I may not have this 100% correct so need some clarification. Are normal users on a 2003 terminal server allowed to add registry keys the their own HKCU section in the registry, or are they only allowed to edit existing ones?

The reason I ask is that we have 3 keys that we need to add for each user on login. I thought it would be as simple as having a straightforward batchscript run that silently adds the keys for the user.

Here is what I used:

regedit.exe "C:\Documents and Settings\All Users\Desktop\example.reg"

When the user runs this batch scipt, they see nothing as you would expect, but the keys are not added. If I simply run the .reg file as the user, it asks if I want to add the key, but then has an error saying there was an error accessing the registry.

Do I need something a bit more complex to accomplish this task.

Many Thanks


EDIT: Contents of .reg file

Windows Registry Editor Version 5.00

James Edmonds
  • 1,653
  • 10
  • 36
  • 58

2 Answers2


No, the policies key is managed by the system. Group policies would not be very useful if a user could change them. You need to manage this with gpmc, and a custom adm template if MS Office builtin gpo template does not have these values.

It would appear that Microsoft has a step-by-step procedure for configuring these settings. There may also be a hotfix required if using Outlook 2007.

More information:

The programmatic security settings cannot be configured successfully when you configure the Simple MAPI settings in Outlook 2007 by using the Group Policy object

Greg Askew
  • 34,339
  • 3
  • 52
  • 81
  • Hi, thanks very much for your answer. Can you offer a little more guidance, or point me in the direction of some further reading. Also, can I use GPMC to apply this policy just to this one terminal server? Many thanks. – James Edmonds Mar 14 '12 at 11:12
  • Sure thing. I updated the answer with the procedure. – Greg Askew Mar 14 '12 at 14:25
  • group policy is a bit too confusing for me, but this is definately the answer. Many thanks! – James Edmonds Mar 15 '12 at 12:29

I personally have rolled out a number of batch files, where I used the


command to insert values directly into HKCU, something like

REG ADD \\%COMPUTERNAME%\HKCU\Software\Microsoft\Office\14\etc -parameters

for example suppressing the owner information dialog box on MS office products

I've also used REG UNLOAD to pull out hung profile hives by their SID


kind of like "SC" and "NET" has a number of other verbs you can run it with, just run

REG /?    

from you command line

though come to think of it, I haven't really had much trouble inserting keys directly from a .reg export file either using something like this, this script starts outlook as a different user, to resolve an NTLM issue that occurs in accessing a Unified Communications add-in

::Script uses PSEXEC to run outlook.exe as user ####, also inserts reg key to suppress office registration.

START \\appdata\crossdep\CADriverCheckin\CLEANUP.BAT
\\appdata\crossdep\CADriverCheckin\PSEXEC /accepteula -u "domain\user" -p ###### "C:\program files\microsoft office\office12\outlook.exe" 
REGEDIT /S \\appdata\crossdep\CADriverCheckin\officereg.reg
  • 1
  • 1
  • Have just given this a go, but after running it as a batch file, all i get is the error "ERROR: Access denied". Must be some group policy on our system that causes this to be blocked, as my understanding people should be able to add to their own HKCU. – James Edmonds Apr 02 '12 at 10:54
  • Hmm, are you able to merge the key by right clicking the .reg file and merging it, under that user, (non programatically) just point and click, might look in your local security policy (secpol.msc) also check gpedit.msc User config > admin templates > system > Prevent Access to Registry Editing Tools – Matt May 03 '12 at 06:49