Hi. I need to find out how to change permissions on a registry key for a specific software package. It requires the following to have FULL Control:
HKLM\SOFTWARE
Administrators (%localmachine%\administrators)
SYSTEM
Users (%localmachine%\Users)
If Reg.exe can be used, that would be great. If it needs to be a VB file, I'd need the entire script.
Thanks!
You should be able to achieve this using regini.exe.
How to Use Regini.exe to Set Permissions on Registry Keys
How to change registry values or permissions from a command line or a script
I think you can call this from machine startup script by sticking the exe on the netlogon share, or using the -m option you can do the changes remotely. I've never tried it, but the MS knowledgebase articles should help you use it.
Incidentally, those articles refer to Windows 2000 and NT4. I've no idea if the same tool is included or will work with XP/Server 2003, but it's the best I can find for what you want to do.
Mike.
Last edited by maniac; 12th September 2008 at 09:21 PM.
Is group policy not an option?
I have used this for an old RM app that needed user access to its own keys.
Save this as .vbs and call from your login script.
Code:
' VBScript.
'
set WshShell = CreateObject("WScript.Shell")
' IN THE NEXT LINE (starting WshShell.Run..)
WshShell.Run "runas /user:administrator@domain.sch.uk ""\\server\netlogon\reg\setacl_r_snapshot.bat"""
WScript.Sleep 1000
' IN THE NEXT LINE (starting WshShell.SendKeys..)
'a) Enter an administrator password and leave the "~"
WshShell.Sendkeys "passwordhere~"
WScript.Quit()
Save this as .bat and make sure that setacl.exe is in the same folder.
Code:
REM edu-tech solutions Nov 2007
REM install registry key
regedit /s \\2100-fs01\NETLOGON\reg\rm.reg
REM set permissions on key
call "\\server\NETLOGON\reg\SetACL.exe" -on "HKEY_LOCAL_MACHINE\SOFTWARE\InterActual Technologies" -ot reg -actn ace -ace "n:domain.sch.uk\Domain Users;p:full"
call "\\server\NETLOGON\reg\SetACL.exe" -on "HKEY_LOCAL_MACHINE\SOFTWARE\Research Machines" -ot reg -actn ace -ace "n:domain.sch.uk\Domain Users;p:full"
Replace domain, server and password in the scripts with the appropriate info.
A bit messy I know, but it works.
Hope this helps.
BoX
By far the easiest way to do this is with group policy.
If you can't use group policy then run the batch file used by @Box but as a machine startup script rather than a login script. That way you don't need to use the admin password (which I really wouldn't recommend; the login script, complete with password, can be read by any of your users).
Agreed, in its current form.
I do use Microsoft's Script Encoder to obfuscate it enough that most people will not even attempt to read/decode it.
It also gets removed from its location when not in use.
BoX
Thanks to everyone for their replies. My AD guy set up a GPO to set the permissions needed.
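The machine startup script approach suggested in the thread, as an added example that is not part of any poster's code: it runs as SYSTEM at boot, so no administrator password is stored, and it grants Full Control on the application keys named in the batch file above rather than on all of HKLM\SOFTWARE. It assumes PowerShell is installed on the clients; the function name Grant-KeyFullControl is hypothetical.

```powershell
# Added example. Deploy as a computer startup script (runs as SYSTEM).
# Key paths are the ones named in the thread's batch file.
$keys = @(
    'HKLM:\SOFTWARE\InterActual Technologies',
    'HKLM:\SOFTWARE\Research Machines'
)

# Well-known SIDs, so the script does not depend on localized group names.
$sids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-545'   # BUILTIN\Users
)

$full = [System.Security.AccessControl.RegistryRights]::FullControl

function Grant-KeyFullControl([string]$Key, [string[]]$SidList) {
    if (-not (Test-Path -Path $Key)) {
        Write-Warning "Skipping missing key: $Key"
        return
    }
    $acl = Get-Acl -Path $Key
    foreach ($s in $SidList) {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($s)
        # ContainerInherit makes subkeys inherit the ACE.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $sid, $full, 'ContainerInherit', 'None', 'Allow')
        # SetAccessRule replaces any existing Allow ACEs for this identity,
        # so running the script at every boot does not pile up duplicates.
        $acl.SetAccessRule($rule)
    }
    Set-Acl -Path $Key -AclObject $acl

    # Read the ACL back and confirm each explicit ACE is present.
    $explicit = (Get-Acl -Path $Key).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($s in $SidList) {
        $ok = $explicit | Where-Object {
            $_.IdentityReference.Value -eq $s -and
            $_.AccessControlType -eq 'Allow' -and
            $_.RegistryRights -eq $full
        }
        if (-not $ok) { Write-Warning "ACE for $s not found on $Key" }
    }
}

foreach ($k in $keys) { Grant-KeyFullControl -Key $k -SidList $sids }
```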