A customer had an issue with mail not appearing in their Inbox. Their Exchange team had advised to set a registry value under HKEY_CURRENT_USER\Software\Policies\Microsoft\Office15.0\Outlook\Options\mail
A group policy had been created to set the value, and it successfully worked on five test users. However after widespread deployment many users failed to receive the setting.
Using ProcMon with a filter to include Path Contains Software\Policies\Microsoft\Office15.0\Outlook\Options\mail we could see when gpupdate was run the result was ACCESS DENIED.
This is due to the fact the policy was set to apply current user keys “as the user”
By default users do not have write access to to keys under HKCU\Policies
While they have write access to SOFTWARE
Under Policies they only have Read access. This is to ensure a non-admin user can’t just run a script to remove/change their user based policies.
The reason it worked on the test users is they had all been from the IT department and all had local admin. That’s a bad idea, although not a new one.( https://chentiangemalc.wordpress.com/2012/04/12/an-epic-battle-of-adobe-vs-ie-vs-sap/ )
In this case the solution was not to deploy the Policies key via Group Policy Preferences. As it is a “Policies” key we downloaded the Office ADMX files from Microsoft Website (http://www.microsoft.com/en-us/download/details.aspx?id=35554) and set the policy that way.
We confirmed this fixed the issue.
What if I only knew the registry key but not the policy name? You can use this technique to quickly find it https://chentiangemalc.wordpress.com/2014/03/25/finding-prevent-performance-of-first-run-wizard-in-windows-8-1-group-policy/