Why does this work? GPP - Registry Changes



  • Maybe I am missing something simple, but I don't know why this configuration works.

    We have a GPO that uses GPP to modify some file associations in the registry. Currently the paths being changed are all in HKCU. This GPO is also NOT running under the user's context. AFAIK that means the registry changes should be applied under the HKCU of the SYSTEM account (Making it not apply for the logged in user). Reality is that the logged in user's HKCU is being modified. Can someone point me to a technical explanation why this is working?

    delete.PNG



  • @Brains said:

    Maybe I am missing something simple, but I don't know why this configuration works.

    We have a GPO that uses GPP to modify some file associations in the registry. Currently the paths being changed are all in HKCU. This GPO is also NOT running under the user's context. AFAIK that means the registry changes should be applied under the HKCU of the SYSTEM account (Making it not apply for the logged in user). Reality is that the logged in user's HKCU is being modified. Can someone point me to a technical explanation why this is working?

    delete.PNG

    Current user should be the actual logged in user, not SYSTEM. Not AFAIK. It makes sense to me it works.



  • Group Policy uses the User context. RSOP will tell you more about how group policy is being applied to your domain computers.



  • @thecreativeone91 said:

    Group Policy uses the User context. RSOP will tell you more about how group policy is being applied to your domain computers.

    But M$ says that it should be running under the SYSTEM account

    http://technet.microsoft.com/en-us/library/cc772371.aspx
    delete.PNG

    @ajstringham said:

    Current user should be the actual logged in user, not SYSTEM. Not AFAIK. It makes sense to me it works.

    So you are saying that HKCU is for the logged in user and running a command under a different account will not change that fact?



  • Look at the wording of that. It PROCESSES the preferences USING the SYSTEM profile. It does NOT say that it applies them TO the SYSTEM profile. I think you are misinterpreting the wording on this.



  • I agree with @ajstringham,

    It says "using the security context of the SYSTEM account". To me this means that it's running as if SYSTEM was logged on, but applying to the user's profile. You need to change this (I think) only if the SYSTEM account doesn't have access to something that the GPO needs to change that the user's account does have access to.

    It does appear to be working as designed.



  • Thanks guys


Log in to reply