I Need To Make A Change With My IT Support! Call (225) 706-8414

Finding the Windows HKEY_USERS Registry Subkey with ADSIEdit

You want to edit the HKEY_USERS registry subkey for a user that isn’t logged in.

This is less a HOWTO than a general explanation of the process.

Solution

For all the focus Microsoft (and third party developers) put on using wizards, MMCs, and other GUI tools to manage software, digging into the registry and making changes manually is still a very common occurrence for most techs. One of the hurdles of doing so is making sure you’re editing the correct user’s registry when you’re not logged in as that user (i.e., finding the right HKEY_CURRENT_USER).  This isn’t a big problem for most workstations as there’s rarely more than a handful of accounts on the machine; but on a multi-user system like a terminal server, you could spend more time trying to find the correct user’s registry than you did researching the issue that prompted the change in the first place. Of course, there’s a quicker way.

Suppose the following scenario:  a user reports an issue with a piece of software on a terminal server, then leaves for several days (vacation, client visit, conference, etc.).  You know how to resolve the issue with a simple registry edit and you’d like to get it out of the way and have the issue fixed for the user when they get back. The problem is that there’s a couple of dozen users on that machine so it would be nice to be able to go directly to that user’s keys rather than searching the whole HKEY_USERS hive.  Unfortunately, the registry organizes users’ data by SID, not username, so you have to find some way of getting the target user’s SID in order to find their hive.

Switch to one of your Windows Server 2008 domain controllers and run adisedit.msc.  If it doesn’t have any connections by default, just right click on the “ADSI Edit” item at the root of the navigation pane on the left and select “Connect to”. Set the connection point to “Default naming context” and the computer to “Default (Domain or server that you logged in to)” and click OK.  This will add a an item to the navigation tree named after your domain. When you expand it, you’ll see it’s laid out very similarly to ADUC.  Find your target user in the domain hierarchy (remember, they’re username will be pre-pended with a “CN=”), right click on them and select Properties.

There will be a lot of attributes but the one you care about right now is objectSid; if needed, click the Filter button and check “Show only attributes that have values” to clean up the list and make it easier to find.  In the value column, you’ll see an string like “S-1-5-…”; that’s the SID you need to look for in the registry.  You’ll have to scroll the properties window if you can’t see the whole thing; clicking the “View” button will show you the value in several different forms (hex, octal, decimal, and binary) but not the string version that’s actually useful.

Back on the terminal server, open regedit and expand Computer > HKEY_USERS.  You should see a subkey named the same as the SID you found above with ADSI Edit. That’s where you need to make your changes.

You probably noted that I explicitly said to switch to a Windows Server 2008 DC above; unfortunately, ADSI Edit on Server 2003 doesn’t show the SID in a usable form, just the numeric forms mentioned above.  But, there’s still a way to get that info and it means using the LDP tool you should already be familiar with. Run LDP on the DC, connect to localhost and bind as a domain admin.  From the Browse menu, select the search option, enter your domain  as the Base DN (e.g. DC=contoso,DC=com), set the filter to search for the user you want (e.g. (CN=William Anderson) ) and set the Scope to be “Subtree”.

Click the Options button and make sure that the “Attributes” field contains “objectSid” (or “*” if you just want to see all the attributes). Click OK on the search options window and then run the search. LDP will respond with the attributes you selected in the search options, including the SID in a string format that’s actually usable.

Of course, the LDP search version works on Server 2008 as well but ADSI Edit is easier and faster on that platform.

 

Concerned About Cyber Attacks?

CLICK HERE >

Want to Migrate to the Cloud?

CLICK HERE >
Office 365

Ready to Experience Microsoft Office 365?

Want the latest IT news directly in your inbox? Subscribe now!