Setting security for Registry and Filesystem (more than cacls!) by batch

Posted on 2000-04-03
Last Modified: 2013-12-28

for an unattended installation of NT-Workstation I need a way to set the permissions on Registry anmd Filesystem by performing a batch run.

For doing that, I need commandline tools  for setting the permission (freeware if possible, commercial software if necessary).

I need a too for registry permissions in general and I need a tool which can do more than the resource Kit cacls for the File System. At the filesystem I want to set the combination Read Write Delet (without execute) and read execute for restricting the users from copying executable files to the harddisk and execute those.

Thanks for help

Question by:jbreuer
  • 3
  • 2
  • 2
  • +1
LVL 23

Expert Comment

by:Tim Holman
ID: 2681394
REGADD or ADDREG - can't remember !
....can do this.
Use XCACLS to set specific permissions.
By far the best way is to use system policies, then you don't have to bother with .reg files / regkey permissions.

Expert Comment

ID: 2682211
Micro soft has an nifty app called Security Configuration Manager.  
Your best bet for registry is to use policies. NT ZAK has a good .adm template for that.

DO NOT use the zero admin NTFS script as is, it can screw things up nicely.

On the site they have a little script called securent. There are several batch files.

You can check out the ZAK and securent batch files and edit them to your liking. be very careful though.

Author Comment

ID: 2692752
Adjusted points from 100 to 200
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.


Author Comment

ID: 2692753
Okay, the xcacls tool solves the first part of my problem but I'm still looking for a way to set the registry rights within a batch procedure.
LVL 23

Expert Comment

by:Tim Holman
ID: 2692812
Have you tried REGINI ?
That lets you set ACLs on registry keys.
Check the Resource Kit Tools Overview for details.

Expert Comment

ID: 2754742
for ntfs use xcacls.exe, for services SRVSEC.EXE, for shares SHRSEC.EXE (all from NT Resource Kit). For Registy Keys (and other NT objects), you can use SUBINACL.EXE (by Luc Talpe/Microsoft). I guess, this one is on NT Res Kit, too.


Author Comment

ID: 2773637
I can't see how SUBINACL.exe should be able to set ACL on specific registry keys or Hives.
It only transfers Information from user to user or domain to domain.
How would I use this for my purpose ??

Accepted Solution

rasty earned 200 total points
ID: 2773855
You can edit registry ACLs with subinacl.exe...

SubInAcl Editing Features
SubInAcl allows you to modify each part of a a security descriptor:

See /owner=SID or /setowner=SID
primary group
see /setprimarygroup=GroupSID
system ACL (SubInAcl name = Audit ACL) with access control entries or ACEs (SubInAcl name = AAce = Audit ACE)
see /audit /aace=xxx
discretionary ACL (SubInAcl name = Perm ACL ) with Access Control Entries (SubInAcl name= PAce = Perm ACE)
see /perm /pace=xxx, /revoke=SID, /grant=SID=Access, and /deny=SID

You can use secadd for giving a user registry access:

secadd [-l KeyName] [-r \\ServerName KeyName] [-l -a KeyName UserName] [-r -a \\ServerName KeyName UserName]

You can still buy ntsec from They have good tools for modifying acls.


Featured Post

ScreenConnect 6.0 Free Trial

Check out the updates in one game-changing release, ScreenConnect 6.0, based on partner feedback. New features include a redesigned UI that improves session organization and overall user experience. See the enhancements for yourself!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
How to record audio from input sources to your PC – connected devices, connected preamp to record vinyl discs, streaming media, that play through your audio card: Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10 – both 32 bit & 64.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

823 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question