Jason210
asked on
Changing Registry Permissions with SubInACL.exe
Apparently the winexit.scr screen saver doesn't work for users.
http://support.microsoft.com/?kbid=156677
I need to go in and change the registry key permissions.
Manually, this is a no-goer, but I could run a special one-time only script to do it. Apparently, I need to use some software called SubInACL.exe
Can anyone please provide some simple instructions as to how I might write this script?
Thanks
ASKER
Thanks Gary.
This is all new stuff to me - and before I try or test anything I need to fully understand it first.
I'll just explain the system. We have a system with a Windows 2003 server, and about 40 workstations and 100 users. The users use the workstations, and change around a lot. Sometimes they forget to log off. So winexit.scr is going to be the solution to that. Winexit.scr has been deployed, and the appropriate GPs to utilise it have been enabled and configured. There remains the problem registry key permissions issue for each user.
Can you explain what this reset.cmd file is doing, and where it should be executed (on each workstation?) I'm not very good with the registry. This appears to be granting full rights to administrators and system, but those levels should already have those rights anyway. I just don't see how it would help, since it's non-administrators who must have access. The MS article states:
In order for non-administrators to be able to use WINEXIT, you must add Set Value and Create Subkey permissions for the group Everyone on the following registry key:
HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini
Many thanks
Jason
ASKER
Also, why did you put them in a .cmd file instead of a .bat file?
ASKER
HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini
I can't even find a key in there called IniFileMappings...
ASKER
Thanks oBdA!!
I found the subkeys. I understand the subinacl commands you posted - that makes complete sense.
Now I'm stuck with one last thing. What's the easiest way to deploy these changes on each machine?
If I drop the subinacl.exe file in a share directory on the server, would something like this work if tagged on to the user groups' logon script?
\\servername\sharename\path\subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=S
\\servername\sharename\path\subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=C
It seems a bit untidy to do it this way; after all the machines have had the change made, it would have no effect.
ASKER
In summary, I need to run a "subinacl dependent" script once on each workstation.
Assuming you have an AD domain, you can deploy the script (after it's tested) using a computer startup script (NOT a user logon script).
Just put the script into a share, then enter the UNC path to the script (\\SomeServer\SomeShare\winexitpermissions.cmd) as startup script in a computer GPO linked to the OU where your workstations are.
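A run-once computer startup script of the kind described above, as an added example that is not part of the original thread: it calls subinacl.exe by full path from the script's own share folder (`%~dp0`), so the tool does not have to be on the workstation's PATH, and it writes a marker file so later boots skip the change. The marker file name and the share layout are assumptions. The key is spelled IniFileMapping, its name on a stock Windows install, where the thread writes "IniFileMappings".

```batch
@echo off
rem winexitpermissions.cmd - computer startup script (runs as LocalSystem).
rem Assumption: subinacl.exe sits in the same share folder as this script,
rem and the share is readable by the workstations' computer accounts.
setlocal

rem %~dp0 expands to the folder this script was started from, UNC paths included.
set "SUBINACL=%~dp0subinacl.exe"

rem Thread spelling is "IniFileMappings"; the stock key is IniFileMapping.
set "KEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini"

rem Hypothetical marker file: its presence means this workstation is done.
set "MARKER=%SystemRoot%\winexitpermissions.done"

rem Run once per workstation; later boots exit here.
if exist "%MARKER%" goto :eof

rem Fail early (and retry at next boot) if the share copy is unreachable.
if not exist "%SUBINACL%" exit /b 1

rem The two grants from the thread: S = Set Value, C = Create Subkey.
"%SUBINACL%" /subkeyreg "%KEY%" /grant=Everyone=S
rem Stop without writing the marker if subinacl returns a non-zero exit code.
if errorlevel 1 exit /b 1

"%SUBINACL%" /subkeyreg "%KEY%" /grant=Everyone=C
if errorlevel 1 exit /b 1

rem Record completion so the grants are not reapplied on every startup.
> "%MARKER%" echo %DATE% %TIME%
endlocal
```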
ASKER
Thanks
Everything seems to be working except that the winexit.scr, when copied, doesn't retain its configured settings...and I guess that's because those settings are held in the local registry rather than copied with the file. The "force quit" and "message" were the two things I wanted to configure.
You've posted an adm script up here before that fixes these settings (amongst other things), last year. I was going to implement this winexit.scr back then, but it was too complicated. Now I'm halfway there I may as well finish the job.
ASKER
This is what you posted last time:
====8<----[WinExit.adm]----
CLASS USER
CATEGORY !!AdditionalSettings
CATEGORY !!Desktop
CATEGORY !!WinExitScr
KEYNAME "Control Panel\Screen Saver.Logoff"
POLICY !!ForceLogoff
VALUENAME ForceLogoff
VALUEON "1"
VALUEOFF "0"
END POLICY
POLICY !!CountDownTimer
PART !!WarningTime TEXT END PART
PART " " NUMERIC TXTCONVERT REQUIRED
MIN 0 MAX 900 SPIN 60
VALUENAME CountDownTimer
DEFAULT "300"
END PART
END POLICY
POLICY !!DialogMessage
PART !!Message TEXT END PART
PART " "
EDITTEXT
DEFAULT !!DefaultMessage
VALUENAME DialogMessage
END PART
END POLICY
END CATEGORY ; !!WinExitScr
END CATEGORY ; !!Desktop
END CATEGORY ; !!AdditionalSettings
[strings]
Desktop=Desktop
AdditionalSettings=Additional settings
WinExitScr=Settings for WinExit screen saver
ForceLogoff=Force running applications to close
CountDownTimer=Warn before logoff
WarningTime=Seconds to warn before logoff:
DialogMessage=Display message before logoff
Message=Message:
DefaultMessage=You will be logged off. Press cancel to abort.
====8<----[WinExit.adm]----
I'm not pretending to understand that, so here are a few questions. What bits do I change to enable force log off and simply configure the text message?
ASKER
Ok, I put that in a text file and renamed it .adm, then tried to add it to the Administrative Templates, but it came up with an error on line 2, error 51, unexpected keyword.
It said:
Found: ====8<----[WinExit.adm]----
Expected: CLASS, CATEGORY, [strings]
So I assume the frilly bit "====8<----[WinExit.adm]----" is not ignored but must be physically removed?
ASKER
Ah lol --- I didn't see it before, but the 8< is supposed to be a pair of scissors.
Thanks. You're a superstar!
ASKER
Does subinacl.exe need to be present or installed on the local machines too?
Everything works apart from this. At the moment, both subinacl.exe and the script are in a share on the server, as oBdA suggested. But locally, the command subinacl is not recognised, so the script fails.
ASKER
Ok, the permissions thing, so I'm posting a continuation:
https://www.experts-exchange.com/questions/21903973/Changing-Registry-Permissions-with-SubInACL-exe-Part-2.html
Thanks.
1. Download and install subinacl from:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en
2. Create a file named reset.cmd in C:\Program Files\Windows Resource Kits\Tools folder.
3. Edit the reset.cmd file with the following content.
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f
4. Enter into CMD prompt.
5. Enter the following commands one at a time and click Enter.
cd\
cd "C:\Program Files\Windows Resource Kits\Tools"
reset.cmd
6. After a few minutes of processing by subinacl, please test the problem again.
Cheers,
Gary