Change registry permissions via GPO

Printable View

11th February 2010, 08:35 PM
link470

Change registry permissions via GPO

Alright, I've got some applications here that I need to install. Instead of installing them on each individual staff machine that needs the software and have to worry about which one has it so when I re-image the staff machines they all get the software they used to have back, I've been creating an application network drive. I have a script that maps the appropriate desktop icon from each program within the network drive to the user's desktop. So far, this works great. I'm just in the testing phase.

However, we have some of these smaller applications that need to activate the first time the application is ran on each computer, or every time the application is ran for the first time that day [if the machines have Deep Freeze]. So I found out that if I export the key[s] from one machine's registry that I need for the application to work [like my own desktop in my office, the one I used to install the software on \\server\applicationshare], I can push that registry file down and install it into the systems registry with a startup script. That's great, and it works for some apps. However we have one application that needs to write back to the registry and edit the key that I push down when the computer starts up, to say the activation completed successfully on that particular machine. [This is all allowed by the way, it's a site license]. I get an error along the lines of "your key was sent [the key I pushed down in the registry] and was successfully verified, but the application cannot write to the registry". Obviously the user is a standard "user" and not an administrator, so my question is, how can I push down a registry key AND set it's permissions so users can write?

I found this:

Quote:

Originally Posted by Windows IT Pro Article

How do I use Group Policy to set Registry permissions?
1. Open the policy you wish to use in the Group Policy Editor.

2. Navigate to Computer Configuration / Windows Settings / Security Settings / Registry.

3. Right-click Registry and press Add Key.

4. Browse to the registry key whose permissions you wish to configure, select it, and press OK.

5. In the Database Security for <KeyName> dialog, set the permissions and press Apply and OK.

6. In the Add Object dialog, make your selection and press OK.

Does that work? If so, I'm confused. What exactly does that do? If I were to follow that on my desktop here, the way I see it is that I would choose a registry key that's already on my system [like the keys from the activated software I installed to the application drive], and I'd set permissions for who can access MY key...is that how it works? Or does that extract my key and embed it in the policy somewhere and then deploy the key with those permissions? Or does it take the permissions only, and apply it to the identical keys if they exist on the machines that the gpo runs on?

I may in fact be very close to my end goal if those instructions are correct and that's all I have to do. I just want to make sure I understand what's going on completely and that I'm doing things right.

Thanks in advance :D
12th February 2010, 07:24 AM
bio

Quote:

Originally Posted by link470

Or does that extract my key and embed it in the policy somewhere and then deploy the key with those permissions? Or does it take the permissions only, and apply it to the identical keys if they exist on the machines that the gpo runs on?

Its either of these two. My guess it will be the first one :) based on creating custom ADM files my self. If an key didn't exist it would create the key automatically..... .. but to be sure i would simply try it out on an test OU with a test machine. Would love to hear the outcome.

good luck

bio..
12th February 2010, 08:05 AM
srochford

it only sets the permissions; it won't create the key if it's not already there - browsing on your own machine just seems to be a way of making sure you don't mistype the (often long!) registry key

You can use Group Policy Preferences to set registry values - there's an overview of this here: http://www.microsoft.com/downloads/d...DisplayLang=en Note that it although it refers to 2008 server you don't actually need that; the client side stuff runs on anything from XP and you can manage it from Windows Vista, 7 or Server 2008
12th February 2010, 07:55 PM
link470

Quote:

Originally Posted by srochford

it only sets the permissions; it won't create the key if it's not already there - browsing on your own machine just seems to be a way of making sure you don't mistype the (often long!) registry key

Thanks for the info! So, the only problem with that is the registry key will be pushed down at computer startup, should I set the permissions with a batch file at login? The registry keys will have to be there first. So if I make them both startup scripts, and the permissions one happens to execute before the registry add one, then the keys will be added but no permissions will be set because the permission script already came and went because there was no keys to edit the permissions on. Is this right? If it is, is that the best way to do it? Startup script = add keys. Login script = edit permissions?
14th February 2010, 06:24 PM
srochford

If the permissions are going to be set on keys under HKCU then you can do this with a login script but f it's HKLM then the user won't have permissions to set the permissions on the keys (and I'm guessing this is the case - you almost never need to change permissions on HKCU because users are supposed to be able to write to it!)

What I think would work best is to use a machine startup script to create the registry key(s) and then set the permissions in the same script.

Create a .reg file by exporting from your reg file - let's say that it's going to make changes to HKLM\Software\MySoftwareCompany and it's saved as myswsettings.reg

Your batch file will look something like this:

Code:

regedit -s \\server\share\myswsettings.reg \\server\share\SetACL.exe -ot reg -on "hklm\software\MySoftwareCompany" -actn ace -ace "n:users;p:full"

The regedit bit will silently load the settings you need and then setacl will make the permissions changes.

setacl is available on sourceforge. It's an amazingly useful piece of software and there are some pretty good examples on the web site (which really helps because it's pretty complicated!)

The actual code there says that you are working on an Object Type registry with Object name HKLM etc. The action you are going to make is a change to an Access Control Entry (ACE) and the ACE that you want gives full Permission to a group Named users

I'm not quite sure how you're deploying the apps to each machine but the ideal way of getting these registry keys and permissions in the right place would be to add this at install time - they're then set properly before machines get deep frozen!
14th February 2010, 07:24 PM
box_l

Or subinacl.exe

check my second post on this page, http://www.edugeek.net/forums/window...ry-keys-2.html..
BoX