Changing Registry Permissions with SubInACL.exe

Posted on 2006-06-29
Last Modified: 2009-05-05
Apparently the winexit.scr screen saver doesn't work for users.

http://support.microsoft.com/?kbid=156677

I need to go in and change the registry key permissions.

Manually, this is a no-goer, but I could run a special one-time-only script to do it. Apparently, I need to use some software called SubInACL.exe.

Can anyone please provide some simple instructions as to how I might write this script?

Thanks

Question by:Jason210

Expert Comment

by:grsteed
ID: 17009272
Try this

1. Download and install subinacl from:

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

2. Create a file named reset.cmd in the C:\Program Files\Windows Resource Kits\Tools folder.

3. Edit the reset.cmd file with the following content.

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f

4. Enter into CMD prompt.

5. Enter the following commands one at a time and press Enter.

cd\
cd "C:\Program Files\Windows Resource Kits\Tools"
reset.cmd

6. After a few minutes of processing by subinacl, please test the problem again.

Cheers,

Gary

Author Comment

by:Jason210
ID: 17009426
Thanks Gary.

This is all new stuff to me - and before I try or test anything I need to fully understand it first.

I'll just explain the system. We have a system with a Windows 2003 server, and about 40 workstations and 100 users. The users use the workstations, and change around a lot. Sometimes they forget to log off. So winexit.scr is going to be the solution to that. Winexit.scr has been deployed, and the appropriate GPs to utilise it have been enabled and configured. There remains the registry key permissions issue for each user.

Can you explain what this reset.cmd file is doing and where it should be executed (on each workstation)? I'm not very good with the registry. This appears to be granting full rights to administrators and system, but those levels should already have those rights anyway. I just don't see how it would help, since it's non-administrators who must have access. The MS article states:

In order for non-administrators to be able to use WINEXIT, you must add Set Value and Create Subkey permissions for the group Everyone on the following registry key:
HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini

Many thanks
Jason


Author Comment

by:Jason210
ID: 17009499
Also, why did you put them in a .cmd file instead of a .bat file?


Author Comment

by:Jason210
ID: 17009685
HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini

I can't even find a key in there called IniFileMappings...

Accepted Solution

by:oBdA (earned 500 total points)
ID: 17009770
Are you sure you're looking under "Windows NT", and not "Windows"?
Anyway, that would be these two commands (you can copy and paste them into a .bat or .cmd file):
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=S
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=C
S is "Set Value", C is "Create Subkey"

.bat are batch files that can run in DOS/Win9x as well; .cmd are batch files that will only be recognized by NT based OSs. You should use the .cmd extension when using commands that don't exist in DOS; NT will run them in .bat files as well, though, but it's better practice to use .cmd for NT specific batch files.

Author Comment

by:Jason210
ID: 17009992
Thanks oBdA!!

I found the subkeys. I understand the subinacl commands you posted - that makes complete sense.

Now I'm stuck with one last thing. What is the easiest way to deploy these changes on each machine?

If I drop the subinacl.exe file in a share directory on the server, would something like this work if tagged on to the user groups' logon script?

\\servername\sharename\path\subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=S
\\servername\sharename\path\subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=C

It seems a bit untidy to do it this way: after all the machines have had the change made, it would have no effect.



Author Comment

by:Jason210
ID: 17010058
In summary I need to run a "subinacl dependant" script once on each workstation.

Expert Comment

by:oBdA
ID: 17010116
Assuming you have an AD domain, you can deploy the script (after it's tested) using a computer startup script (NOT a user logon script).
Just put the script into a share, then enter the UNC path to the script (\\SomeServer\SomeShare\winexitpermissions.cmd) as startup script in a computer GPO linked to the OU where your workstations are.

Author Comment

by:Jason210
ID: 17010878
Thanks

Everything seems to be working except that the winexit.scr, when copied, doesn't retain its configured settings...and I guess that's because those settings are held in the local registry rather than copied with the file. The "force quit" and "message" were the two things I wanted to configure.

You've posted an adm script up here before that fixes these settings (amongst other things), last year. I was going to implement this winexit.scr back then, but it was too complicated. Now I'm halfway there I may as well finish the job.

Author Comment

by:Jason210
ID: 17010931
This is what you posted last time:

====8<----[WinExit.adm]----
CLASS USER

CATEGORY !!AdditionalSettings

  CATEGORY !!Desktop

    CATEGORY !!WinExitScr
      KEYNAME "Control Panel\Screen Saver.Logoff"
      POLICY !!ForceLogoff
        VALUENAME ForceLogoff
        VALUEON "1"
        VALUEOFF "0"
      END POLICY
      POLICY !!CountDownTimer
        PART !!WarningTime TEXT END PART
        PART " " NUMERIC TXTCONVERT REQUIRED
          MIN 0 MAX 900 SPIN 60
          VALUENAME CountDownTimer
          DEFAULT "300"
        END PART
      END POLICY

      POLICY !!DialogMessage
        PART !!Message TEXT END PART
        PART " "
          EDITTEXT
          DEFAULT !!DefaultMessage
          VALUENAME DialogMessage
        END PART
      END POLICY

    END CATEGORY ; !!WinExitScr

  END CATEGORY ; !!Desktop

END CATEGORY ; !!AdditionalSettings

[strings]
Desktop=Desktop
AdditionalSettings=Additional settings
WinExitScr=Settings for WinExit screen saver
ForceLogoff=Force running applications to close
CountDownTimer=Warn before logoff
WarningTime=Seconds to warn before logoff:
DialogMessage=Display message before logoff
Message=Message:
DefaultMessage=You will be logged off. Press cancel to abort.
====8<----[WinExit.adm]----

I'm not pretending to understand that, so here are a few questions. What bits do I change to enable force log off and a simple configure the text message?

Author Comment

by:Jason210
ID: 17011069
Ok, I put that in a text file and renamed it .adm, then tried to add it to the Administrative Templates, but it came up with an error on line 2, error 51, unexpected keyword.

It said:

Found: ====8<----[WinExit.adm]----
Expected: CLASS, CATEGORY, [strings]

So I assume the frilly bit "====8<----[WinExit.adm]----" is not ignored but must be physically removed?

Assisted Solution

by:oBdA (earned 500 total points)
ID: 17011095
That's a template for the GP editor. Save it as WinExit.adm (excluding the two cut lines) in %Systemroot%\inf on your DC. Create a new GPO (or edit an existing one), right-click "Administrative Templates" under User Configuration, choose "Add/Remove templates", and add WinExit.adm.
Right-click "Administrative Templates" again, and uncheck the box "Only show policies that can be fully managed" in the View > Filter menu.

Author Comment

by:Jason210
ID: 17011158
Ah lol --- I didn't see it before, but the 8< is supposed to be a pair of scissors.

Thanks. You're a superstar!

Author Comment

by:Jason210
ID: 17012174
Does subinacl.exe need to be present or installed on the local machines too?

Everything works apart from this. At the moment, both subinacl.exe and the script are in a share on the server, as oBdA suggested. But locally, the command subinacl is not recognised, so the script fails.

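Pulling together the two subinacl lines from the accepted solution, oBdA's suggestion to deploy them as a computer startup script, and the problem in the comment above (subinacl is not on the workstations, so a bare "subinacl" is not recognised there), here is an added example of what such a WinExitPermissions.cmd could look like. This is the editor's example, not a script posted by oBdA or Jason210. It calls subinacl.exe by its full UNC path, grants only the two rights the KB article asks for and only on that one key, records the resulting ACL in a log for auditing, and writes a marker value so the work is done once per machine. The share path \\servername\sharename\tools, the marker key HKLM\SOFTWARE\WinExitFix, the log file location, and the assumption that subinacl sets a non-zero errorlevel when it cannot open or modify the key are all assumptions and not taken from the thread.

```batch
@echo off
rem WinExitPermissions.cmd - computer startup script, runs as LocalSystem at boot.
rem Editor's example for this thread, not code posted by oBdA or Jason210.
rem ASSUMPTIONS (not from the thread): the share path, the marker key, the log
rem path, and that subinacl.exe returns a non-zero errorlevel on failure.
setlocal

set "TOOLS=\\servername\sharename\tools"
set "KEY=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini"
set "MARKER=HKLM\SOFTWARE\WinExitFix"
set "LOG=%SystemRoot%\Temp\WinExitPermissions.log"

rem Run once per machine: if the marker value is already there, do nothing
rem (errorlevel 0 from "reg query" means the value was found).
reg query "%MARKER%" /v Applied >nul 2>&1
if not errorlevel 1 goto :eof

rem subinacl is not installed on the workstations, so call it by full UNC path.
if not exist "%TOOLS%\subinacl.exe" (
    >>"%LOG%" echo %DATE% %TIME% subinacl.exe not found at %TOOLS%
    goto :eof
)

rem Grant exactly what KB 156677 requires, on this key only:
rem S = Set Value, C = Create Subkey. No Full Control, no recursion over HKLM.
"%TOOLS%\subinacl.exe" /subkeyreg "%KEY%" /grant=Everyone=S >>"%LOG%" 2>&1
if errorlevel 1 goto :failed
"%TOOLS%\subinacl.exe" /subkeyreg "%KEY%" /grant=Everyone=C >>"%LOG%" 2>&1
if errorlevel 1 goto :failed

rem Record the resulting ACL so the change can be audited later from the log.
"%TOOLS%\subinacl.exe" /keyreg "%KEY%" /display >>"%LOG%" 2>&1

rem Write the marker so later boots skip the share entirely.
reg add "%MARKER%" /v Applied /t REG_SZ /d "%DATE% %TIME%" /f >nul
>>"%LOG%" echo %DATE% %TIME% WinExit permissions applied
goto :eof

:failed
rem Redirection is placed first so a numeric errorlevel is never parsed as a handle.
>>"%LOG%" echo %DATE% %TIME% subinacl failed, errorlevel %ERRORLEVEL%
endlocal
```

Point a computer GPO's startup script at the UNC path of this file, as oBdA describes. Two permission points matter: startup scripts run under the machine account, so the share and its NTFS permissions must allow read for the computer accounts (Domain Computers or Authenticated Users), and because LocalSystem on every workstation executes whatever is in that share, write access to it should be limited to the administrators who maintain it. Note also that the script deliberately widens only this one HKLM key for Everyone, which is the scope the KB article requires, rather than the recursive Full Control grants over HKLM and %SystemDrive% proposed earlier in the thread.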

Author Comment

by:Jason210
ID: 17012681
Ok, the permissions thing, so I'm posting a continuation:

http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21903973.html

Thanks.