Solved

Changing Registry Permissions with SubInACL.exe - Part 2

Posted on 2006-06-29
Last Modified: 2010-05-26
I thought I had this solved but it's not solved:

We have a system with a Windows 2003 server, and about 40 workstations and 100 users. The users use the workstations, and change around a lot. Sometimes they forget to log off. So winexit.scr is going to be the solution to that. Winexit.scr has been deployed, and the appropriate GPs to utilise it have been enabled and configured. There remains the problem registry key permissions issue for each user. Apparently the winexit.scr screen saver only works for administrators.

http://support.microsoft.com/?kbid=156677

I need to go in and change the registry subkey permissions, so it works for users. Manually, this is a no-goer, so I've been trying to do it with subinacl.exe.

Firstly, I need to know, does subinacl need to be installed / present on the local machine? If so, where do I need to put it so that it will work with a startup script? Currently, the script and the subinacl.exe file are on a server share.

Secondly, is this syntax ok?

subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=S
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMappings\Control.ini" /grant=Everyone=C

I've tested it with the pause function, and I notice there is a syntax error and a report that "The System cannot find the file specified", although it says under "done" that something has been modified.

Thirdly, what happens if the clients use a Swedish version of Windows? I think that the "everyone" needs to be in the local language, does it not?
0
Question by:Jason210
15 Comments
 
LVL 85

Expert Comment

by:oBdA
ID: 17012858
If they're in the same share, it's fine.
The error is due to a typo in the KB article; the correct path is ...\IniFileMapping\..., without "s" at the end.
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=Everyone=S
subinacl /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=Everyone=C

If you're using a Swedish version, then you indeed need to replace the Everyone with its Swedish equivalent (whatever that might be ...).
0
 
LVL 11

Author Comment

by:Jason210
ID: 17013606
Thanks - so there's still hope then. I'll give it a go tomorrow when I'm back at work. Plan B was to make the changes manually - something I was dreading.

The Swedish equivalent is "Alla" btw.



0
 
LVL 11

Author Comment

by:Jason210
ID: 17013653
>If they're in the same share, it's fine

You're 100% sure?

I did a test on a workstation by browsing to the share, that contained both the script and the subinacl.exe, and executed the script by double-clicking on it. I had already put a pause in at the end of the script, to check for errors. You know what? It said that it didn't recognise the command subinacl....

So this is my remaining worry.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 500 total points
ID: 17013851
Otherwise you wouldn't have seen the error message.
To be completely sure the script uses the subinacl.exe in the folder it's in, you can use this:
"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=Everyone=S
"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=Everyone=C

%~dp0 will expand to the *d*rive and *p*ath of parameter *0* (the script itself), so this will force the use of subinacl.exe in the script's folder.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17013952
>Otherwise you wouldn't have seen the error message.

Yes I would because the word subinacl appears in the text of the script, so it would be as if I had typed it at the command prompt.

Thanks for the %~dp0 tip. I'll try it tomorrow.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 17014006
Don't forget the quotation marks around the command; there might be spaces in the path.
You can find more about the %~-construction using "help for" in a command window.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17016547
Just a quick question.

The managed Group Policies, Screen Saver, Screen Saver Executable Name, Screen Saver Timeout - is it best to put these on computer OUs rather than User OUs?
0
 
LVL 85

Expert Comment

by:oBdA
ID: 17016626
That won't help you any on the computer OUs -- this is a "User Configuration" setting and will only apply to user objects.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17016783
Thanks. And I guess the same applies to the unmanaged policy for winexit configuration, based on the template above? User only?

How does one know which policies can be applied to computers, and which can be applied to users?
0
 
LVL 85

Expert Comment

by:oBdA
ID: 17016933
Just look at where you find the setting in the GP editor: in Computer Configuration or in User Configuration.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17016968
Well, it seems to be half working.

I tested it on a workstation, logging in as a user. After the timeout period, the error message came up, but when I clicked "OK" on the error message dialogue box, the screensaver ran as it should, and was correctly configured, which shows that the .adm file worked. It seems like it's still a permissions issue, that the permissions are still not being set.

I looked in the registry on this machine:

Everyone has been added, and has the permission to create subkeys, but the permission to SET subkeys is not checked, so this part of the subinacl command (/grant=everyone=S) is not being applied for some unknown reason. Perhaps it's language again? Perhaps the S PACE should be something else? I've been through everything with a fine-toothed comb and can't for the life of me see any syntax errors or the like.

Below is a copy of the script I'm running (the word "everyone" has been replaced by the Swedish "alla").

"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=alla=S
"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=alla=C

:if exist "c:\WINDOWS\system32\winexit.scr" goto yes

copy \\aspmal01\Screensaver$\winexit.scr c:\WINDOWS\system32

:yes
0
 
LVL 11

Author Comment

by:Jason210
ID: 17017055
OK, I logged the script.

It seems that to apply a PACE, it first deletes whatever is there. It does this and sets the PACE to S.

For the second line of the script, it deletes the previous PACE (S) and then applies the new PACE (C).

So we're left with just a C.

This is my reasoning, but this is all new to me so I might be wrong.

0
 
LVL 11

Author Comment

by:Jason210
ID: 17017056
I'm looking if there's a way to apply both C and S in one go.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17017068
It looks like it can be done in one line with SC

"%~dp0subinacl.exe" /subkeyreg "HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini" /grant=alla=SC

I need to test - I'll let you know.
0
 
LVL 11

Author Comment

by:Jason210
ID: 17017234
Yes, it worked.

The permissions have been correctly set and the users are now being logged off automatically after the timeout.

Thanks a lot oBdA, you've been a tremendous help!
0
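
The two findings in this thread (the group name is localized, and two separate /grant calls left only the last right in place) can be handled and checked from PowerShell with the .NET registry ACL classes, addressing the group by its well-known SID instead of its display name. This is an added example, not code from the thread; the function names are hypothetical, and it assumes an elevated PowerShell session on the workstation.

```powershell
# Added example, not from the thread. Run in an elevated session on the workstation.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Control.ini'
# S-1-1-0 is the well-known SID displayed as "Everyone", or "Alla" on Swedish Windows.
$World   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
# SubInACL's S (Set Value) and C (Create SubKey) expressed as one combined mask.
$Wanted  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Hypothetical helper: union of the Allow rights that ACEs for S-1-1-0 give on the key itself.
# Rights a user gets through other groups are not counted.
function Get-WorldAllowRights {
    param([string]$Path = $KeyPath)
    $mask = 0
    # Ask for SIDs rather than names so the match does not depend on the OS language.
    $aces = (Get-Acl -Path $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $aces) {
        $appliesToKey = ([int]$ace.PropagationFlags -band $InheritOnly) -eq 0
        if ($appliesToKey -and $ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $World.Value) {
            $mask = $mask -bor [int]$ace.RegistryRights
        }
    }
    [System.Security.AccessControl.RegistryRights]$mask
}

# Hypothetical helper: grant both rights in a single ACE that subkeys inherit.
function Grant-WorldRights {
    param([string]$Path = $KeyPath)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $World, $Wanted, 'ContainerInherit', 'None', 'Allow')
    # AddAccessRule merges with existing entries. SetAccessRule would replace the
    # SID's existing Allow entries, like the S-then-C result seen in the thread.
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Grant only when something is missing, then report what is in place.
$have = Get-WorldAllowRights
if (([int]$have -band [int]$Wanted) -ne [int]$Wanted) {
    Grant-WorldRights
    $have = Get-WorldAllowRights
}
'{0}: S-1-1-0 has [{1}] on Control.ini' -f $env:COMPUTERNAME, $have
```

The final line gives one report string per machine, which makes it easy to confirm across all workstations that both rights landed on the key.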
