#202761 - 2011-07-29 07:34 PM
Need to modify HKCU on TS servers with elevated privledges
|
jameehub02
Just in Town
Registered: 2011-07-27
Posts: 2
Loc: Florida, USA
|
We need to modify a domain user's HKCU registry keys on two Citrix terminal servers to fix a recent problem Microsoft caused when making changes to their Office File Validation code for Office 2003 and Office 2007.
The problem is referenced by knowledge base article KB2570623. After their updates, any moderately large Excel 2003 file opens very slowly when accessed over the network, or hangs Excel entirely.
The published fix from Microsoft involves adding two keys to an individual users HKCU registry which turns off the validation and thus allows the Excel file to load normally.
The problem is normal domain users do not have write access to the HKCU section of the registry on our Citrix terminal servers which host the Office 2003 Suite.
I have a working KiXtart script segment that applies the appropriate modifications to the HKCU registry but it only works when a user has local admin access to their hive keys. The code is listed below:
Dim $TempCall, $TempKey $TempKey = "HKEY_CURRENT_USER\Software\Policies\Microsoft\Office" $TempCall = WriteValue( $TempKey, "", "", "REG_SZ" ) $TempCall = WriteValue( $TempKey + "\11.0", "", "", "REG_SZ" ) $TempCall = WriteValue( $TempKey + "\11.0\Excel", "", "", "REG_SZ" ) $TempCall = WriteValue( $TempKey + "\11.0\Excel\Security", "", "", "REG_SZ" ) $TempCall = WriteValue( $TempKey + "\11.0\Excel\Security\FileValidation", "", "", "REG_SZ" ) $TempCall = WriteValue( $TempKey + "\11.0\Excel\Security\FileValidation", "EnableOnLoad", "0", "REG_DWORD" ) $TempCall = WriteValue( $TempKey + "\11.0\Excel\Security\FileValidation", "PivotOptions", "0", "REG_DWORD" )
I have tried using runnas and JoeWare's CPAU to provide the local permission elevation. However, I am not able to get them to work properly as they want to load the elevated profile, which knocks out the HKCU section. If I don't load the profile, it doesn't acquire the necessary permissions.
Any ideas on how to tackle this HKCU issue. Many thanks in advance !!!
|
Top
|
|
|
|
#202763 - 2011-07-29 08:24 PM
Re: Need to modify HKCU on TS servers with elevated privledges
[Re: Allen]
|
ShaneEP
MM club member
Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
|
I dont have any terminals servers to test on either, but I wonder if the current SID changes when you use runas? If not you could try running something like...
$TempKey = "HKEY_USERS\"+@Sid+"\Software\Policies\Microsoft\Office"
$TempCall = WriteValue($TempKey+"\11.0\Excel\Security\FileValidation","EnableOnLoad","0","REG_DWORD" )
$TempCall = WriteValue($TempKey+"\11.0\Excel\Security\FileValidation","PivotOptions","0","REG_DWORD" )
|
Top
|
|
|
|
#202764 - 2011-07-29 08:26 PM
Re: Need to modify HKCU on TS servers with elevated privledges
[Re: ShaneEP]
|
ShaneEP
MM club member
Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
|
Also...did you look into using runnas.exe with the different profile settings? A list of them can be found here.
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=153620&site_id=1
in particular, maybe the /noprofile or /env switches.
Edited by ShaneEP (2011-07-29 08:27 PM)
|
Top
|
|
|
|
#202766 - 2011-07-30 06:15 PM
Re: Need to modify HKCU on TS servers with elevated privledges
[Re: Arend_]
|
jameehub02
Just in Town
Registered: 2011-07-27
Posts: 2
Loc: Florida, USA
|
Yes, you are absolutely correct. I banged on this beastie for hours without success. I finally threw in the towel and tried the simple approach by uninstalling the "Microsoft Office File Validation Add-in" AND marked it to "Don't show this update again". What a pain in the rear!! Thanks to all of you for sharing your suggestions. I have to believe that many others are feeling this pain ...
|
Top
|
|
|
|
Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart
|
0 registered
and 507 anonymous users online.
|
|
|