Solved

Help with AD Login script

Posted on 2008-06-20
Last Modified: 2010-04-21
I'm having a little trouble getting a login script working.  What I need to do is allow read/write access to the following Touchstar registry key and its child keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\TRG\TSAgent]

Do any of you guys have a script or software that will allow this?  Here is my current login script that I'm working off.


;Maps E: to Proteldata share for Pinnacle

net use e: \\ordentry\pi-2000

;Sets user desktop to default values upon login
rmdir /s /q "%userprofile%\desktop"

mkdir "%userprofile%\desktop"

;Runs batch job to clear Pinnacle cache directory
\\ansa_nas\admin\it\dave\util\lsrunas /user:batch_run /password:xxxxxxxxx /domain:abc123.local /command:\\192.168.25.42\admin\it\dave\util\Del_cache.bat /runpath:c:\

;Add read/write permissions to registry key for Touchstar users  (part of the script that keeps failing)
cd "D:\Program Files\Support Tools"

setacl -on "hklm\software\microsoft\" -ot reg -actn ace -ace n:%computername%\everyone;p:full

;Copies folder to user's desktop with utilities needed to take calls
xcopy \\192.168.25.42\admin\Pinnacle_Inbound "%userprofile%\desktop\Pinnacle_Inbound" /I /Y

;Pause is included for testing.  It will be removed once the login script is finalized
pause
Question by:DGCREST

Accepted Solution

by:
TheCapedPlodder earned 2000 total points
ID: 21832188
The only way I know of how to do this is using regini from the Windows Server Support Tools.

You would place regini.exe in a suitable location accessible to all machines (e.g. Netlogon).

You would then create a text file with the reg key in and the necessary ACL, e.g.:

\Registry\hive\key [permissions]

The permissions can be as follows:

1  - Administrators Full Access
2  - Administrators Read Access
3  - Administrators Read and Write Access
4  - Administrators Read, Write and Delete Access
5  - Creator Full Access
6  - Creator Read and Write Access
7  - World Full Access
8  - World Read Access
9  - World Read and Write Access
10 - World Read, Write and Delete Access
11 - Power Users Full Access
12 - Power Users Read and Write Access
13 - Power Users Read, Write and Delete Access
14 - System Operators Full Access
15 - System Operators Read and Write Access
16 - System Operators Read, Write and Delete Access
17 - System Full Access
18 - System Read and Write Access
19 - System Read Access
20 - Administrators Read, Write and Execute Access
21 - Interactive User Full Access
22 - Interactive User Read and Write Access
23 - Interactive User Read, Write and Delete Access

Once you have your text file you would run:

regini textfilename.txt

Full syntax is available from regini.exe /?

Also see the following MS article:

http://support.microsoft.com/kb/245031

Cheers,

TCP

Expert Comment

by:cagada
ID: 21832431
You can use subinacl.exe
(http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en)

The syntax can be a bit confusing - but you can use the following /KEYREG and /SUBKEYREG as the object type and the actions can be /grant /deny.

Use 'subinacl.exe /help /full' to get all the documentation.  You may need to dump that into a text file ' >sub.txt'


Author Closing Comment

by:DGCREST
ID: 31469138
Thanks, I will give this a try. It looks like it will resolve my issue. I will let you know my results.
Thx

Expert Comment

by:cagada
ID: 21832525
In reading further into your question, you will probably have difficulties running this in a user login script.  A user will need to have permissions to apply the permissions.  So, if the user already has permissions...

You can run this as a computer startup script where it runs as local system.  But better yet, if you have Active Directory, you can use Group Policy to set permissions on registry keys.
\Computer Configuration\Windows Settings\Security Settings\Registry

Using group policy - you can probably save some time.
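
An added example, not part of the original thread or any poster's own script: one way to grant read/write on the Touchstar key and its child keys from a computer startup script, using PowerShell's Get-Acl/Set-Acl in place of the setacl, regini and subinacl tools named above. The group name `ABC123\Touchstar-Agents` and both function names are hypothetical; the second function reports any Everyone entry with full control on the key.

```powershell
# Added example. Run elevated, e.g. as a computer startup script (Local System).
$KeyPath = 'HKLM:\SOFTWARE\TRG\TSAgent'
$Group   = 'ABC123\Touchstar-Agents'   # hypothetical group name; substitute your own

function Grant-RegistryReadWrite {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity
    )
    if (-not (Test-Path -Path $Path)) { throw "Registry key not found: $Path" }
    # Resolve to a SID up front so a mistyped group name fails here with an exception.
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    # Read and write only: no Delete, ChangePermissions or TakeOwnership.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
    # ContainerInherit makes the entry apply to child keys as well.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $sid, $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    # AddAccessRule merges into the existing ACL, so the entries already on the
    # key (Administrators, SYSTEM) are kept and a re-run adds no duplicate.
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Read the ACL back and return the explicit entries for this identity.
    (Get-Acl -Path $Path).GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid }
}

# Return any Everyone (S-1-1-0) entry, explicit or inherited, with FullControl.
function Find-EveryoneFullControl {
    param([Parameter(Mandatory = $true)][string]$Path)
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    (Get-Acl -Path $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $everyone -and
                       ($_.RegistryRights -band $full) -eq $full }
}

Grant-RegistryReadWrite -Path $KeyPath -Identity $Group | Format-List
Find-EveryoneFullControl -Path $KeyPath | Format-List
```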