Solved

Help with AD Login script

Posted on 2008-06-20
Last Modified: 2010-04-21
I'm having a little trouble getting a login script working.  What I need to do is allow read/write access to the following Touchstar registry key and its child keys

[HKEY_LOCAL_MACHINE\SOFTWARE\TRG\TSAgent]

Do any of you guys have a script or software that will allow this?  Here is my current login script that I'm working off.


;Maps E: to Proteldata share for Pinnacle

net use e: \\ordentry\pi-2000

;Sets user desktop to default values upon login
rmdir /s /q "%userprofile%\desktop"

mkdir "%userprofile%\desktop"

;Runs batch job to clear Pinnacle cache directory
\\ansa_nas\admin\it\dave\util\lsrunas /user:batch_run /password:xxxxxxxxx /domain:abc123.local /command:\\192.168.25.42\admin\it\dave\util\Del_cache.bat /runpath:c:\

;Add read/write permissions to registry key for Touchstar users  (part of the script that keeps failing)
cd "D:\Program Files\Support Tools"

setacl -on "hklm\software\microsoft\" -ot reg -actn ace -ace n:%computername%\everyone;p:full

;Copies folder to users desktop with utilities needed to take calls
xcopy \\192.168.25.42\admin\Pinnacle_Inbound "%userprofile%\desktop\Pinnacle_Inbound" /I /Y

;Pause is included for testing.  It will be removed once the login script is finalized
pause
0
Question by:DGCREST
4 Comments
 
LVL 13

Accepted Solution

by: TheCapedPlodder earned 500 total points
The only way I know of how to do this is using regini from the Windows Server Support Tools.

You would place regini.exe in a suitable location accessible to all machines (e.g. Netlogon).

You would then create a text file with the reg key in and the necessary ACL, e.g.:

\Registry\hive\key [permissions]

The permissions can be as follows:

1  - Administrators Full Access
2  - Administrators Read Access
3  - Administrators Read and Write Access
4  - Administrators Read, Write and Delete Access
5  - Creator Full Access
6  - Creator Read and Write Access
7  - World Full Access
8  - World Read Access
9  - World Read and Write Access
10 - World Read, Write and Delete Access
11 - Power Users Full Access
12 - Power Users Read and Write Access
13 - Power Users Read, Write and Delete Access
14 - System Operators Full Access
15 - System Operators Read and Write Access
16 - System Operators Read, Write and Delete Access
17 - System Full Access
18 - System Read and Write Access
19 - System Read Access
20 - Administrators Read, Write and Execute Access
21 - Interactive User Full Access
22 - Interactive User Read and Write Access
23 - Interactive User Read, Write and Delete Access

Once you have your text file you would run:

regini textfilename.txt

Full syntax is available from regini.exe /?

Also see the following MS article:

http://support.microsoft.com/kb/245031

Cheers,

TCP
0
 
LVL 2

Expert Comment

by:cagada
You can use subinacl.exe
(http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en)

The syntax can be a bit confusing - but you can use the following /KEYREG and /SUBKEYREG as the object type and the actions can be /grant /deny.

Use 'subinacl.exe /help /full' to get all the documentation.  You may need to dump that into a text file ' >sub.txt'

0
 

Author Closing Comment

by:DGCREST
Thanks, I will give this a try. It looks like it will resolve my issue. I will let you know my results.
Thx
0
 
LVL 2

Expert Comment

by:cagada
In reading further into your question, you will probably have difficulties running this in a user login script.  A user will need to have permissions to apply the permissions.  So, if the user already has permissions...

You can run this as a computer startup script where it runs as local system.  But better yet, if you have Active Directory, you can use Group Policy to set permissions on registry keys.
\Computer Configuration\Windows Settings\Security Settings\Registry

Using group policy - you can probably save some time.
0
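
Added example (not part of the original thread or any poster's code): a PowerShell computer startup script, run as Local System as the last comment suggests, that grants read/write only on the TSAgent key and its child keys instead of full control for Everyone. Assumptions: `BUILTIN\Users` stands in for the Touchstar users group, and PowerShell is available on the workstations.

```powershell
# Added example: deploy as a computer startup script (runs as Local System),
# not as a user logon script, so the caller is allowed to change the ACL.
$KeyPath  = 'HKLM:\SOFTWARE\TRG\TSAgent'   # key named in the question
$Identity = 'BUILTIN\Users'                # assumption: replace with the Touchstar users group

# Read/write only: no Delete, ChangePermissions or TakeOwnership.
$Rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'

if (-not (Test-Path -Path $KeyPath)) {
    Write-Error "Key $KeyPath not found; nothing changed."
    exit 1
}

$account = New-Object System.Security.Principal.NTAccount($Identity)
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $account,
    $Rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # flow to child keys
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# SetAccessRule replaces any existing Allow entry for this identity,
# so re-running the script at every boot does not pile up duplicate ACEs.
$acl = Get-Acl -Path $KeyPath
$acl.SetAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Verify: re-read the ACL and confirm an explicit Allow ACE carries the rights.
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
$sidType = [System.Security.Principal.SecurityIdentifier]
$granted = (Get-Acl -Path $KeyPath).GetAccessRules($true, $false, $sidType) |
    Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights -band [int]$Rights) -eq [int]$Rights)
    }

if ($granted) {
    Write-Output "OK: $Identity has read/write on $KeyPath and its child keys."
} else {
    Write-Error "ACL on $KeyPath was not updated as expected."
    exit 1
}
```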
