Solved

Changing Registry Permissions with SubInACL.exe - Part 2

Posted on 2006-06-29
Last Modified: 2010-05-26
I thought I had this solved but it's not solved:

We have a system with a Windows 2003 server, and about 40 workstations and 100 users. The users use the workstations, and change around a lot. Sometimes they forget to log off. So winexit.scr is going to be the solution to that. Winexit.scr has been deployed, and the appropriate GPs to utilise it have been enabled and configured. There remains the problem registry key permissions issue for each user. Apparently the winexit.scr screen saver only works for administrators.

http://support.microsoft.com/?kbid=156677

I need to go in and change the registry subkey permissions, so it works for users. Manually, this is a no-goer, so I've been trying to do it with subinacl.exe

Firstly, I need to know, does subinacl need to be installed / present on the local machine? If so where do I need to put it so that it will work with a startup script? Currently, the script and the subinacl.exe file are on a server share.

Secondly, is this syntax ok?

subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=S
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=C

I've tested it with the pause function, and I notice there is a syntax error and a report that "The System cannot find the file specified", although it says under "done" that something has been modified.

Thirdly, what happens if the clients use a Swedish version of Windows? I think that the "everyone" needs to be in the local language, does it not?
0
Question by:Jason210
15 Comments
 
LVL 83

Expert Comment

by:oBdA
ID: 17012858
If they're in the same share, it's fine.
The error is due to a typo in the KB article; the correct path is ...\IniFileMapping\..., without "s" at the end.
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=Everyone=S
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=Everyone=C

If you're using a Swedish version, then you indeed need to replace the Everyone with its Swedish equivalent (whatever that might be ...).
0
 
LVL 11

Author Comment

by:Jason210
ID: 17013606
Thanks - so there's still hope then. I'll give it a go tomorrow when I'm back at work. Plan B was to make the changes manually - something I was dreading.

The Swedish equivalent is "Alla" btw.



0
 
LVL 11

Author Comment

by:Jason210
ID: 17013653
>If they're in the same share, it's fine

You're 100% sure?

I did a test on a workstation by browsing to the share, that contained both the script and the subinacl.exe, and executed the script by double-clicking on it. I had already put a pause in at the end of the script, to check for errors. You know what? It said that it didn't recognise the command subinacl....

So this is my remaining worry.
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 17013851
Otherwise you wouldn't have seen the error message.
To be completely sure the script uses the subinacl.exe in the folder it's in, you can use this:
"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=Everyone=S
"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=Everyone=C

%~dp0 will expand to the *d*rive and *p*ath of parameter *0* (the script itself), so this will force the use of subinacl.exe in the script's folder.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17013952
>Otherwise you wouldn't have seen the error message.

Yes I would because the word subinacl appears in the text of the script, so it would be as if I had typed it at the command prompt.

Thanks for the %~dp0 tip. I'll try it tomorrow.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 17014006
Don't forget the quotation marks around the command; there might be spaces in the path.
You can find more about the %~-construction using "help for" in a command window.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17016547
Just a quick question.

The managed Group Policies, Screen Saver, Screen Saver Executable Name, Screen Saver Timeout - is it best to put these on computer OUs rather than User OUs?
0

 
LVL 83

Expert Comment

by:oBdA
ID: 17016626
That won't help you any on the computer OUs -- this is a "User Configuration" setting and will only apply to user objects.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17016783
Thanks. And I guess the same applies to the unmanaged policy for winexit configuration, based on the template above? User only?

How does one know which policies can be applied to computers, and which can be applied to users?
0
 
LVL 83

Expert Comment

by:oBdA
ID: 17016933
Just look at where you find the setting in the GP editor: in Computer Configuration or in User Configuration.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17016968
Well, it seems to be half working.

I tested it on a workstation, logging in as a user. After the timeout period, the error message came up, but when I clicked "OK" on the error message dialogue box, the screensaver ran as it should, and was correctly configured, which shows that the .adm file worked. It seems like it's still a permissions issue, that the permissions are still not being set.

I looked in the registry on this machine:

Everyone has been added, and has the permission to create subkeys, but, the permission to SET subkeys is not checked, so this part of the subinacl command (/grant=everyone=S) is not being applied for some unknown reason. Perhaps it's language again? Perhaps the S PACE should be something else? I've been through everything with a fine toothed comb and can't for the life of me see any syntax errors or the like.

Below is a copy of the script I'm running (the word "everyone" has been replaced by the Swedish "alla").

"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=alla=S
"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=alla=C

:if exist "c:\WINDOWS\system32\winexit.scr" goto yes

copy \\aspmal01\Screensaver$\winexit.scr c:\WINDOWS\system32

:yes
0
 
LVL 11

Author Comment

by:Jason210
ID: 17017055
OK, I logged the script.

It seems that to apply a PACE, it first deletes whatever is there. It does this and sets the PACE to S

For the second line of the script, it deletes the previous PACE (S) and then applies the new PACE (C)

So we're left with just a C.

This is my reasoning, but this is all new to me so I might be wrong.

0
 
LVL 11

Author Comment

by:Jason210
ID: 17017056
I'm looking if there's a way to apply both C and S in one go.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17017068
It looks like it can be done in one line with SC

"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=alla=SC

I need to test - I'll let you know.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17017234
Yes, it worked.

The permissions have been correctly set and the users are now being logged off automatically after the timeout.

Thanks a lot oBdA, you've been a tremendous help!
0
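
A way to confirm the result reached in this thread, as an added example that is not part of the original posts: the check below reads the key's ACL and reports whether Everyone holds both rights (subinacl S = Set Value, C = Create Subkey), which catches the case where the second grant replaced the first. It assumes Windows PowerShell is available on the workstation, looks the group up by its well-known SID S-1-1-0 so it behaves the same on English and Swedish installs, and the function name Test-ControlIniAcl is hypothetical.

```powershell
# Added example: audit the ACL that the thread's subinacl command is meant to set.
# Assumption: Windows PowerShell is installed (it is not mentioned in the thread).

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini'

# Well-known SID of the Everyone group. It is the same on every language
# version, unlike the display name ("Everyone", "Alla", ...).
$EveryoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# Rights the thread grants: Set Value (S) and Create Subkey (C).
$Required = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
            [int][System.Security.AccessControl.RegistryRights]::CreateSubKey

function Test-ControlIniAcl {
    param([string]$Path = $KeyPath)

    $acl = Get-Acl -Path $Path
    # Request rules keyed by SID so the comparison does not depend on locale.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    # Accumulate every Allow right held by Everyone (explicit or inherited).
    [int]$granted = 0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $EveryoneSid.Value -and
            $rule.AccessControlType -eq 'Allow') {
            $granted = $granted -bor [int]$rule.RegistryRights
        }
    }

    # Bits that are required but not granted, e.g. SetValue when only C was left.
    $missing = $Required -band (-bnot $granted)
    $missingText = 'none'
    if ($missing -ne 0) {
        $missingText = ([System.Security.AccessControl.RegistryRights]$missing).ToString()
    }

    [pscustomobject]@{
        Key           = $Path
        LocalizedName = $EveryoneSid.Translate([System.Security.Principal.NTAccount]).Value
        MissingRights = $missingText
        Compliant     = ($missing -eq 0)
    }
}

Test-ControlIniAcl
```

The LocalizedName field shows the group name to use with /grant= on that machine, and MissingRights names whichever of the two rights did not survive.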
