Jason210

Changing Registry Permissions with SubInACL.exe - Part 2

I thought I had this solved but it's not solved:

We have a system with a Windows 2003 server, and about 40 workstations and 100 users. The users use the workstations, and change around a lot. Sometimes they forget to log off. So winexit.scr is going to be the solution to that. Winexit.scr has been deployed, and the appropriate GPs to utilise it have been enabled and configured. There remains the problem registry key permissions issue for each user. Apparently the winexit.scr screen saver only works for administrators.

http://support.microsoft.com/?kbid=156677

I need to go in and change the registry subkey permissions, so it works for users. Manually, this is a no-goer, so I've been trying to do it with subinacl.exe

Firstly, I need to know, does subinacl need to be installed / present on the local machine? If so, where do I need to put it so that it will work with a startup script? Currently, the script and the subinacl.exe file are on a server share.

Secondly, is this syntax ok?

subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=S
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=C

I've tested it with the pause function, and I notice there is a syntax error and a report that "The System cannot find the file specified", although it says under "done" that something has been modified.

Thirdly, what happens if the clients use a Swedish version of Windows? I think that the "everyone" needs to be in the local language, does it not?
oBdA

If they're in the same share, it's fine.
The error is due to a typo in the KB article; the correct path is ...\IniFileMapping\..., without "s" at the end.
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=Everyone=S
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=Everyone=C

If you're using a Swedish version, then you indeed need to replace the Everyone with its Swedish equivalent (whatever that might be ...).
Jason210 (ASKER)

Thanks - so there's still hope then. I'll give it a go tomorrow when I'm back at work. Plan B was to make the changes manually - something I was dreading.

The Swedish equivalent is "Alla" btw.



>If they're in the same share, it's fine

You're 100% sure?

I did a test on a workstation by browsing to the share, that contained both the script and the subinacl.exe, and executed the script by double-clicking on it. I had already put a pause in at the end of the script, to check for errors. You know what? It said that it didn't recognise the command subinacl....

So this is my remaining worry.
ASKER CERTIFIED SOLUTION
oBdA

This solution is only available to members.
>Otherwise you wouldn't have seen the error message.

Yes I would because the word subinacl appears in the text of the script, so it would be as if I had typed it at the command prompt.

Thanks for the %~dp0 tip. I'll try it tomorrow.
Don't forget the quotation marks around the command; there might be spaces in the path.
You can find more about the %~-construction using "help for" in a command window.
Just a quick question.

The managed Group Policies, Screen Saver, Screen Saver Executable Name, Screen Saver Timeout - is it best to put these on computer OUs rather than User OUs?
That won't help you any on the computer OUs -- this is a "User Configuration" setting and will only apply to user objects.
Thanks. And I guess the same applies to the unmanaged policy for winexit configuration, based on the template above? User only?

How does one know which policies can be applied to computers, and which can be applied to users?
Just look at where you find the setting in the GP editor: in Computer Configuration or in User Configuration.
Well, it seems to be half working.

I tested it on a workstation, logging in as a user. After the timeout period, the error message came up, but when I clicked "OK" on the error message dialogue box, the screensaver ran as it should, and was correctly configured, which shows that the .adm file worked. It seems like it's still a permissions issue, that the permissions are still not being set.

I looked in the registry on this machine:

Everyone has been added, and has the permission to create subkeys, but the permission to SET subkeys is not checked, so this part of the subinacl command (/grant=everyone=S) is not being applied for some unknown reason. Perhaps it's language again? Perhaps the S PACE should be something else? I've been through everything with a fine-toothed comb and can't for the life of me see any syntax errors or the like.

Below is a copy of the script I'm running (the word "everyone" has been replaced by the Swedish "alla").

"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=alla=S
"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=alla=C

:if exist "c:\WINDOWS\system32\winexit.scr" goto yes

copy \\aspmal01\Screensaver$\winexit.scr c:\WINDOWS\system32

:yes
OK, I logged the script.

It seems that to apply a PACE, it first deletes whatever is there. It does this and sets the PACE to S

For the second line of the script, it deletes the previous PACE (S) and then applies the new PACE (C).

So we're left with just a C.

This is my reasoning, but this is all new to me so I might be wrong.

I'm looking if there's a way to apply both C and S in one go.
It looks like it can be done in one line with SC:

"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=alla=SC

I need to test - I'll let you know.
Yes, it worked.

The permissions have been correctly set and the users are now being logged off automatically after the timeout.

Thanks a lot oBdA, you've been a tremendous help!
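
The two problems worked through in this thread (the localized name of Everyone, and the second grant replacing the first) can both be avoided by granting through the well-known SID and a single combined rule. The following PowerShell sketch is an added example, not part of the original thread and not a replacement for the subinacl script the participants used; it assumes PowerShell is available on the workstation and that it runs elevated, and the variable names are illustrative.

```powershell
# Added example: run from an elevated PowerShell prompt on the workstation.
# Key path as corrected in the thread (IniFileMapping, no trailing "s").
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini'

# S-1-1-0 is the well-known SID of Everyone on every language version of
# Windows; Translate() returns the localized display name, e.g. "Alla".
$everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$localName = $everyone.Translate([System.Security.Principal.NTAccount]).Value
Write-Output "Everyone is called '$localName' on this machine"

# Set Value (subinacl S) and Create Subkey (subinacl C) in ONE rule, so a
# second grant cannot overwrite the first as happened in the thread.
$rights   = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
$ruleArgs = $everyone, $rights, 'ContainerInherit', 'None', 'Allow'
$rule     = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs

# AddAccessRule merges with existing ACEs for the same identity instead of
# replacing them; ContainerInherit lets subkeys inherit the grant.
$acl = Get-Acl -Path $keyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Read the ACL back with identities as SIDs and confirm both rights landed.
$sidType   = [System.Security.Principal.SecurityIdentifier]
$effective = 0
(Get-Acl -Path $keyPath).GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' -and
                   $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $effective = $effective -bor [int]$_.RegistryRights }

if (($effective -band [int]$rights) -eq [int]$rights) {
    Write-Output 'OK: Everyone has Set Value + Create Subkey'
} else {
    Write-Warning 'Grant incomplete: check the ACL in regedit'
}
```

The rule grants only the two rights discussed in the thread on this one key, which keeps the change to the HKLM ACL as narrow as the screen saver requires.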