.
     
    Fabio Martins, Aug 3, 2007
    #6
  7. I typed gpresult on workstation and it showed me that the policy I was
    modifying have been filtered.
    What does it mean?
    So, how it was running the Default Domain policy I did the same procedure on
    Default Domain Policy, and it worked!

    But I don't want to do that, I don't want to change the Default Domain
    Policy.

    Thankyou again.
     
    Fabio Martins, Aug 3, 2007
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.