+ Post New Thread
Page 3 of 3 FirstFirst 123
Results 31 to 36 of 36
Windows Server 2000/2003 Thread, I'm stuck !! Group Policy Registry Keys in Technical; Code: /subkeyreg ? not tested though or create key, change permissions, create values. inhereited permissions? BoX...
  1. #31
    box_l's Avatar
    Join Date
    May 2007
    Location
    Herefordshire
    Posts
    429
    Thank Post
    70
    Thanked 90 Times in 75 Posts
    Rep Power
    61
    Code:
    /subkeyreg
    ? not tested though

    or create key,
    change permissions,
    create values. inhereited permissions?

    BoX

  2. Thanks to box_l from:

    link470 (16th February 2010)

  3. #32
    link470's Avatar
    Join Date
    Nov 2007
    Location
    Canada
    Posts
    250
    Thank Post
    85
    Thanked 8 Times in 6 Posts
    Rep Power
    15
    Sounds good, thanks! I'll give that a shot. Now here's a question of security. Does leaving subinacl in your netlogon folder pose a security risk if say, a skilled user [and this is highly unlikely, just thought I'd throw it out there as a huge IF] managed to open the netlogon folder, view the exe in there, know what it was for, and use it? The command line and registry are restricted, as well as running your own bat and vbs scripts. I don't think it can be used in any way by a user to edit permissions. Would it even be able to run as a user? This is a startup script at the moment to make those changes.

  4. #33

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,807
    Thank Post
    3,320
    Thanked 1,056 Times in 977 Posts
    Rep Power
    365
    Quote Originally Posted by link470 View Post
    Sounds good, thanks! I'll give that a shot. Now here's a question of security. Does leaving subinacl in your netlogon folder pose a security risk if say, a skilled user [and this is highly unlikely, just thought I'd throw it out there as a huge IF] managed to open the netlogon folder, view the exe in there, know what it was for, and use it? The command line and registry are restricted, as well as running your own bat and vbs scripts. I don't think it can be used in any way by a user to edit permissions. Would it even be able to run as a user? This is a startup script at the moment to make those changes.
    Could you not create a folder in the netlogon folder and only give a specific user account and the system access rights to that folder so that when the script runs it and the one account are the only ones allowed to access or use any items in that folder ( the one account most likely being a domain admin )

    Not sure if that would work if ntfs perms are being applied from above ??

    Other then that I would create a hidden share where its located that all the computers can access but with strict ntfs perms

  5. #34


    Join Date
    Mar 2009
    Location
    Leeds
    Posts
    6,646
    Thank Post
    229
    Thanked 865 Times in 743 Posts
    Rep Power
    297
    Quote Originally Posted by mac_shinobi View Post
    Could you not create a folder in the netlogon folder and only give a specific user account and the system access rights to that folder so that when the script runs it and the one account are the only ones allowed to access or use any items in that folder ( the one account most likely being a domain admin )

    Not sure if that would work if ntfs perms are being applied from above ??

    Other then that I would create a hidden share where its located that all the computers can access but with strict ntfs perms
    or just script copying it to the windows or other local dir thats pathed and locked down

  6. #35

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,225
    Thank Post
    874
    Thanked 2,717 Times in 2,302 Posts
    Blog Entries
    11
    Rep Power
    780
    Quote Originally Posted by link470 View Post
    Sounds good, thanks! I'll give that a shot. Now here's a question of security. Does leaving subinacl in your netlogon folder pose a security risk if say, a skilled user [and this is highly unlikely, just thought I'd throw it out there as a huge IF] managed to open the netlogon folder, view the exe in there, know what it was for, and use it? The command line and registry are restricted, as well as running your own bat and vbs scripts. I don't think it can be used in any way by a user to edit permissions. Would it even be able to run as a user? This is a startup script at the moment to make those changes.
    This may not be an issue, the subinacl program should work in the user context that runs it, unless your users are administrators they should not be able to take ownership of files and so should not be able to alter the permissions. It may be a lower level tool that that so it is worth a test but it will probably be a non issue as windows is likely to prevent it.

  7. Thanks to SYNACK from:

    link470 (17th February 2010)

  8. #36
    OverWorked's Avatar
    Join Date
    Jul 2005
    Location
    N. Yorks
    Posts
    1,014
    Thank Post
    198
    Thanked 42 Times in 34 Posts
    Rep Power
    30
    Do what ZeroHour and HullFC have suggested. GP preferences aren't there by default in server 2003, but appear when you upgrade the schema for Vista and manage it from Vista. It's been a while since I did mine, so can't remember how it's done. Anyway when it's done it's a doddle to set registry values.

    See this - it's actually simpler than it looks, and better than running .reg scripts.

  9. 2 Thanks to OverWorked:

    link470 (22nd February 2010), mattx (17th February 2010)

SHARE:
+ Post New Thread
Page 3 of 3 FirstFirst 123

Similar Threads

  1. Disabling sticky keys via group policy
    By timbo343 in forum Windows
    Replies: 28
    Last Post: 25th January 2013, 11:41 AM
  2. VB Delete registry keys with sub keys
    By cookie_monster in forum Scripts
    Replies: 1
    Last Post: 6th November 2009, 08:57 AM
  3. Replies: 9
    Last Post: 10th February 2009, 02:46 AM
  4. Group policy
    By ricki in forum Wireless Networks
    Replies: 5
    Last Post: 29th February 2008, 01:40 PM
  5. Group Policy OU's
    By iownitcouk in forum Windows
    Replies: 3
    Last Post: 23rd February 2008, 02:24 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •