none
Invalid root in registry key

    Question

  • Hello Virtual help desk...

    I have deployed a legal notice script on a domain controller.
    It worked ok, so I then sent it to each workstation and after
      tweaking, it worked, but only for members of an administrator group.

    Here is the error message returned after any non administrator group user
       1) ctrl_alt+del; 2) sees message; then 3) logs in: 

    Error: //domain.local\sysvol\domain.local\policies\{somestuff}
    \user scripts\logon\legalnotice.vbs

    line: 36 (it is a comment line)

    char: 1

    Error: Invalid root in registry key "HKLM\Software|Microsoft\Windows\
       CurrentVersion\Policies\system\legalnoticecaption".

    Code: 80070005 (access denied)

    Source: WshShell.RegWrite

     

    I submitted this question to the wrong forum, but was told that all scripts that change files
     in the system directory or HKLM registry hive must be placed in Computer Configuration. 
     I had it in User configuration localsystem account and so a non administrator would
     not be able to change the HKLM hive due to insufficient rights. 
     He also said -Or I must explicity assign Write rights to users.

    Ok...

    This is what it has and now look like:

    Console Root
    ...Local Computer Policy
    ......Computer Configuration
    .........Windows Settings
    ............Scripts
    ...............Startup
    ...............legalnotice.vbs (removed after tip)

    ......User Configuration
    .........Windows Settings
    ............Scripts
    ...............Startup
    ...............legalnotice.vbs (removed after tip)


    ...Active Dirctory Users & Computers [domain controller.mydomain.local]
    ......mydomain (right click properties), Group Policy tab, gpo: legalnotice, edit

    ...legalnotice[domain controller.mydomain.local] policy
    ......Computer Configuration
    .........Windows Settings
    ............Scripts
    ...............Startup
    ...............legalnotice.vbs (***its ONLY here***)
    ......User Configuration
    .........Windows Settings
    ............Scripts
    ...............Startup
    ...............(vbs not there)

    If anyone could help me I would appreciate it.

    PS If this is not the right forum, clue me in please...

    Thanks

     

    Friday, April 03, 2009 4:18 PM

Answers

  • Hi,

     

    Thanks for your reply.

     

    Yes, as rsop.msc shows the logon script is applied which comes from the default domain policy, please logon to the domain controller as administrator and open the Default Domain Policy to remove the logon script configuration. After that, please test this issue again. You may need to wait for a while before the group policy is refreshed.

     

    As for the output issue, I notice that you missed the backslash mark between “:” and “g”. It should be “gpresult /v >c:\gpresult.txt”

     

    For your reference, you may take a look at the following article:

    http://technet.microsoft.com/en-us/library/bb742376.aspx

    • Marked as answer by WBB-LAN Wednesday, April 08, 2009 12:17 PM
    Wednesday, April 08, 2009 8:51 AM

All replies

  • Hi,

     

    Thanks for the post.

     

    From your description, I understand that the following error message is received when logging with the non administrator group user. This issue does not occur with the administrator group user.

    Error: Invalid root in registry key "HKLM\Software|Microsoft\Windows\
       CurrentVersion\Policies\system\legalnoticecaption".

    Code: 80070005 (access denied)

    Source: WshShell.RegWrite

    Moreover, you have removed the logon script from User Configuration part and moved it to Computer Configuration; however, the problem still persists.

     

    Given this situation, we infer that the script is still configured for user. Please use rsop.msc to check whether logon script is still applied.

     

    1.   Logon as a normal user who will receive the error, click Start -> Run, type "rsop.msc" in the text box, and click OK.

    2.   Locate the [User Configuration\Windows Settings\Scripts (Logon/logoff)] item.

    3.   Check the "Logon" item to see whether this policy is defined. If so, the "Source GPO" column displays the policy that defines this policy. Is it configured? If so, please check the corresponding group policy.

     

    If the problem continue, please run the "gpresult /v >c:\gpresult.txt" command when logging on as a problematic user, and then send the gpresult.txt file to me. Use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give me the download address.

     

    I look forward to your reply.

    Tuesday, April 07, 2009 10:08 AM
  • Hi Miles,

    Thanks for looking at this with me.

    You are right, the error does not show when an adminstrator logs on.

    I ran the rsop.msc and did see under item 3 it is still configured... the name is legalnotice.vbs and its labeled as default domain policy. 

    I tried to run the gpresult /v >c:gpresult.txt but could not find output. The workstation is windows xp. Should I look at the domain controller at the default domain policy?

    thanks again for your help...
    Tuesday, April 07, 2009 5:01 PM
  • Hi,

     

    Thanks for your reply.

     

    Yes, as rsop.msc shows the logon script is applied which comes from the default domain policy, please logon to the domain controller as administrator and open the Default Domain Policy to remove the logon script configuration. After that, please test this issue again. You may need to wait for a while before the group policy is refreshed.

     

    As for the output issue, I notice that you missed the backslash mark between “:” and “g”. It should be “gpresult /v >c:\gpresult.txt”

     

    For your reference, you may take a look at the following article:

    http://technet.microsoft.com/en-us/library/bb742376.aspx

    • Marked as answer by WBB-LAN Wednesday, April 08, 2009 12:17 PM
    Wednesday, April 08, 2009 8:51 AM
  • IT WORKED!

    Thanks again Miles!

    I accessed the default domain policy and removed the vbs from the user configuration area.  I did not have to wait for long for the refresh and then started testing.  The legal notice popped up but not the error message when the non admin user finished logging on.

    Wednesday, April 08, 2009 12:17 PM