Solved

I need to deploy rights to hkcu/software/classes

Posted on 2009-05-04
9
1,097 Views
Last Modified: 2013-12-12
In our environment we use a kiosk style machine that automatically logs in as a local user account.  I realized when trying to deploy a java app recently that this user somehow does not have rights to hkcu/software/classes.  After trying a couple of different solutions I decided SUBINACL.exe would be the best bet to resolve this.  Unfortunately when I run Subinacl on HKCU (I run it as a local administrator or system with the problem account logged in)it skips over the CLASSES key.  The only way I can make it work is to make the problem account a local administrator and then run subinacl.  I've also tried the SETACL.EXE command with similar outcomes.  Does anybody have a better way to do this?
0
Comment
Question by:bigas_crane
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
9 Comments
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 24298641
Each user that logs into the local machine has their own HKCU hive, could you be running into an issue where the user account you're using to install the software is not the local user you've setup for the kiosk?  

If you login as a local admin and then run subinacl, you'd be running it on the admins HKCU and not on the local users HKCU.
0
 

Author Comment

by:bigas_crane
ID: 24298845
I understand this, that's why I'm using a scheduled task to run a subinacl batch file as the SYSTEM account while the local kiosk user is logged in (Just for test purposes for now, later I'll use deployment software to deploy the batch file across the enterprise).  I just don't understand why it keeps skipping over the one key I acutally want to change.  If I poing SUBINACL directly at hkcu/software/classes, it doesn't even recognize that it's there.
0
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 24298941
If you're running the tool as SYSTEM then you're using SYSTEM's registry hives which may not have a CLASSES key.  Getting back to your original question, have you verified manually (loading up regedit.exe and testing) that your local account doesn't have access to CLASSES?  By default, a local user would have full access to their own HKCU.  You might be digging too deep on a problem that could be solved more easily.
0
Business Impact of IT Communications

What are the business impacts of how well businesses communicate during an IT incident? Targeting, speed, and transparency all matter. Find out more in this infographic.

 

Author Comment

by:bigas_crane
ID: 24298985
I have checked the permissions manually and verified that the kiosk user doesn't have access to the key.  It looks like the user account lost permissions when the image was sysprepped as there is a ghost SID in the permissions table.
0
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 24299056
Do you need to make this change for this one kiosk, or are you trying to engineer a solution for a whole bunch of kiosks?  If you need to fix just this one, here's what you do.

1. Reboot the Computer
2. Login as Local Admin
3. Drop to Command Prompt
4. Go to users profile folder (something like c:\documents and settings\kioskuser)
5. Type (no quotes): "reg load HKLM\_kiosk" ntuser.dat

Now, the kiosk users HKCU is loaded into your HKLM for you to modify.

6. Open the Registry Editor, browse to HKLM\_Kiosk\software\classes
7. Make appropriate security changes, close registry editor.
8. Return to command prompt
9. Type "reg unload HKLM\_Kiosk"

You've now changed the security on the kiosk user.
0
 

Author Comment

by:bigas_crane
ID: 24299177
No, I need to change this on 2000 computers.   Also, hkcu/software/classes is derived from the usrclass.dat hive, not ntuser.dat.
0
 
LVL 13

Accepted Solution

by:
usachrisk1983 earned 500 total points
ID: 24299247
You're right, classes is it's own dat and not part of ntuser.dat, I apologize.  So, you'll need to script a solution that loads usrclass.dat then made the change, unless usrclass.dat was already loaded (user is logged in), in which case you'd need to get at it through HKEY_USERS.  

Happy to help you through that if it's not something you're familiar with.
0
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 24299253
One other thing, is your java app being installed as an MSI?  If so, I wonder if elevating the privileges (through policy) for Windows Installer would alleviate the problem?  
0
 
LVL 29

Expert Comment

by:matrixnz
ID: 24324676
You could use something like AutoIT (Free Basic Scripting software), you can do a runas in interactive mode.  Basically exactly what you're doing with Scheduled Tasks but as a script.

Cheers


0

Featured Post

The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In our personal lives, we have well-designed consumer apps to delight us and make even the most complex transactions simple. Many enterprise applications, however, are a bit behind the times. For an enterprise app to be successful in today's tech wo…
Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
Viewers will learn how to use the Hootsuite Dashboard.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question