Ok guys, another question... I currently have a need to distribute a .reg file to a hundred or so users running win2k on a win2k3 AD. The problem is, these users do not have admin rights on their PC, so them editing the registry is not going to work. I currently use Kix to do all the logon scripting, but I'm not sure that I can have it add reg files, since the user permissions have kicked in as soon as they log in.

After the reg file in imported, I then need to run another script that resets a windows default. Again, they don't have the security access to run the script.

Can I use group policies to accomplish this? I see how to grant access to a very specific part of the registry, which may solve my first problem, but what about the second?

I also see how I can use group policies to add a startup script, which I believe runs before the user logs in. Could that do it?

This link seems to have some good info. You might need to make a temp user with admin access and then delete the user.

TYVM for the link. Lotsa reading ahead.....

Couple of things.... Looks like startup/shutdown scripts SHOULD work, for both cases. The only drawback is that they are only run on actual startup/shutdown. A regular login is NOT enough.

Second, I SHOULD be able to use runas, but I don't see a way to enter a password. Using kix, I could tokenize the script, so entering a password wouldn't be a real issue. I just REALLY don't want to have to give out an admin password. I guess I could create an account that has local admin rights only and make the password something really easy to type in, but I shouldn't HAVE to. There HAS to be a way to fully automate it.

Exactly. I seem to have come across a util that will do it. CPAU

Whatcha think? I tested it on my machine here, and it seemed to work, that is, I ran edit as another user, and when I saved the file, it was saved with the test user as owner, not me, and I was logged in as me. Wow that's a lot of commas.

Thanks a million for the feedback, btw. I was hitting a wall and that link opened up a lot of possibilities. Nice thing is that I can tokenize the script with it, and the end user never gets to see the password.