Solved

I need to deploy rights to hkcu/software/classes

Posted on 2009-05-04
9
1,093 Views
Last Modified: 2013-12-12
In our environment we use a kiosk style machine that automatically logs in as a local user account.  I realized when trying to deploy a java app recently that this user somehow does not have rights to hkcu/software/classes.  After trying a couple of different solutions I decided SUBINACL.exe would be the best bet to resolve this.  Unfortunately when I run Subinacl on HKCU (I run it as a local administrator or system with the problem account logged in)it skips over the CLASSES key.  The only way I can make it work is to make the problem account a local administrator and then run subinacl.  I've also tried the SETACL.EXE command with similar outcomes.  Does anybody have a better way to do this?
0
Comment
Question by:bigas_crane
  • 5
  • 3
9 Comments
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 24298641
Each user that logs into the local machine has their own HKCU hive, could you be running into an issue where the user account you're using to install the software is not the local user you've setup for the kiosk?  

If you login as a local admin and then run subinacl, you'd be running it on the admins HKCU and not on the local users HKCU.
0
 

Author Comment

by:bigas_crane
ID: 24298845
I understand this, that's why I'm using a scheduled task to run a subinacl batch file as the SYSTEM account while the local kiosk user is logged in (Just for test purposes for now, later I'll use deployment software to deploy the batch file across the enterprise).  I just don't understand why it keeps skipping over the one key I acutally want to change.  If I poing SUBINACL directly at hkcu/software/classes, it doesn't even recognize that it's there.
0
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 24298941
If you're running the tool as SYSTEM then you're using SYSTEM's registry hives which may not have a CLASSES key.  Getting back to your original question, have you verified manually (loading up regedit.exe and testing) that your local account doesn't have access to CLASSES?  By default, a local user would have full access to their own HKCU.  You might be digging too deep on a problem that could be solved more easily.
0
 

Author Comment

by:bigas_crane
ID: 24298985
I have checked the permissions manually and verified that the kiosk user doesn't have access to the key.  It looks like the user account lost permissions when the image was sysprepped as there is a ghost SID in the permissions table.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 13

Expert Comment

by:usachrisk1983
ID: 24299056
Do you need to make this change for this one kiosk, or are you trying to engineer a solution for a whole bunch of kiosks?  If you need to fix just this one, here's what you do.

1. Reboot the Computer
2. Login as Local Admin
3. Drop to Command Prompt
4. Go to users profile folder (something like c:\documents and settings\kioskuser)
5. Type (no quotes): "reg load HKLM\_kiosk" ntuser.dat

Now, the kiosk users HKCU is loaded into your HKLM for you to modify.

6. Open the Registry Editor, browse to HKLM\_Kiosk\software\classes
7. Make appropriate security changes, close registry editor.
8. Return to command prompt
9. Type "reg unload HKLM\_Kiosk"

You've now changed the security on the kiosk user.
0
 

Author Comment

by:bigas_crane
ID: 24299177
No, I need to change this on 2000 computers.   Also, hkcu/software/classes is derived from the usrclass.dat hive, not ntuser.dat.
0
 
LVL 13

Accepted Solution

by:
usachrisk1983 earned 500 total points
ID: 24299247
You're right, classes is it's own dat and not part of ntuser.dat, I apologize.  So, you'll need to script a solution that loads usrclass.dat then made the change, unless usrclass.dat was already loaded (user is logged in), in which case you'd need to get at it through HKEY_USERS.  

Happy to help you through that if it's not something you're familiar with.
0
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 24299253
One other thing, is your java app being installed as an MSI?  If so, I wonder if elevating the privileges (through policy) for Windows Installer would alleviate the problem?  
0
 
LVL 29

Expert Comment

by:matrixnz
ID: 24324676
You could use something like AutoIT (Free Basic Scripting software), you can do a runas in interactive mode.  Basically exactly what you're doing with Scheduled Tasks but as a script.

Cheers


0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
This guide will walk you through the essential considerations and tech stack for building scalable websites. Know how to grow your business the smart way!
This video demonstrates basic masking and how to edit the mask to reveal the desired image.
XMind Plus helps organize all details/aspects of any project from large to small in an orderly and concise manner. If you are working on a complex project, use this micro tutorial to show you how to make a basic flow chart. The software is free when…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now