Regedit permissions in AD

Posted by: lectric

Regedit permissions in AD - 13/03/2007 00:36

Ok guys, another question... I currently have a need to distribute a .reg file to a hundred or so users running win2k on a win2k3 AD. The problem is, these users do not have admin rights on their PC, so them editing the registry is not going to work. I currently use Kix to do all the logon scripting, but I'm not sure that I can have it add reg files, since the user permissions have kicked in as soon as they log in.

After the reg file is imported, I then need to run another script that resets a Windows default. Again, they don't have the security access to run the script.

Can I use group policies to accomplish this? I see how to grant access to a very specific part of the registry, which may solve my first problem, but what about the second?

I also see how I can use group policies to add a startup script, which I believe runs before the user logs in. Could that do it?
Posted by: Attack

Re: Regedit permissions in AD - 13/03/2007 00:47

This link seems to have some good info. You might need to make a temp user with admin access and then delete the user.
Posted by: lectric

Re: Regedit permissions in AD - 13/03/2007 00:52

TYVM for the link. Lotsa reading ahead.....
Posted by: lectric

Re: Regedit permissions in AD - 13/03/2007 01:02

Couple of things.... Looks like startup/shutdown scripts SHOULD work, for both cases. The only drawback is that they are only run on actual startup/shutdown. A regular login is NOT enough.

Second, I SHOULD be able to use runas, but I don't see a way to enter a password. Using kix, I could tokenize the script, so entering a password wouldn't be a real issue. I just REALLY don't want to have to give out an admin password. I guess I could create an account that has local admin rights only and make the password something really easy to type in, but I shouldn't HAVE to. There HAS to be a way to fully automate it.
Posted by: Attack

Re: Regedit permissions in AD - 13/03/2007 01:53

Quote:
Couple of things.... Looks like startup/shutdown scripts SHOULD work, for both cases. The only drawback is that they are only run on actual startup/shutdown. A regular login is NOT enough.

Second, I SHOULD be able to use runas, but I don't see a way to enter a password. Using kix, I could tokenize the script, so entering a password wouldn't be a real issue. I just REALLY don't want to have to give out an admin password. I guess I could create an account that has local admin rights only and make the password something really easy to type in, but I shouldn't HAVE to. There HAS to be a way to fully automate it.


I was thinking of creating the user without a password but after reading this I see that the runas command does work when a user doesn't have a password.
Posted by: lectric

Re: Regedit permissions in AD - 13/03/2007 02:27

Exactly. I seem to have come across a util that will do it. CPAU

Whatcha think? I tested it on my machine here, and it seemed to work, that is, I ran edit as another user, and when I saved the file, it was saved with the test user as owner, not me, and I was logged in as me. Wow that's a lot of commas.

Thanks a million for the feedback, btw. I was hitting a wall and that link opened up a lot of possibilities. Nice thing is that I can tokenize the script with it, and the end user never gets to see the password.
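The approach the thread settles on leaves an administrator credential inside a script. As an added example (not part of the original posts), this audit scans script text for CPAU invocations that carry the password on the command line and reports the account without echoing the password. The `-u`, `-p` and `-ex` switches come from CPAU's own usage text, not from the thread; the file names, account names and passwords are constructed sample data.

```python
import re
import shlex

# Constructed sample input: lines as they might appear in KiXtart or batch scripts.
SAMPLE_SCRIPTS = {
    "logon.kix": [
        "; import settings for all users",
        'Shell \'cpau -u PC01\\localadm -p "Summer 2007" -ex "regedit /s fix.reg"\'',
    ],
    "reset.bat": [
        r'"C:\Tools\cpau.exe" -ex "cscript reset.vbs" -u localadm -p hunter2',
        "echo cpau is used above",
        'runas /user:localadm "regedit /s fix.reg"',
    ],
}

# "cpau" or "cpau.exe" (optionally closing a quoted path), then its arguments.
CPAU_RE = re.compile(r'cpau(?:\.exe)?"?\s+(.*)', re.IGNORECASE)

def parse_cpau(line):
    """Return (user, password) when the line runs CPAU with a -p value, else None."""
    match = CPAU_RE.search(line)
    if not match:
        return None
    args = match.group(1).rstrip("'")  # drop the quote closing a KiX string
    try:
        tokens = shlex.split(args, posix=False)  # keeps backslashes and "quoted values"
    except ValueError:
        tokens = args.split()  # unbalanced quotes: fall back to whitespace split
    opts = {}
    for flag, value in zip(tokens, tokens[1:]):
        # Switches are compared case-insensitively (an audit choice, to avoid misses).
        if flag.lower() in ("-u", "-p") and not value.startswith("-"):
            opts.setdefault(flag.lower(), value.strip('"'))
    if "-p" not in opts:
        return None  # no password on the command line
    return opts.get("-u", "<unknown>"), opts["-p"]

def audit(scripts):
    """Return (file, line number, account, "<redacted>") for each embedded password."""
    findings = []
    for name, lines in sorted(scripts.items()):
        for number, line in enumerate(lines, 1):
            hit = parse_cpau(line)
            if hit:
                findings.append((name, number, hit[0], "<redacted>"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCRIPTS):
        print("%s:%d account=%s password=%s" % finding)
```

Computer startup scripts assigned through Group Policy run as Local System, so that route needs no stored credential at all.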