What is the default permissions set for HKEY_CURRENT_USER when a roaming
profile is created?

I was thinking the \Default user\NTUSER.DAT was copied to a new user profile
but the permission from the \Default user\NTUSER.DAT are not copied to the
new user profile.

Any idea?
Stéphane Lamarche
lamarches@hot nospam mail.com

> What is the default permissions set for HKEY_CURRENT_USER when a roaming
> profile is created?

BUILTIN\Administrators: Full Control
%userdomain%\%username%: Full Control
NT AUTHORITY\SYSTEM: Full Control

> I was thinking the \Default user\NTUSER.DAT was copied to a new user
profile
> but the permission from the \Default user\NTUSER.DAT are not copied to the
> new user profile.

It copies that just fine, but it reassigns the permissions on first use. It
also does this with the files in \Default User. I suspect it creates a
blank HKEY_CURRENT_USER with the default permissions, and then copies the
default user Registry with Registry APIs, rather than copy the file itself.
Or it copies the file and then rewrites the permissions inside it.

If you make changes to the default profile, make sure BUILTIN\Users still
has read access to the end result.

HKEY_CURRENT_USER is supposed to allow full control to the current user,
giving properly designed apps a place to write their settings while not
affecting HKEY_LOCAL_MACHINE and other areas. I don't know of any security
risk to the machine, or the domain, by granting this access to this key.

--
PGP key (0x0AFA039E): >
Prevent problems before they happen and help others avoid bad design.
<http://www.pan-am.ca/antiwindowscatalog/>