Hello Everyone. Hope someone can chat about somethings i am trying to do
using registry keys and ntuser.dat file.

first issuse:

i need to apply restrictions through GPO to a specific local user in windows
xp. I am doing the following:

1. Changes to local GPO using gpedit.msc;
2. Saving Hkey_current_user registry to NTuser.dat file;
3. deploy the dat file to user profile i want the restrictions.

'til here everything is fine. I have the desired result.

This works fine in windows XP but In a specific computer is not working
properly, not all the restrictions are applied to the user only a few. So
when i look to the hkey_current_ser registry, all the settings are ok, so all
the restrictions should be applied not just some of them.

Is there a way to discover why this is happening?

Second Issue:

The steps above are applied to windows vista? I tried but it failed.
The NTUSER.DAT file in windows vista has the same functions that in windows

I writing this here because NTUSER files are registry. HOpe someone can help

Thanks in advance.

Jon Wallace

Hi Maurit,

I believe I understand your post / questions correctly so want to highlight
a few things for you. Firstly the NTUSER.DAT file within a users profile is
actually their HKEY_CURRENT_USER hive - I think you know this already
because of the copying exercise. This file is mapped when the user logs
onto a machine and becomes HKCU - see

One of the potential issues in doing what you are doing (saving
HKEY_CURRENT_USER to NTUSER.DAT file and then copying it) is that the
HKEY_CURRENT_USER you are saving will contain personal settings specific for
the user you are copying it from, everything from application settings to
security settings and so fourth. Unless you then go back and remove all of
those settings you can potentially cause yourself a little pain and trouble
down the line. Why is it you use this method - are you trying to deploy
various 'default' settings to users?

I may be mistaken but it appears you are using this method to apply policy
settings, basically baking the policy settings into the NTUSER.DAT file
(HKEY_CURRENT_USER) and then copying this to your users to enforce the
restrictions - is this the case? Is there any reason you can't actually
create a group policy on the domain and have that apply to your machines?

It's also worth nothing that there are many policy settings that can be
applied at a machine level (HKEY_LOCAL_MACHINE) and also a user level
(HKEY_CURRENT_USER) and it is possible that although you are setting a
policy registry value in HKEY_CURRENT_USER it's being overridden by another
policy set somewhere else.

Obviously I (we) would like to help you achieve what you want here so if you
can try to explain what your trying to do and why you are doing your
registry save (and how) and deploying the NTUSER.DAT file it would be a
really good start.

With Best Regards,



Hi Jon. I really aprreciate your post. So, let's go:

1. I do know that HKEY_CURRENT_USER is the NTUSER.DAT file.

2. I really know about the issues you mentioned. My goal here is to create a
profile that the user is not capable of doing anything. This profile will be
used to aplly some internal exams and nothing more.

3. Yes. I want to enforce the policies i created. Unfortunately, i will
apply this profile to computers that are not part of a domain. So, this was
the only way i found to apply to a specific local user. I can not affect
other local users in the computer.

So basicly i have to apply a restricted profile to a computer that is not a
part of domain and i can not affect other local users. I can say tha
everything is working pretty good the way i created this.

After creating all the local policies through gpedit.msc. I save the
HKEY_CURRENT_SER to NTUSER.DAT. I use this command line: reg save

I create a local user account and put it in admin group. (if the user is not
part of this group, the policies are not applied. I really dont understand
this one)

Then i discover the SID from the new user and create a registry in
HKLM\...\ProfileList. Doing this i am saying to windows that the profile of
this user already exists and windows will not try to create a new one.

Finally i create the profile directory and put the NTUSER.DAT i created
inside of it. I still rename this file from NTUSER.DAT to NTUSER.MAN. It is a
mandatory profile.

When i logon to this specific user, my policies are applied. that's what i

I tested this in 6 computers. In only one just a part of the policies were
applied. You can be right, it can be machine policy. I will take a look on

So far i can say that it is successful in windows XP. I need to test in more

Now, i am trying to do the same thing in windows Vista. When i try to logon,
it comes back to welcome screen. I just discovered that this occur because
UAC is ON. When i turn UAC off, everything works fine. Any idea?

Hope i answered your questions and sorry about my bad english. I also hope
you can help me to improve this methodology i created, with your experience.

Thanks again.
Best regards.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question