Solved

Automatic registry imports

Posted on 2002-06-10
Last Modified: 2010-04-13
I would like to know if there is a way to allow a Client computer running Windows 2000 to do an automatic registry update.  Specifically, our users' logon script (from a Windows NT 4.0 Server domain) includes a line that says "Regedit /s filename.reg".  For our Win95 & Win98 machines this has worked great to make sure certain settings stay where they are supposed to.  However, several of our newer machines are Windows 2000, which gives an error message stating that it cannot access the registry when the user logs in.  Whenever an admin logs in everything runs properly, but the regular users (who are the ones we *want* to get updated) cannot import it properly.  The only way that does anything so far is to give the user local Administrator rights, but this is not practical from a security standpoint.  Any way to push the ".reg" file through without giving users admin rights?
Question by:jlamprey
6 Comments
 
LVL 63

Expert Comment

by:SysExpert
Then you need to look into the SU command, use elevated install rights, or change the registry security for the sections the users need to change.


-----------
Windows 2000 has an Always install with elevated privileges Group Policy, that directs Windows Installer to always use System permissions when installing a program.

 I quote the Resource Kit:

 This policy extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned
 to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add/Remove Programs
 in Control Panel. This policy lets users install programs which require access to directories that the user might not have permission to
 view or change, including directories on highly restricted computers.

 Skilled users can take advantage of the permissions this entry grants to change their permissions and gain permanent access to
 restricted files and folders. Note that the User Configuration version of this entry is not guaranteed to be secure.

 This policy can be implemented at Computer Configuration\Administrative Templates\Windows Components\Windows
 Installer or User Configuration\Administrative Templates\Windows Components\Windows Installer.

 When enabled, Windows Installer defaults to using System privileges for the affected users' or computers' install.

 When I enabled the policy in Computer Configuration, it did an Add Value name AlwaysInstallElevated, as a
 REG_DWORD data type, and set the data value to 1, at the following keys:

 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer

 HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer
------------

I hope this helps !
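An added example, not part of the original post or the Resource Kit text: a PowerShell audit of the AlwaysInstallElevated value described above, for finding machines where the policy was left enabled. The HKLM path is the one quoted in the post; the HKCU\Software\Policies path is assumed here as the per-user counterpart, and the function name is hypothetical.

```powershell
# Policy keys to inspect. The HKLM path appears in the post above; the HKCU
# path is an assumption of this example (per-user side of the same policy).
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\Software\Policies\Microsoft\Windows\Installer'
)

# Hypothetical helper: returns one object per key with the raw value found.
function Get-AlwaysInstallElevated {
    param([string[]]$Path)
    foreach ($key in $Path) {
        $value = $null
        if (Test-Path -LiteralPath $key) {
            # A missing value is not an error for this audit, so suppress it.
            $item = Get-ItemProperty -LiteralPath $key `
                        -Name 'AlwaysInstallElevated' `
                        -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.AlwaysInstallElevated }
        }
        [pscustomobject]@{
            Key     = $key
            Value   = $value            # $null when the key or value is absent
            Enabled = ($value -eq 1)    # REG_DWORD 1 means the policy is on
        }
    }
}

$results = @(Get-AlwaysInstallElevated -Path $policyKeys)
$results | Format-Table -AutoSize

$enabled = @($results | Where-Object { $_.Enabled })
if ($enabled.Count -eq $results.Count) {
    Write-Warning ('AlwaysInstallElevated is 1 for both machine and user: ' +
                   'Windows Installer uses System privileges for every package.')
} elseif ($enabled.Count -gt 0) {
    Write-Warning ('AlwaysInstallElevated is 1 in one hive only; ' +
                   'find and review the policy that sets it.')
} else {
    Write-Output 'AlwaysInstallElevated is not enabled.'
}
```

Run it in the context of the user being audited, since the HKCU result depends on whose profile is loaded.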
 
LVL 44

Expert Comment

by:CrazyOne
You might consider trying something like this
runas /profile /env /user:<domain>\administrator "Regedit /s filename.reg"


RUNAS USAGE:

RUNAS [/profile] [/env] [/netonly] /user:<UserName> program

   /profile        if the user's profile needs to be loaded
   /env            to use current environment instead of user's.
   /netonly        use if the credentials specified are for remote access only.
   /user           <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   program         command line for EXE.  See below for examples

Examples:
> runas /profile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

NOTE:  Enter user's password only when prompted.
NOTE:  USER@DOMAIN is not compatible with /netonly.


The Crazy One
 

Author Comment

by:jlamprey
Thank you, but most of these suggestions do not work without manually typing an admin password into the machine, and the whole point is for it to be unattended.  Changing the windows installer permissions doesn't do anything - the installer doesn't even come into the picture, as it is a straight registry entry.  No matter how many times I try to give users permissions to access their own registry using the registry permissions in regedt32.exe, it will not allow them in unless an admin logs in.
 
LVL 63

Accepted Solution

by:
SysExpert earned 200 total points
This tip may help out in general.

3063 » How can I configure the RunAs utility to NOT prompt for a password?

 "The Runas utility is primarily designed to allow administrators to logon as an ordinary user, but to invoke a secondary logon,
 without logging off, in order to run administrative tools with administrator rights and permissions."

 The RunAs utility prompts for a password when run and can NOT be pre-configured with the password.

 The Microsoft solution is to use the SU.EXE tool.

 There is another alternative, if the task may be run in the background:

 01. Use Start / Programs / Accessories / System Tools / Scheduled Tasks to create a task.

 02. Browse for a batch file, program, or schedule CMD.EXE.

 03. Set the task to run One time only.

 04. Set the time in the past by clicking the minutes and changing them.

 05. Set the credentials of the user you want to run this background job.

 06. Check Open advanced properties for this task when I click Finish, if you need to do step 08 or 09.

 07. Press Finish.

 08. If you scheduled CMD.exe, modify the Run line on the Task tab. This will force you to re-enter the credentials.

 09. If you don't want to leave this task in Scheduled Tasks after it runs, check the Delete the task if it is not scheduled to
 run again box on the Settings tab.

 10. In Scheduled Tasks, right-click the task and press Run.
----------------------
 
LVL 1

Expert Comment

by:netwiz562
---- CLEAN UP ----

jlamprey,
No comment has been added lately (404 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: [ Award points to SysExpert ]

Please leave any comments here within the next seven days.

¡PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

------------------------------
Rajiv Makhijani
EE Cleanup Volunteer