Alright, I've got some applications here that I need to install. Instead of installing them on each individual staff machine that needs the software and have to worry about which one has it so when I re-image the staff machines they all get the software they used to have back, I've been creating an application network drive. I have a script that maps the appropriate desktop icon from each program within the network drive to the user's desktop. So far, this works great. I'm just in the testing phase.
However, we have some of these smaller applications that need to activate the first time the application is ran on each computer, or every time the application is ran for the first time that day [if the machines have Deep Freeze]. So I found out that if I export the key[s] from one machine's registry that I need for the application to work [like my own desktop in my office, the one I used to install the software on \\server\applicationshare], I can push that registry file down and install it into the systems registry with a startup script. That's great, and it works for some apps. However we have one application that needs to write back to the registry and edit the key that I push down when the computer starts up, to say the activation completed successfully on that particular machine. [This is all allowed by the way, it's a site license]. I get an error along the lines of "your key was sent [the key I pushed down in the registry] and was successfully verified, but the application cannot write to the registry". Obviously the user is a standard "user" and not an administrator, so my question is, how can I push down a registry key AND set it's permissions so users can write?
I found this:
Does that work? If so, I'm confused. What exactly does that do? If I were to follow that on my desktop here, the way I see it is that I would choose a registry key that's already on my system [like the keys from the activated software I installed to the application drive], and I'd set permissions for who can access MY key...is that how it works? Or does that extract my key and embed it in the policy somewhere and then deploy the key with those permissions? Or does it take the permissions only, and apply it to the identical keys if they exist on the machines that the gpo runs on?Originally Posted by Windows IT Pro Article
I may in fact be very close to my end goal if those instructions are correct and that's all I have to do. I just want to make sure I understand what's going on completely and that I'm doing things right.
Thanks in advance
it only sets the permissions; it won't create the key if it's not already there - browsing on your own machine just seems to be a way of making sure you don't mistype the (often long!) registry key
You can use Group Policy Preferences to set registry values - there's an overview of this here: http://www.microsoft.com/downloads/d...DisplayLang=en Note that it although it refers to 2008 server you don't actually need that; the client side stuff runs on anything from XP and you can manage it from Windows Vista, 7 or Server 2008
If the permissions are going to be set on keys under HKCU then you can do this with a login script but f it's HKLM then the user won't have permissions to set the permissions on the keys (and I'm guessing this is the case - you almost never need to change permissions on HKCU because users are supposed to be able to write to it!)
What I think would work best is to use a machine startup script to create the registry key(s) and then set the permissions in the same script.
Create a .reg file by exporting from your reg file - let's say that it's going to make changes to HKLM\Software\MySoftwareCompany and it's saved as myswsettings.reg
Your batch file will look something like this:
The regedit bit will silently load the settings you need and then setacl will make the permissions changes.Code:regedit -s \\server\share\myswsettings.reg \\server\share\SetACL.exe -ot reg -on "hklm\software\MySoftwareCompany" -actn ace -ace "n:users;p:full"
setacl is available on sourceforge. It's an amazingly useful piece of software and there are some pretty good examples on the web site (which really helps because it's pretty complicated!)
The actual code there says that you are working on an Object Type registry with Object name HKLM etc. The action you are going to make is a change to an Access Control Entry (ACE) and the ACE that you want gives full Permission to a group Named users
I'm not quite sure how you're deploying the apps to each machine but the ideal way of getting these registry keys and permissions in the right place would be to add this at install time - they're then set properly before machines get deep frozen!
link470 (15th February 2010)
There are currently 2 users browsing this thread. (0 members and 2 guests)