Windows Thread, Change registry permissions via GPO in Technical; Alright, I've got some applications here that I need to install. Instead of installing them on each individual staff machine ...
11th February 2010, 08:35 PM #1
Change registry permissions via GPO
Alright, I've got some applications here that I need to install. Instead of installing them on each individual staff machine that needs the software and have to worry about which one has it so when I re-image the staff machines they all get the software they used to have back, I've been creating an application network drive. I have a script that maps the appropriate desktop icon from each program within the network drive to the user's desktop. So far, this works great. I'm just in the testing phase.
However, we have some of these smaller applications that need to activate the first time the application is ran on each computer, or every time the application is ran for the first time that day [if the machines have Deep Freeze]. So I found out that if I export the key[s] from one machine's registry that I need for the application to work [like my own desktop in my office, the one I used to install the software on \\server\applicationshare], I can push that registry file down and install it into the systems registry with a startup script. That's great, and it works for some apps. However we have one application that needs to write back to the registry and edit the key that I push down when the computer starts up, to say the activation completed successfully on that particular machine. [This is all allowed by the way, it's a site license]. I get an error along the lines of "your key was sent [the key I pushed down in the registry] and was successfully verified, but the application cannot write to the registry". Obviously the user is a standard "user" and not an administrator, so my question is, how can I push down a registry key AND set it's permissions so users can write?
I found this:
Does that work? If so, I'm confused. What exactly does that do? If I were to follow that on my desktop here, the way I see it is that I would choose a registry key that's already on my system [like the keys from the activated software I installed to the application drive], and I'd set permissions for who can access MY key...is that how it works? Or does that extract my key and embed it in the policy somewhere and then deploy the key with those permissions? Or does it take the permissions only, and apply it to the identical keys if they exist on the machines that the gpo runs on?
Originally Posted by Windows IT Pro Article
I may in fact be very close to my end goal if those instructions are correct and that's all I have to do. I just want to make sure I understand what's going on completely and that I'm doing things right.
Thanks in advance
IDG Tech News
12th February 2010, 07:24 AM #2
Its either of these two. My guess it will be the first one based on creating custom ADM files my self. If an key didn't exist it would create the key automatically..... .. but to be sure i would simply try it out on an test OU with a test machine. Would love to hear the outcome.
Originally Posted by link470
12th February 2010, 08:05 AM #3
it only sets the permissions; it won't create the key if it's not already there - browsing on your own machine just seems to be a way of making sure you don't mistype the (often long!) registry key
You can use Group Policy Preferences to set registry values - there's an overview of this here: http://www.microsoft.com/downloads/d...DisplayLang=en Note that it although it refers to 2008 server you don't actually need that; the client side stuff runs on anything from XP and you can manage it from Windows Vista, 7 or Server 2008
12th February 2010, 07:55 PM #4
Thanks for the info! So, the only problem with that is the registry key will be pushed down at computer startup, should I set the permissions with a batch file at login? The registry keys will have to be there first. So if I make them both startup scripts, and the permissions one happens to execute before the registry add one, then the keys will be added but no permissions will be set because the permission script already came and went because there was no keys to edit the permissions on. Is this right? If it is, is that the best way to do it? Startup script = add keys. Login script = edit permissions?
Originally Posted by srochford
14th February 2010, 06:24 PM #5
If the permissions are going to be set on keys under HKCU then you can do this with a login script but f it's HKLM then the user won't have permissions to set the permissions on the keys (and I'm guessing this is the case - you almost never need to change permissions on HKCU because users are supposed to be able to write to it!)
What I think would work best is to use a machine startup script to create the registry key(s) and then set the permissions in the same script.
Create a .reg file by exporting from your reg file - let's say that it's going to make changes to HKLM\Software\MySoftwareCompany and it's saved as myswsettings.reg
Your batch file will look something like this:
The regedit bit will silently load the settings you need and then setacl will make the permissions changes.
regedit -s \\server\share\myswsettings.reg
\\server\share\SetACL.exe -ot reg -on "hklm\software\MySoftwareCompany" -actn ace -ace "n:users;p:full"
setacl is available on sourceforge. It's an amazingly useful piece of software and there are some pretty good examples on the web site (which really helps because it's pretty complicated!)
The actual code there says that you are working on an Object Type registry with Object name HKLM etc. The action you are going to make is a change to an Access Control Entry (ACE) and the ACE that you want gives full Permission to a group Named users
I'm not quite sure how you're deploying the apps to each machine but the ideal way of getting these registry keys and permissions in the right place would be to add this at install time - they're then set properly before machines get deep frozen!
Thanks to srochford from:
link470 (15th February 2010)
14th February 2010, 07:24 PM #6
check my second post on this page, I'm stuck !! Group Policy Registry Keys..
By smad in forum Windows Server 2008
Last Post: 20th October 2008, 08:33 AM
By Wheelgunr in forum Windows
Last Post: 18th September 2008, 02:14 PM
By DaveP in forum Windows
Last Post: 7th March 2007, 12:57 PM
By Geoff in forum Windows
Last Post: 23rd January 2006, 03:24 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)