[Wheelgunr]

Hi. I need to find out how to change permissions on a registry key for a specific software package. It requires the following to have FULL Control:

HKLM\SOFTWARE
Administrators (%localmachine%\administrators)
SYSTEM
Users (%localmachine%\Users)

If Reg.exe can be used, that would be great. If it needs to be a VB file, I'd need the entire script.

Thanks!

[maniac]

You should be able to achieve this using regini.exe

How to Use Regini.exe to Set Permissions on Registry Keys
How to change registry values or permissions from a command line or a script

I think you can call this from machine startup script by sticking the exe on the netlogon share, or using the -m option you can do the changes remotely. I've never tried it, but the MS knowledgebase articles should help you use it.

Incidently those articles refer to windows 2000 and NT4, I've no idea if the same tool is included or will work with XP/server 2003 but it's the best I can find for what you want to do.

Mike.

[meastaugh1]

Is group policy not an option?

[box_l]

i have used this for an old RM app that needed user access to its own keys

save this as .vbs and call from your login script

Code:

'  VBScript.

'  

set WshShell = CreateObject("WScript.Shell")

' IN THE NEXT LINE (starting WshShell.Run..)


WshShell.Run "runas /user:administrator@domain.sch.uk ""\\server\netlogon\reg\setacl_r_snapshot.bat"""

WScript.Sleep 1000

' IN THE NEXT LINE (starting WshShell.SendKeys..)

'a) Enter an administrator password and leave the "~"

WshShell.Sendkeys "passwordhere~"

WScript.Quit()

save this as .bat

Code:

'edu-tech solutions Nov 2007

' install registry key

regedit /s \\2100-fs01\NETLOGON\reg\rm.reg

' set permissions on key
call "\\server\NETLOGON\reg\SetACL.exe" -on "HKEY_LOCAL_MACHINE\SOFTWARE\InterActual Technologies" -ot reg -actn ace -ace "n:domain.sch.uk\Domain Users;p:full"
call "\\server\NETLOGON\reg\SetACL.exe" -on "HKEY_LOCAL_MACHINE\SOFTWARE\Research Machines" -ot reg -actn ace -ace "n:domain.sch.uk\Domain Users;p:full"

and make sure that setacl.exe is in the same folder.

replace domain, server iand password in the scripts with the appropriate info

a bit messy i know, but it works.

hope this helps.

BoX

[srochford]

By far the easiest way to do this is with group policy.

If you can't use group policy then run the batch file used by @Box but as a machine startup script rather than a login script . That way you don't need to use the admin password (which I really wouldn't recommend; the login script, complete with password, can be read by any of your users)

[box_l]

agreed, in its current form.

i do use microsofts script encoder to obfuscate it enough that most people will not even attempt to read/decode it.

it also gets removed from its location when not in use.

BoX

[Wheelgunr]

Thanks to everyone for their replies. My AD guy set up a GPO to set the permissions needed.