background first:
the shop is on OES11SP3 and ZCM11.3.2FTF1, they try to communicate via exchange and outlook 2010. WS are NOT domain members, they're using ZCM DLU and roaming profile policies which work fine in and of themselves. as long as it doesn't come to outlook...
for all ordinary user accounts (without local admin rights) it's the first box they log into which "wins", i.e. user logs into PCA, gets his (properly prepared) initial profile pulled down, starts outlook and gets his mapi profile created. now when he shuts down PCA, logs into PCB he can't start outlook. as the mapi profile creation on PCA has changed relevant registry rights for
hkcu\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
on the "Windows Messaging Subsystem" level things are still all right, i.e. we still have full control for everyone and inheritance. this stops at the "Profiles" level which cannot be accessed without admin rights.
thought about something like
setacl -on "hkcu\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem" -ot reg -actn rstchldrn -rst "dacl"
to reset everything to defaults. the problem is that neither the "system" nor a temporary admin account can hit the desired hive as "system" has no idea of a "current user" and for a dynamic admin the current user is the dynamic admin himself.
i've tried to start with an action which adds the user to the administrators group. basically this works fine but in order to bring the elevated rights into effect it requires a new login.

any ideas on how to handle this? or even better: any suggestions on how to bring outlook 2010 and ZCM DLU/roaming profiles together?
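
The observation above that "system" has no idea of a "current user" follows from HKCU being an alias for HKEY_USERS\<SID> of whichever account runs the process. As an added example (not part of the original post), this PowerShell function reads the DACL of the two keys named in the post through the user's SID instead of HKCU; the function name and the sample account 'PCB\jdoe' are hypothetical, and it assumes the user is logged on and the caller (admin or SYSTEM) is allowed to read the keys.

```powershell
# Added example: inspect the DACL of a logged-on user's MAPI keys from an
# elevated or SYSTEM context. Function and parameter names are hypothetical.
function Get-MapiProfileKeyAcl {
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserName   # e.g. 'PCB\jdoe' (constructed sample value)
    )

    # HKCU only ever points at the hive of the calling account, so resolve
    # the target user's SID and address HKEY_USERS\<SID> directly.
    $account = New-Object System.Security.Principal.NTAccount($UserName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $hive   = "Registry::HKEY_USERS\$sid"
    $subKey = 'Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem'

    # The hive is mounted under HKEY_USERS only while the user is logged on.
    if (-not (Test-Path -Path $hive)) {
        throw "Hive for $UserName ($sid) is not loaded; the user must be logged on."
    }

    # Compare the parent key (still inheriting, per the post) with "Profiles".
    foreach ($path in "$hive\$subKey", "$hive\$subKey\Profiles") {
        if (-not (Test-Path -Path $path)) { continue }
        $acl = Get-Acl -Path $path
        New-Object PSObject -Property @{
            Path               = $path
            Owner              = $acl.Owner
            # True means inheritance from the parent key has been switched off.
            InheritanceBlocked = $acl.AreAccessRulesProtected
            # An IdentityReference printed as a raw S-1-5-... string is a SID
            # that this machine cannot resolve to an account name.
            Rules              = @($acl.Access | ForEach-Object {
                '{0}: {1} {2} (inherited={3})' -f $_.IdentityReference,
                    $_.AccessControlType, $_.RegistryRights, $_.IsInherited
            })
        }
    }
}

Get-MapiProfileKeyAcl -UserName 'PCB\jdoe' |
    Format-List Path, Owner, InheritanceBlocked, Rules
```

Running it on PCA and PCB for the same account and comparing the two outputs shows which entries on "Profiles" differ from the inherited ones on the parent key.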