Group Policy to allow users to write to Registry

[Don Lewis]

My questions is simple but the answer is vital. We're
migrating to a Windows-centric domain from a NetWare
domain. For the most part, our PCs run Windows XP & our
servers run Windows 2000 Advanced Server. Our ERP
software requires that users be able to write to the
Registry. Of course, by default, users don't have those
rights & we don't want to give them Local Administrator
rights to the entire workstation. Therefore, how do I set
a Group Policy to allow users Local Administrator or
similar rights to write to the Registry for just one
application.

PS: The application is, at least for the time being, on a
NetWare server. The users have a Shortcut on their
desktop which points to the executable via a mapped drive.

 

[John]

Hello Don,

Here is the path in a GPO to setting permissions on registry keys.

Registry
Computer Configuration\Windows Settings\Security Settings\Registry

Description
Allows an administrator to define access permissions (DACLs) and audit
settings (SACLs) for registry keys.

Note
The Registry folder is available only in Group Policy objects associated
with domains, OUs, and sites. The Registry folder does not appear in the
Local Computer Policy object.


It might be dangerous to give users wide open perms to the registry. Have
you considered using regmon.exe from sysinternals to find out what parts of
the registry the user is accessing and then set perms on only that. Or if
there is a client side piece that needs to be installed compare the registry
before and after you install that piece. That's my $.02.

Good luck