When you view HKEY_USERS remotely, any SID listed is currently active on the computer. Ignore the "_Classes" keys for now. You will notice that there may be one or more SIDs from different domains/SAM databases.
HKEY_USERS\S-1-5-21-82352824-854245398-839522115-1085
HKEY_USERS\S-1-5-21-24123212-1034812195-1513859470-1416
In the above examples, the first SID is a local account on my laptop that is used to run a service. The second is my domain account.
You will need to read the location from each user.
\\$RemotePC\HKEY_USERS\S-1-5-21-82352824-854245398-839522115-1085\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Desktop
Then you can write your file to each user's location. If you only want to hit domain accounts, you can use SidToName() to try to resolve the SID. If the SID does NOT resolve, it is from the local computer or a domain that is NOT trusted. Note that on a given computer SidToName() will resolve a local SID but not the SID of any remote SAM. I have Perl code in one of my DLLs that can resolve SIDs from the perspective of remote computers.
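
The steps above in PowerShell, as an added example that is not part of the original post. It assumes the Remote Registry service is reachable on the target and that the caller has administrative rights there; `PC-EXAMPLE` is a placeholder computer name.

```powershell
# Added example. $RemotePC is a placeholder; set it to the computer to inspect.
$RemotePC = 'PC-EXAMPLE'

$shellFolders = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::Users, $RemotePC)
try {
    foreach ($name in $hku.GetSubKeyNames()) {
        # Keep only full account SIDs (S-1-5-21-<domain id>-<RID>).
        # This skips .DEFAULT, S-1-5-18/19/20 and the "_Classes" keys.
        if ($name -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }

        $sid = New-Object System.Security.Principal.SecurityIdentifier($name)

        # Translate() resolves from the perspective of the computer running
        # this script, so a SID from the remote SAM or from an untrusted
        # domain will not map to a name.
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $account = $null
        }

        # Read the Desktop value from that user's loaded hive.
        $key = $hku.OpenSubKey("$name\$shellFolders")
        $desktop = if ($key) { $key.GetValue('Desktop') } else { $null }
        if ($key) { $key.Close() }

        [pscustomobject]@{
            SID      = $name
            DomainId = $sid.AccountDomainSid.Value   # groups SIDs by domain/SAM
            Account  = $account                      # $null = did not resolve
            Desktop  = $desktop
        }
    }
} finally {
    $hku.Close()
}
```

The `Desktop` value is a path as seen on the remote computer, so writing to it from elsewhere means mapping it to a share you can reach. Rows with an empty `Account` are the unresolved SIDs the post describes.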