Solved

Changing Registry Permissions with SubInACL.exe - Part 2

Posted on 2006-06-29
Last Modified: 2010-05-26
I thought I had this solved but it's not solved:

We have a system with a Windows 2003 server, and about 40 workstations and 100 users. The users use the workstations, and change around a lot. Sometimes they forget to log off. So winexit.scr is going to be the solution to that. Winexit.scr has been deployed, and the appropriate GPs to utilise it have been enabled and configured. There remains the problem registry key permissions issue for each user. Apparently the winexit.scr screen saver only works for administrators.

http://support.microsoft.com/?kbid=156677

I need to go in and change the registry subkey permissions, so it works for users. Manually, this is a no-goer, so I've been trying to do it with subinacl.exe

Firstly, I need to know, does subinacl need to be installed / present on the local machine? If so where do I need to put it so that it will work with a startup script? Currently, the script and the subinacl.exe file are on a server share.

Secondly, is this syntax ok?

subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=S
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=C

I've tested it with the pause function, and I notice there is a syntax error and a report that "The System cannot find the file specified", although it says under "done" that something has been modified.

Thirdly, what happens if the clients use a Swedish version of Windows? I think that the "everyone" needs to be in the local language, does it not?
0
Question by:Jason210
15 Comments
 
LVL 84

Expert Comment

by:oBdA
ID: 17012858
If they're in the same share, it's fine.
The error is due to a typo in the KB article; the correct path is ...\IniFileMapping\..., without "s" at the end.
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=Everyone=S
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=Everyone=C

If you're using a Swedish version, then you indeed need to replace the Everyone with its Swedish equivalent (whatever that might be ...).
0
 
LVL 11

Author Comment

by:Jason210
ID: 17013606
Thanks - so there's still hope then. I'll give it a go tomorrow when I'm back at work. Plan B was to make the changes manually - something I was dreading.

The Swedish equivalent is "Alla" btw.



0
 
LVL 11

Author Comment

by:Jason210
ID: 17013653
>If they're in the same share, it's fine

You're 100% sure?

I did a test on a workstation by browsing to the share, that contained both the script and the subinacl.exe, and executed the script by double-clicking on it. I had already put a pause in at the end of the script, to check for errors. You know what? It said that it didn't recognise the command subinacl....

So this is my remaining worry.
0

 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 17013851
Otherwise you wouldn't have seen the error message.
To be completely sure the script uses the subinacl.exe in the folder it's in, you can use this:
"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=Everyone=S
"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=Everyone=C

%~dp0 will expand to the *d*rive and *p*ath of parameter *0* (the script itself), so this will force the use of subinacl.exe in the script's folder.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17013952
>Otherwise you wouldn't have seen the error message.

Yes I would because the word subinacl appears in the text of the script, so it would be as if I had typed it at the command prompt.

Thanks for the %~dp0 tip. I'll try it tomorrow.
0
 
LVL 84

Expert Comment

by:oBdA
ID: 17014006
Don't forget the quotation marks around the command; there might be spaces in the path.
You can find more about the %~-construction using "help for" in a command window.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17016547
Just a quick question.

The managed Group Policies, Screen Saver, Screen Saver Executable Name, Screen Saver Timeout - is it best to put these on computer OUs rather than User OUs?
0
 
LVL 84

Expert Comment

by:oBdA
ID: 17016626
That won't help you any on the computer OUs -- this is a "User Configuration" setting and will only apply to user objects.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17016783
Thanks. And I guess the same applies to the unmanaged policy for winexit configuration, based on the template above? User only?

How does one know which policies can be applied to computers, and which can be applied to users?
0
 
LVL 84

Expert Comment

by:oBdA
ID: 17016933
Just look at where you find the setting in the GP editor: in Computer Configuration or in User Configuration.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17016968
Well, it seems to be half working.

I tested it on a workstation, logging in as a user. After the timeout period, the error message came up, but when I clicked "OK" on the error message dialogue box, the screensaver ran as it should, and was correctly configured, which shows that the .adm file worked. It seems like it's still a permissions issue, that the permissions are still not being set.

I looked in the registry on this machine:

Everyone has been added, and has the permission to create subkeys, but, the permission to SET subkeys is not checked, so this part of the subinacl command (/grant=everyone=S) is not being applied for some unknown reason. Perhaps it's language again? Perhaps the S PACE should be something else? I've been through everything with a fine-toothed comb and can't for the life of me see any syntax errors or the like.

Below is a copy of the script I'm running (the word "everyone" has been replaced by the Swedish "alla").

"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=alla=S
"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=alla=C

:if exist "c:\WINDOWS\system32\winexit.scr" goto yes

copy \\aspmal01\Screensaver$\winexit.scr c:\WINDOWS\system32

:yes
0
 
LVL 11

Author Comment

by:Jason210
ID: 17017055
OK, I logged the script.

It seems that to apply a PACE, it first deletes whatever is there. It does this and sets the PACE to S

For the second line of the script, it deletes the previous PACE (S) and then applies the new PACE (C)

So we're left with just a C.

This is my reasoning, but this is all new to me so I might be wrong.

0
 
LVL 11

Author Comment

by:Jason210
ID: 17017056
I'm looking if there's a way to apply both C and S in one go.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17017068
It looks like it can be done in one line with SC

"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=alla=SC

I need to test - I'll let you know.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17017234
Yes, it worked.

The permissions have been correctly set and the users are now being logged off automatically after the timeout.

Thanks a lot oBdA, you've been a tremendous help!
0
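
An added example, not part of the original thread and not SubInACL itself: a PowerShell sketch that grants the same two rights in a single ACE, addresses the group by its well-known SID (S-1-1-0) so the script does not depend on the localized name ("Everyone" / "Alla"), and then reads the ACL back to confirm both rights are present. The ContainerInherit flag is an assumption standing in for the subkey coverage of /subkeyreg; run it elevated.

```powershell
# Added example (not from the thread). Key path as corrected in the accepted answer.
$keyPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini'

# S-1-1-0 is the well-known SID for Everyone; it is identical on every language version.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
# Translate() shows the localized display name for the log (e.g. "Alla" per the thread).
$displayName = $everyone.Translate([System.Security.Principal.NTAccount]).Value

# Both rights go into ONE rule, so neither can displace the other.
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # assumption: cover subkeys
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Open the key with only the access needed to read and rewrite its DACL.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    $keyPath,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
if ($null -eq $key) { throw "Key not found: HKLM\$keyPath" }

try {
    $acl = $key.GetAccessControl()
    $acl.AddAccessRule($rule)      # merges with any existing Allow ACE for the same SID
    $key.SetAccessControl($acl)

    # Read the DACL back and OR together every explicit Allow right held by S-1-1-0.
    $granted = 0
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $key.GetAccessControl().GetAccessRules($true, $false, $sidType)) {
        if ($ace.IdentityReference.Value -eq 'S-1-1-0' -and
            $ace.AccessControlType -eq 'Allow') {
            $granted = $granted -bor [int]$ace.RegistryRights
        }
    }

    if (($granted -band [int]$rights) -eq [int]$rights) {
        Write-Output "OK: $displayName has SetValue and CreateSubKey on HKLM\$keyPath"
    } else {
        Write-Output "FAIL: $displayName is missing rights (mask found: $granted)"
        exit 1
    }
}
finally {
    $key.Close()
}
```

The read-back step is the part a startup script benefits from most: it turns the "half working" state described above (C present, S missing) into an explicit failure instead of something found later in the registry editor.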
