Old 09-19-2003, 08:48 PM   #1 (permalink)
Registered User
 
Join Date: Sep 2003
Location: Nebraska
Posts: 17
zrocule642 is on a distinguished road
Gaming Registry - HKLM_CURRENT_USER Win2K

Hello all,

I just signed up to this site as I am in need of some suggestions. I like to believe I know plenty about all the MS Operating Systems, but this one has me stumped. It has to do with the registry. I'll explain what the goal of my project is and what I accidentally did to lock myself from editing parts of the registry. I'm working with our Network admin at our company (can't say which one in general forums) in trying to set up a Windows 2003 Server that will basically be ONLY used as a Terminal Server/Remote Desktop Server.

We currently have 200+ Machines that are "FITs- Factory Information Terminals" that each have their own NT4 Operating system, their own desktop, their own settings.. and that's all locked down decently tight. We're changing that. Instead of having to manage 200+ machines with scripting every time a change needs to be made, we're going to go BIG. Here's the proposed plan:

2 very fast servers. Quad 3+ GHz processors, 4 GB of RAM, blah blah blah.. All 200+ of the FITs will be re-imaged with Win2K locked down COMPLETELY. The local machine will, in essence... be non-existent as far as the user is concerned.

Currently I have the default shell for the FITUSER (I'll call the user FITUSER for these purposes) account set to Remote Desktop Client. I also have the system automatically set to log on as DOMAIN\fituser... upon which it logs in automatically to Remote Desktop. If you log out of remote desktop, it logs you back in. Same with pressing CTRL+ALT+DEL and logging off. It'll log you off, back in.. and re-connect to the Remote Desktop server. Only 2 Users have access to log in at all. Policy says so. FITUSER, and the administrator on the box. All other domain accounts will be rejected by the Group Policy.

Here's where I went wrong. I also disabled task manager for FITUSER only. That, in essence, has disabled my ability to make any changes to the registry for FITUSER. The settings for the shell are user-specific, so any other user that logs on won't get Remote Desktop, only FITUSER. So how in the heck do I get into the registry to modify HKLM_Current_User when I can't even GET to the regedit or anything else for that matter... on the local machine? I need a way to execute the registry editing abilities on the local machine, without the use of a graphical interface. There's no task manager, there's no explorer.exe shell, all I get is Remote Desktop. Is there some Daemon that can run to give me a shortcut key combo to start regedit without Explorer.exe running? I'm really stumped here.

Confused yet? I'm making the image/template for all the PCs so once I get this one PC perfect, it'll get deployed across them all. I just need a way to remove the "disable task manager" from the registry if I ever intend on making changes on the local machines settings for FITUSER.

Please respond with any comments. I'm stumped. I've been looking all over Microsoft's Knowledgebase and can't find anything.

Thanks!

__________________
Brian L. Busse
zrocule642 is offline   Reply With Quote
Old 09-19-2003, 08:54 PM   #2 (permalink)
Registered User
Join Date: Mar 2002
Location: Roanoke, VA
Posts: 3,379
Scott Tiger is on a distinguished road
These machines will be networked so why can't you just make changes to the registry from another machine? I can't find a way to make gpedit.msc work in XP for another computer but I'd hope that there are admin tools in 2003 Server for such purposes. This is just a stab here - I could be way off base. We're still using NT 4.0 for servers in my domain at work. No AD yet.
__________________
Registered Linux User: 288411
Licensed Windows XP User
Scott Tiger is offline   Reply With Quote
Old 09-19-2003, 08:57 PM   #3 (permalink)
Registered User
 
Join Date: Sep 2003
Location: Nebraska
Posts: 17
zrocule642 is on a distinguished road
The machine is networked. BUT, when you do a "Connect to Remote Registry" from Regedit, you do not get the [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] section listed. It's like you can only modify that from the local machine.

I even tried writing a registry key, saving it to the c:\ and setting the CurrentVersion\RUN to run that registry key. It does nothing.


Brian: Still against a wall. Don't want to start over.
__________________
Brian L. Busse
zrocule642 is offline   Reply With Quote
Old 09-19-2003, 09:05 PM   #4 (permalink)
Registered User
Join Date: Mar 2002
Location: Roanoke, VA
Posts: 3,379
Scott Tiger is on a distinguished road
But does Server 2003 come with better remote admin tools than remote registry?

Surely there's some way to run gpedit.msc remotely.. but I'm just waxing poetically here (to put it nicely).

Wait for PJ, DVNT1, or Evil Rick to offer some suggestions.. I just don't have much experience trying to do something like this.
__________________
Registered Linux User: 288411
Licensed Windows XP User
Scott Tiger is offline   Reply With Quote
Old 09-19-2003, 09:10 PM   #5 (permalink)
Registered User
 
Join Date: Sep 2003
Location: Nebraska
Posts: 17
zrocule642 is on a distinguished road
Maybe as part of the Windows 2003 Resource Kit. I'm downloading that now. I'm good at the whole OS thing, but I just recently dove into making registry changes that actually limit users. I've made changes to fix things, but I've never thought I'd lock myself out of editing something. Go me!

I guess I'm not sure how running the group policy thing remotely would help. The problem is, I didn't use the policy editor to remove the task manager for FITUSER. I just went into the registry and made an entry (DisableTaskMgr = 1).

I'm looking on the web right now, but I don't personally know of any way to run the group policy remotely.


Brian: Wishing he would have stayed home today.
__________________
Brian L. Busse
zrocule642 is offline   Reply With Quote
Old 09-19-2003, 09:16 PM   #6 (permalink)
Registered User
 
Join Date: Sep 2003
Location: Nebraska
Posts: 17
zrocule642 is on a distinguished road
Wow.. I just got it.

In Server 2003, I used Connect to Remote Registry and it asked me for the login information for someone that had permission. I gave it the FITUSER ID and it worked. I was able to see the right stuff.

I feel kind of ignorant for not trying the set of new tools first, but even the basic tools in SVR 2003 work better.

I'll be posting a new topic about making it not prompt for a proxy username/password in a sec. That I've been working on for a week now with no luck.


Brian
__________________
Brian L. Busse
zrocule642 is offline   Reply With Quote
Old 09-19-2003, 09:17 PM   #7 (permalink)
Registered User
Join Date: Mar 2002
Location: Roanoke, VA
Posts: 3,379
Scott Tiger is on a distinguished road
So even if you locked FITUSER out of editing something why not just use the local Administrator account to fix it? You should be able to do that locally with no problems.

I'm not sure I understand how you're locked out. Sounds like the worst thing here would be to create a new user profile. Is this what you're trying to avoid?


EDIT: Glad to hear you got it working..
__________________
Registered Linux User: 288411
Licensed Windows XP User
Scott Tiger is offline   Reply With Quote
Old 09-19-2003, 09:28 PM   #8 (permalink)
Registered User
 
Join Date: Sep 2003
Location: Nebraska
Posts: 17
zrocule642 is on a distinguished road
Yes. I do not want to create a new user profile. Fact is.... I'm going to lock it down, including removing the remote-registry service. These machines have minimal services running.

The reason I can't log on as the local administrator and change the HKLM_Current_User... is because of the name. It's the "Current User" that's logged in. That part of the registry changes for each user.


BUT, as I'm reading this, I'm realizing how stupid of a question this has been. In the registry there is a CURRENT_USER section, but there's also HKEY_USERS, and then their SSID is listed. I could've done it as the local admin all along!!!!


Brian: Kicking himself right now. (but always learning)
__________________
Brian L. Busse
zrocule642 is offline   Reply With Quote
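
The approach post #8 arrives at, written out as an added example that is not part of the original thread: an administrator edits another account's per-user policy value through HKEY_USERS\<SID>, mounting the profile's NTUSER.DAT first when that account is not logged on. PowerShell is used here as a present-day stand-in for the tools of the time; `DOMAIN\fituser` is the thread's placeholder account and the mount name `FitUserOffline` is hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the terminal.
param([string]$Account = 'DOMAIN\fituser')   # the thread's placeholder account

# HKEY_CURRENT_USER is only a view of HKEY_USERS\<SID> for whoever is logged on,
# so resolve the target account's SID and address its hive directly.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

$mount   = "HKU\$sid"
$mounted = $false
if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
    # Account is not logged on, so its hive is not loaded: mount NTUSER.DAT
    # from the profile directory under a temporary (hypothetical) name.
    $profileDir = (Get-ItemProperty ("HKLM:\SOFTWARE\Microsoft\Windows NT\" +
                   "CurrentVersion\ProfileList\$sid")).ProfileImagePath
    $mount = 'HKU\FitUserOffline'
    & reg.exe load $mount (Join-Path $profileDir 'NTUSER.DAT') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $Account" }
    $mounted = $true
}

try {
    # Key and value names are the ones quoted in the thread.
    $key = 'Registry::' + ($mount -replace '^HKU', 'HKEY_USERS') +
           '\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($prop) {
        "DisableTaskMgr = $($prop.DisableTaskMgr) for $Account ($sid); removing it"
        Remove-ItemProperty -Path $key -Name DisableTaskMgr
    } else {
        "DisableTaskMgr is not set for $Account ($sid)"
    }
}
finally {
    if ($mounted) {
        # Release PowerShell's handles on the hive or the unload is refused.
        $prop = $null; [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload $mount | Out-Null
    }
}
```

The same lookup also works read-only as an audit of which accounts carry the restriction: drop the `Remove-ItemProperty` call and run it per SID listed under `ProfileList`.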
Old 09-20-2003, 01:27 AM   #9 (permalink)
Registered User
Join Date: Oct 2001
Location: Oceanside CA
Posts: 1,591
cadetstimp is on a distinguished road
The Domain Admins group usually has default admin access to any PC that is part of the domain.....anyone with domain access rights could login or connect to the registry remotely to fix the problem.
cadetstimp is offline   Reply With Quote