I’ve seen a few posts on this, and several link to other posts that are private/deleted. I am trying to modify a registry key under HKCU using this actionscript:
delete __appendfile
appendfile {concatenation "%0d%0a" of ("reg add %22HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main%22 /v %22SpellChecking%22 /t reg_dword /d 00000000 /f") of names of keys of key "HKEY_CURRENT_USER" of registry}
delete delreg.bat
move __appendfile delreg.bat
waithidden delreg.bat
The current user the client runs as is LOCAL SYSTEM so most likely you are looking at the wrong place and its writing into a different hive than the user you are logged on as. Remember HKCU is just a view into HKU that changes for every user that’s logged on
Try using HKEY_USERS\{component string of sid of security account (name of logged on user)}\software\Microsoft\internet explorer\main
using HKEY_USERS\{componenet string of sid of security account (name of logged on user)} will get you to the currently logged on users registry location. I’ve used it to set registry keys for the current user in our environment.
Now it’s coming up as invalid clause. I believe it’s because I’m quoting it out.
Any ideas how to state this action:
delete __appendfile
appendfile {concatenation "%0d%0a" of ("reg add %22HKEY_USERS{component string of sid of security account (name of logged on user)}\software\Microsoft\internet explorer\main%22 /v %22SpellChecking%22 /t reg_dword /d 00000000 /f") of names of keys of key "HKEY_CURRENT_USER" of registry}
delete delreg.bat
move __appendfile delreg.bat
waithidden delreg.bat
Generally with BigFix you want to affect things at the Local Machine level, or in a way that affects ALL users.
Having an action that affects only the current user is not ideal because it can only do that after the user has already logged in, and it will have to run as a policy action to affect any future user that logs in.
Directly editing all current user registries, or all user registries is possible with BigFix, but it is not as elegant as using Local GPO and it still doesn’t affect users who log in that have never logged in before.
After much discussion with our AD team this would be in the scope of BigFix. I’ve seen this function requested before and I’m a bit surprised that IBM Developers who read these forums haven’t picked it up as a feature request. I know that RunAsCurrentUser might be an option, but I’ve never gotten that to work. Seeing how we’re a 8.X environment (we have a new architecture with 9.2 being deployed later this year) so as far as I understand the OVERRIDE command wouldn’t work here either.
While other options do exist, I’m posting here to achieve this with BigFix.
I’m confused as to what you mean by this. Who are you responding to?
Right, which is what I am recommending. Use BigFix to deploy Local GPO to set this setting, which is not the same as Network/Domain GPO.
I used to set HKCU settings with BigFix using many different methods. Now I prefer to use Local GPO to do this whenever possible.
Local GPO deployed by BigFix is ideal for the organizations I have been in because they have computers not in AD at all, plus computers in different ADs. BigFix deployed Local GPO works for all cases, which is great.
Local GPO is actually superseded by Domain GPO. This means if I am setting a Local GPO with BigFix and there is a Domain GPO that conflicts with the local one, then the Domain GPO takes precedence. This is actually exactly the effect we desire. This enable us to set default configurations for all computers while still allowing a setting to be managed by a particular department’s Domain GPOs.
createfile until @end_create_reg_file Windows Registry Editor Version 5.00
[HKEY_USERS{component string of sid of security account (name of logged on user)}\Software\Policies\Microsoft\Internet Explorer\Control Panel] “Certificates”=dword:00000001 “Connection Settings”=dword:00000001
createfile until @end_create_reg_file Windows Registry Editor Version 5.00
HKEY_USERS{component string of sid of security account (name of logged on user)}\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyEnable”=dword:00000001 “AutoConfigURL”=“www.proxyurl.com”