
Changing Registry Permissions with SubInACL.exe

Apparently the winexit.scr screen saver doesn't work for users.

http://support.microsoft.com/?kbid=156677

I need to go in and change the registry key permissions.

Manually, this is a no-goer, but I could run a special one-time only script to do it. Apparently, I need to use some software called SubInACL.exe

Can anyone please provide some simple instructions as to how I might write this script?

Thanks

2 Solutions
 
grsteed commented:
Try this

1. Download and install subinacl from:

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en 

2. Create a file named reset.cmd in the C:\Program Files\Windows Resource Kits\Tools folder.

3. Edit the reset.cmd file with the following content.

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f

4. Open a CMD prompt.

5. Enter the following commands one at a time, pressing Enter after each.

cd\
cd "C:\Program Files\Windows Resource Kits\Tools"
reset.cmd

6. After subinacl has spent a few minutes processing, please test the problem again.

Cheers,

Gary
Jason210 (Author) commented:
Thanks Gary.

This is all new stuff to me - and before I try or test anything I need to fully understand it first.

I'll just explain the system. We have a system with a Windows 2003 server, and about 40 workstations and 100 users. The users use the workstations, and change around a lot. Sometimes they forget to log off. So winexit.scr is going to be the solution to that. Winexit.scr has been deployed, and the appropriate GPs to utilise it have been enabled and configured. There remains the registry key permissions issue for each user.

Can you explain what this reset.cmd file is doing and where it should be executed (on each workstation?). I'm not very good with the registry. This appears to be granting full rights to administrators and system, but those levels should already have those rights anyway. I just don't see how it would help, since it's non-administrators who must have access. The MS article states:

In order for non-administrators to be able to use WINEXIT, you must add Set Value and Create Subkey permissions for the group Everyone on the following registry key:
HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini

Many thanks
Jason

Jason210 (Author) commented:
Also, why did you put them in a .cmd file instead of a .bat file?

Jason210 (Author) commented:
HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini

I can't even find a key in there called IniFileMappings...
oBdA commented:
Are you sure you're looking under "Windows NT", and not "Windows"?
Anyway, that would be these two commands (you can copy and paste them into a .bat or .cmd file):
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=S
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=C
S is "Set Value", C is "Create Subkey"

.bat files are batch files that can run in DOS/Win9x as well; .cmd files are batch files that will only be recognized by NT-based OSs. You should use the .cmd extension when using commands that don't exist in DOS; NT will run them in .bat files as well, but it's better practice to use .cmd for NT-specific batch files.
Jason210 (Author) commented:
Thanks oBdA!!

I found the subkeys. I understand the subinacl commands you posted - that makes complete sense.

Now I'm stuck with one last thing. What's the easiest way to deploy these changes on each machine?

If I drop the subinacl.exe file in a share directory on the server, would something like this work if tagged onto the user groups' logon script?

\\servername\sharename\path\subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=S
\\servername\sharename\path\subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=C

It seems a bit untidy to do it this way; after all the machines have had the change made, it would have no effect.


Jason210 (Author) commented:
In summary I need to run a "subinacl dependant" script once on each workstation.
oBdA commented:
Assuming you have an AD domain, you can deploy the script (after it's tested) using a computer startup script (NOT a user logon script).
Just put the script into a share, then enter the UNC path to the script (\\SomeServer\SomeShare\winexitpermissions.cmd) as startup script in a computer GPO linked to the OU where your workstations are.
Jason210 (Author) commented:
Thanks

Everything seems to be working except that the winexit.scr, when copied, doesn't retain its configured settings... and I guess that's because those settings are held in the local registry rather than copied with the file. The "force quit" and "message" were the two things I wanted to configure.

You've posted an .adm script up here before that fixes these settings (amongst other things), last year. I was going to implement this winexit.scr back then, but it was too complicated. Now I'm halfway there I may as well finish the job.
Jason210 (Author) commented:
This is what you posted last time:

====8<----[WinExit.adm]----
CLASS USER

CATEGORY !!AdditionalSettings

 CATEGORY !!Desktop

   CATEGORY !!WinExitScr
     KEYNAME "Control Panel\Screen Saver.Logoff"
     POLICY !!ForceLogoff
       VALUENAME ForceLogoff
       VALUEON "1"
        VALUEOFF "0"
     END POLICY
     POLICY !!CountDownTimer
       PART !!WarningTime TEXT END PART
       PART " " NUMERIC TXTCONVERT REQUIRED
          MIN 0 MAX 900 SPIN 60
         VALUENAME CountDownTimer
         DEFAULT "300"
       END PART
     END POLICY

     POLICY !!DialogMessage
       PART !!Message TEXT END PART
       PART " "
         EDITTEXT
         DEFAULT !!DefaultMessage
         VALUENAME DialogMessage
       END PART
     END POLICY

   END CATEGORY ; !!WinExitScr

 END CATEGORY ; !!Desktop

END CATEGORY ; !!AdditionalSettings

[strings]
Desktop=Desktop
AdditionalSettings=Additional settings
WinExitScr=Settings for WinExit screen saver
ForceLogoff=Force running applications to close
CountDownTimer=Warn before logoff
WarningTime=Seconds to warn before logoff:
DialogMessage=Display message before logoff
Message=Message:
DefaultMessage=You will be logged off. Press cancel to abort.
====8<----[WinExit.adm]----

I'm not pretending to understand that, so here are a few questions. What bits do I change to enable force logoff and simply configure the text message?
Jason210 (Author) commented:
Ok, I put that in a text file and tried renaming it .adm, then tried to add it to the Administrative Templates, but it came up with an error on line 2, error 51, unexpected keyword.

It said:

Found: ====8<----[WinExit.adm]----
Expected: CLASS, CATEGORY, [strings]

So I assume the frilly bit "====8<----[WinExit.adm]----" is not ignored but must be physically removed?
oBdA commented:
That's a template for the GP editor. Save it as WinExit.adm (excluding the two cut lines) in %Systemroot%\inf on your DC. Create a new GPO (or edit an existing one), right-click "Administrative Templates" under User Configuration, choose "Add/Remove templates", and add WinExit.adm.
Right-click "Administrative Templates" again, and uncheck the box "Only show policies that can be fully managed" in the View > Filter menu.
Jason210 (Author) commented:
Ah lol --- I didn't see it before, but the 8< is supposed to be a pair of scissors.

Thanks. You're a superstar!
Jason210 (Author) commented:
Does subinacl.exe need to be present or installed on the local machines too?

Everything works apart from this. At the moment, both subinacl.exe and the script are in a share on the server, as oBdA suggested. But locally, the command subinacl is not recognised, so the script fails.

 
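An added example, not posted by anyone in this thread, of the computer startup script oBdA describes, built around the two grant commands from the answer above. It calls subinacl.exe by its full path in the script's own share folder (so the command resolves on workstations where the tool is not installed), checks that the target key exists under "Windows NT" before touching it, and records a constructed marker value so the grants are applied only once per machine. The share layout and the marker key name are assumptions.

```batch
@echo off
rem Added example (not from the thread): computer startup script that grants
rem Everyone exactly Set Value (S) and Create Subkey (C) on the WinExit key.
rem Assumes subinacl.exe sits next to this script in the share; the marker
rem key below is a constructed name, not something the KB article specifies.
setlocal
set "SUBINACL=%~dp0subinacl.exe"
set "KEY=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini"
set "MARKER=HKLM\Software\WinExitPermissions"

rem Run once per workstation: leave quietly if the marker is already present.
reg query "%MARKER%" /v Applied >nul 2>&1 && exit /b 0

rem Stop if the tool is unreachable (share offline, file missing) or the
rem target key does not exist, e.g. someone is looking under "Windows".
if not exist "%SUBINACL%" exit /b 2
reg query "%KEY%" >nul 2>&1 || exit /b 3

rem Apply the two narrow grants; stop on a nonzero exit code from subinacl.
"%SUBINACL%" /subkeyreg "%KEY%" /grant=Everyone=S || exit /b 4
"%SUBINACL%" /subkeyreg "%KEY%" /grant=Everyone=C || exit /b 4

rem Record that this machine is done so later startups skip the work.
reg add "%MARKER%" /v Applied /t REG_SZ /d "%DATE% %TIME%" /f >nul
endlocal
exit /b 0
```

Because a startup script runs as the local SYSTEM account, it has the rights to change the ACL on HKLM that a logon script running as an ordinary user would lack.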
Jason210 (Author) commented:
Ok, the permissions thing, so I'm posting a continuation:

http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21903973.html

Thanks.