  1. #1
    link470

    Change registry permissions via GPO

    Alright, I've got some applications here that I need to install. Instead of installing them on each individual staff machine that needs the software and have to worry about which one has it so when I re-image the staff machines they all get the software they used to have back, I've been creating an application network drive. I have a script that maps the appropriate desktop icon from each program within the network drive to the user's desktop. So far, this works great. I'm just in the testing phase.

    However, we have some of these smaller applications that need to activate the first time the application is run on each computer, or every time the application is run for the first time that day [if the machines have Deep Freeze]. So I found out that if I export the key[s] from one machine's registry that I need for the application to work [like my own desktop in my office, the one I used to install the software on \\server\applicationshare], I can push that registry file down and install it into the system's registry with a startup script. That's great, and it works for some apps. However, we have one application that needs to write back to the registry and edit the key that I push down when the computer starts up, to say the activation completed successfully on that particular machine. [This is all allowed by the way, it's a site license]. I get an error along the lines of "your key was sent [the key I pushed down in the registry] and was successfully verified, but the application cannot write to the registry". Obviously the user is a standard "user" and not an administrator, so my question is, how can I push down a registry key AND set its permissions so users can write?

    I found this:

    Quote Originally Posted by Windows IT Pro Article

    How do I use Group Policy to set Registry permissions?
    1. Open the policy you wish to use in the Group Policy Editor.

    2. Navigate to Computer Configuration / Windows Settings / Security Settings / Registry.

    3. Right-click Registry and press Add Key.

    4. Browse to the registry key whose permissions you wish to configure, select it, and press OK.

    5. In the Database Security for <KeyName> dialog, set the permissions and press Apply and OK.

    6. In the Add Object dialog, make your selection and press OK.

    Does that work? If so, I'm confused. What exactly does that do? If I were to follow that on my desktop here, the way I see it is that I would choose a registry key that's already on my system [like the keys from the activated software I installed to the application drive], and I'd set permissions for who can access MY key... is that how it works? Or does that extract my key and embed it in the policy somewhere and then deploy the key with those permissions? Or does it take the permissions only, and apply it to the identical keys if they exist on the machines that the GPO runs on?

    I may in fact be very close to my end goal if those instructions are correct and that's all I have to do. I just want to make sure I understand what's going on completely and that I'm doing things right.

    Thanks in advance

  2. #2
    bio
    Quote Originally Posted by link470 View Post
    Or does that extract my key and embed it in the policy somewhere and then deploy the key with those permissions? Or does it take the permissions only, and apply it to the identical keys if they exist on the machines that the gpo runs on?

    It's either of these two. My guess is it will be the first one, based on creating custom ADM files myself. If a key didn't exist it would create the key automatically... but to be sure I would simply try it out on a test OU with a test machine. Would love to hear the outcome.

    good luck

    bio..

  3. #3

    It only sets the permissions; it won't create the key if it's not already there - browsing on your own machine just seems to be a way of making sure you don't mistype the (often long!) registry key.

    You can use Group Policy Preferences to set registry values - there's an overview of this here: http://www.microsoft.com/downloads/d...DisplayLang=en Note that although it refers to 2008 server you don't actually need that; the client side stuff runs on anything from XP and you can manage it from Windows Vista, 7 or Server 2008.

  4. #4
    link470
    Quote Originally Posted by srochford View Post
    it only sets the permissions; it won't create the key if it's not already there - browsing on your own machine just seems to be a way of making sure you don't mistype the (often long!) registry key

    Thanks for the info! So, the only problem with that is the registry key will be pushed down at computer startup, should I set the permissions with a batch file at login? The registry keys will have to be there first. So if I make them both startup scripts, and the permissions one happens to execute before the registry add one, then the keys will be added but no permissions will be set because the permission script already came and went because there were no keys to edit the permissions on. Is this right? If it is, is that the best way to do it? Startup script = add keys. Login script = edit permissions?

  5. #5

    If the permissions are going to be set on keys under HKCU then you can do this with a login script, but if it's HKLM then the user won't have permissions to set the permissions on the keys (and I'm guessing this is the case - you almost never need to change permissions on HKCU because users are supposed to be able to write to it!)

    What I think would work best is to use a machine startup script to create the registry key(s) and then set the permissions in the same script.

    Create a .reg file by exporting from your reg file - let's say that it's going to make changes to HKLM\Software\MySoftwareCompany and it's saved as myswsettings.reg

    Your batch file will look something like this:
    Code:
    regedit -s \\server\share\myswsettings.reg
    \\server\share\SetACL.exe -ot reg -on "hklm\software\MySoftwareCompany" -actn ace -ace "n:users;p:full"

    The regedit bit will silently load the settings you need and then setacl will make the permissions changes.

    setacl is available on sourceforge. It's an amazingly useful piece of software and there are some pretty good examples on the web site (which really helps because it's pretty complicated!)

    The actual code there says that you are working on an Object Type registry with Object name HKLM etc. The action you are going to make is a change to an Access Control Entry (ACE) and the ACE that you want gives full Permission to a group Named users.

    I'm not quite sure how you're deploying the apps to each machine but the ideal way of getting these registry keys and permissions in the right place would be to add this at install time - they're then set properly before machines get deep frozen!

  6. Thanks to srochford from:

    link470 (15th February 2010)
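
The single-script ordering from post #5 (import the key, then set its ACL), as an added PowerShell example that is not part of the original posts. It reuses the post's placeholder names (`\\server\share\myswsettings.reg`, `HKLM\Software\MySoftwareCompany`) and, as an assumption about what the application needs, grants the Users group only read, set-value and create-subkey rights on that one key rather than full control.

```powershell
# Added example: machine startup script (runs as SYSTEM). Not from the thread.
# Path and key name are the placeholders used in post #5.
$regFile = '\\server\share\myswsettings.reg'
$keyPath = 'HKLM:\Software\MySoftwareCompany'

# 1. Import the exported key first and check the result, so the ACL step
#    never runs against a key that does not exist yet.
& reg.exe import $regFile
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $keyPath)) {
    Write-Error "Import of $regFile failed; permissions left unchanged."
    exit 1
}

# 2. Build an ACE for BUILTIN\Users by well-known SID, which also
#    resolves on non-English installs where the group name differs.
$users = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
# Assumption: the application only needs to read, write values and
# create subkeys. Widen this only if activation still fails.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $users,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# 3. Add the ACE to this key only; existing entries stay in place.
$acl = Get-Acl -Path $keyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4. List the entries that now apply to Users (explicit and inherited)
#    so the change can be reviewed in the startup log.
$sidType = [System.Security.Principal.SecurityIdentifier]
(Get-Acl -Path $keyPath).GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $users.Value } |
    Format-List RegistryRights, AccessControlType, IsInherited
```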

  7. #6
    box_l
    Or subinacl.exe

    Check my second post on this page, I'm stuck!! Group Policy Registry Keys..
    BoX
