Registry command line help!

prey

Hello folks! I have a situation where I really need some sort of command line tool to edit permissions on existing registry keys.

The reason for it having to be a command-line tool, instead of just editing the registry manually, is because I have some 150 machines that need this change done…

I’ve been searching around for ways to do it with REGEDT32, but I can’t seem to control ACLs with that tool.

I found a tool for Win 2000 that actually seems like it could do the job, called REGINI, but I cannot get it to run on my Win XP machines.

So here is what I need:

I need to edit the ACL of two registry keys, allowing “everyone” FULL CONTROL.

Right now they can only READ, so my normal users cannot edit the keys.

I don’t want to give the normal users Administrative rights, as it is too much of a risk in my situation.

Please help if you know how to go about this.

Kind Regards.

Martin Andersen



I am only assuming here...

With 150 machines I would assume you have a domain controller, and if so you could deploy these permissions via Group Policy very easily.

This assumes you:

1) Have a domain

2) Have all Windows 2000/XP/2003 Machines

3) No Win9x/ME machines


Hello again folks!

I know I should have gotten back to you on this a bit earlier, but anyway...

I DID solve the problem using Windows XP's own command-line tool.

Silly of me not to realize that a version of REGINI comes with Windows XP; it does the job with no problem.

To answer chilifrei64:

No: surprisingly there is no domain (this is about to change though). I have been at this new job for only 3 weeks, and part of my future project is to consolidate the infrastructure and set up a central directory service; in this case we will be using Novell NetWare and ZEN.

Yes: all workstations are running Win XP (I had to do some running around in my first week here to clean out the remaining Win 9x & Win2K machines).

Now the reason for the hurried solution was that I needed a class of students to run a certain program, which required the students to have “read/write/change” permissions to two registry keys (and all subkeys of those two).

Alongside this I needed to give permissions to specific directories and files, and thus the solution ended up looking like this (two files):

DanK.cmf:

REM Switch to the system drive (%systemdrive% expands to C:)
%systemdrive%
REM Apply the registry ACLs listed in the .sct file below (REGINI ships with Windows XP)
REGINI [SERVER SHARE]\dankost.sct
REM Give the Users group Full Control on the directories the program writes to.
REM /E edits the existing ACL instead of replacing it, /G grants, Users:F = Full Control.
REM "ECHO Y|" pre-answers any Y/N prompt so the script runs unattended.
ECHO Y| CACLS "C:\Program Files\Common Files\Borland Shared" /E /G Users:F
ECHO Y| CACLS "C:\Program Files\Common Files\Borland Shared\*.*" /E /G Users:F
ECHO Y| CACLS "C:\Program Files\Dansk Catering Center\DK3000\Data" /E /G Users:F
ECHO Y| CACLS "C:\Program Files\Dansk Catering Center\DK3000\Data\*.*" /E /G Users:F
ECHO Y| CACLS "C:\PROGRA~1\DANSKC~1\DK3000\Data\Net" /E /G Users:F
ECHO Y| CACLS "C:\PROGRA~1\DANSKC~1\DK3000\Data\Net\*.*" /E /G Users:F
ECHO Y| CACLS C:\TEMP\DKPrv /E /G Users:F
ECHO Y| CACLS C:\TEMP\DKPrv\*.* /E /G Users:F
ECHO Y| CACLS C:\PDOXUSRS.NET /E /G Users:F
Pause

DANKOST.SCT:

; Each line is a registry key path followed by the ACL REGINI sets on it.
; REGINI's ACL numbers: 1 = Administrators Full Control,
; 5 = Creator/Owner Full Control, 7 = World (Everyone) Full Control.
; This sets the key's ACL rather than adding to it, and 7 grants Everyone,
; which is broader than granting only the Users group.
\Registry\Machine\Software\Borland [1 5 7]
\Registry\Machine\Software\Borland\BLW32 [1 5 7]
\Registry\Machine\Software\Borland\Database Engine [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\DB2 [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\DB2\DB OPEN [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\DB2\INIT [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\DBASE [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\DBASE\DB OPEN [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\DBASE\INIT [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\FOXPRO [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\FOXPRO\DB OPEN [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\FOXPRO\INIT [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\INFORMIX [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\INFORMIX\DB OPEN [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\INFORMIX\INIT [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\INTBASE [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\INTBASE\DB OPEN [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\INTBASE\INIT [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\MSACCESS [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\MSACCESS\DB OPEN [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\MSACCESS\INIT [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\MSSQL [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\MSSQL\DB OPEN [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\MSSQL\INIT [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\ORACLE [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\ORACLE\DB OPEN [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\ORACLE\INIT [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\PARADOX [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\PARADOX\DB OPEN [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\PARADOX\INIT [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYBASE [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYBASE\DB OPEN [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYBASE\INIT [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\REPOSITORIES [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYSTEM [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYSTEM\FORMATS [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYSTEM\FORMATS\DATE [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYSTEM\FORMATS\NUMBER [1 5 7]
\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYSTEM\INIT [1 5 7]
\Registry\Machine\Software\Borland\InterBase [1 5 7]
\Registry\Machine\Software\Borland\InterBase\CurrentVersion [1 5 7]
\Registry\Machine\Software\Dansk Catering Center [1 5 7]
\Registry\Machine\Software\Dansk Catering Center\Dankost 3000 [1 5 7]
\Registry\Machine\Software\Dansk Catering Center\Dankost 3000\3000.20.17.2014 [1 5 7]
\Registry\Machine\Software\Dansk Catering Center\DK3000 [1 5 7]

Thanks for your help anyway!

Kind Regards.

Martin Andersen

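The same change as the posted REGINI/CACLS pair, written as an added PowerShell example (this is not code from the thread or from any of its posters): one inheritable ACE on each top-level key covers every existing and future subkey instead of one .sct line per subkey, the grant goes to BUILTIN\Users rather than Everyone, and the default right set is "read + write values + create/delete subkeys" instead of Full Control, since Full Control also hands every user WriteDAC/WriteOwner on the key. The two key paths are the ones named in the post; the -FullControl and -WhatIf switches and the function names are this example's own. Run it elevated.

```powershell
# Added example, not code from the original thread. Grants a group write
# access to a registry key and all of its subkeys in one inheritable ACE,
# dry-runs first, then verifies the result on the key and on one subkey.
Set-StrictMode -Version 2

function Grant-RegistryKeyAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $KeyPath,   # e.g. 'HKLM:\SOFTWARE\Borland'
        [string] $Identity = 'BUILTIN\Users',               # group, not Everyone
        [switch] $FullControl,                              # only if the app truly needs WriteDAC/WriteOwner
        [switch] $WhatIf
    )
    # Least privilege: what an application that "needs read/write/change" normally uses.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey, Delete'
    if ($FullControl) { $rights = [System.Security.AccessControl.RegistryRights]::FullControl }

    # ContainerInherit: every existing and future subkey inherits this ACE,
    # so the whole tree is covered without enumerating subkeys.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Identity, $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $KeyPath          # throws if the key does not exist
    $acl.AddAccessRule($rule)              # add to the existing DACL, do not replace it
    if ($WhatIf) {
        Write-Host "[WhatIf] resulting ACEs for $Identity on $KeyPath :"
        $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity } | Format-Table -AutoSize
        return
    }
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Test-RegistryKeyAccess {
    # $true when an Allow ACE for $Identity carrying at least $Required exists
    # on the key, whether set directly or inherited from a parent.
    param(
        [Parameter(Mandatory = $true)] [string] $KeyPath,
        [string] $Identity = 'BUILTIN\Users',
        [System.Security.AccessControl.RegistryRights] $Required = 'SetValue, CreateSubKey'
    )
    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Identity -and
            (($ace.RegistryRights -band $Required) -eq $Required)) { return $true }
    }
    return $false
}

# The two registry trees named in the thread.
$keys = 'HKLM:\SOFTWARE\Borland', 'HKLM:\SOFTWARE\Dansk Catering Center'
foreach ($k in $keys) {
    Grant-RegistryKeyAccess -KeyPath $k -WhatIf     # inspect before touching anything
    Grant-RegistryKeyAccess -KeyPath $k
    # Verify on the root key and on its first subkey to confirm inheritance took effect.
    $targets = @($k) + @(Get-ChildItem -Path $k -Recurse -ErrorAction SilentlyContinue |
                         Select-Object -First 1 | ForEach-Object { $_.PSPath })
    foreach ($p in $targets) {
        '{0} : {1}' -f $p, (Test-RegistryKeyAccess -KeyPath $p)
    }
}
```

Run it on one machine with -WhatIf left in and the Set-Acl call commented out to review the ACEs, then without. If the application turns out to need more than SetValue/CreateSubKey/Delete, widen $rights to the specific RegistryRights flag rather than jumping to FullControl.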

It is a really powerful tool:

SubInAcl version 

USAGE
-----

Usage  : SubInAcl [/view_mode] [/test_mode] [/output=FileName] /object_type object_name
                 [/action[=parameter] [/action[=parameter]]...

/view_mode   :
   /noverbose                            /verbose (default=/verbose=2)
   /verbose=1                            /verbose=2
/test_mode   :
   /notestmode (default=/notestmode)     /testmode
/object_type :
   /service            /keyreg             /subkeyreg
   /file               /subdirectories     /share
   /clustershare       /kernelobject       /metabase
   /printer            /onlyfile
/action      :
   /display(default)
   /setowner=owner
   /replace=[DomainName\]OldAccount=[DomainName\]New_Account
   /changedomain=OldDomainName=NewDomainName
   /migratetodomain=SourceDomain=DestDomain
   /findsid=[DomainName\]Account[=stop]
   /suppresssid=[DomainName\]Account
   /confirm
   /ifchangecontinue
   /cleandeletedsidsfrom=DomainName
   /testmode
   /accesscheck=[DomainName\]Username
   /setprimarygroup=[DomainName\]Group
   /grant=[DomainName\]Username[=Access]
   /deny=[DomainName\]Username[=Access]
   /revoke=[DomainName\]Username

Usage  : SubInAcl   [/view_mode] /playfile file_name

Usage  : SubInAcl   /help [keyword]
        SubInacl   /help /full
   keyword can be :
   features  usage syntax sids  view_mode test_mode object_type
   domain_migration substitution_features editing_features
 - or -
   any [/action] [/object_type]


SYNTAX
------

The SubInAcl syntax is analogous to the UNIX find tool.
For each object, SubInAcl :
   1. retrieves the security descriptor of the object
   2. applies the /action(s). The /actions are executed in the order of
      the command line
   3. If :
      - the security descriptor has been modified and
      - the /testmode switch has not been specified
      the changes are applied to the object
   For instance :
      - SubInAcl /output=result.txt /subdirectories \\Server\c$\temp\*.*
                 /grant=Dom\John=F /noverbose /display
        For each file below \\Server\c$\temp, SubInAcl will
        - open the file
        - grant full control for dom\john
        - display the security setting in noverbose mode
        - save the security descriptor.
        All outputs will be saved in result.txt

You can specify as many /actions as you wish. You must specify at least 3
characters for each action.
The command line is not case-sensitive

Ex: SubInAcl /file c:\temp\*.txt /replace=John=Smith /display
   for each *.txt file will - replace John with Smith
                            - display the whole security descriptor
                            - apply the changes if any

SubInAcl error messages are sent to the Standard error.
You can use the /output switch to save both outputs
and errors in the same file.


FEATURES
--------

SubInAcl was designed to help administrators to manage security on
various objects.
It provides :
  - a unified way to manipulate security for different kinds of objects
    (files, registry keys, services, printer,...)
  - a console tool that allows to write scripts to automate
    security tasks
  - some features that help administrators to modify security if some
    changes occur in their organization:
        - user, group deletions (/suppresssid, /cleandeletedsidsfrom )
        - user, group migrations (/replace)
        - domain migration (/changedomain, /migratetodomain)
        ...
  - security descriptor editing features :
        - owner ( /setowner )
        - primary group ( /setprimarygroup )
        - permissions ( /grant , /deny , /revoke )
  - access to remote objects
  - save and restore permissions (/playfile , /output , /display )

You need SeBackupPrivilege SeRestorePrivilege
SeSecurityPrivilege SeTakeOwnershipPrivilege
SeChangeNotifyPrivilege privileges (locally or remotely) to run this tool

Type SubInAcl /help to get extended help


SIDS
----

The security descriptor references a user,group,.. with a SID (Security
Identifier). An SID can be expressed in one of the following form :
        + DomainName\Account (ex: DOM\Administrators )
        + StandaloneServer\Group
        + Account ( see LookupAccount API )
        + s-1-x-x-x-x . x is expressed in decimal
          (ex: S-1-5-21-56248481-1302087933-1644394174-1001)
          Warning : In that case, no check is done to verify the existence
          of this SID.

SubInAcl maintains a local cache of SIDs to minimize SID to "Human Name"
translation network cost


VIEW_MODE
---------

SubInAcl can be used in a quiet mode (/noverbose) or in 2 verbose modes
(/verbose , /verbose=1 )
You can specify these switches either :
 - for the entire command line :
      SubInAcl /noverbose /file *.dat /display
 - after a specific action    :
       SubInacl /file *.dat /display /noverbose /display
The /verbose=1 mode may be used with /display to display perm. ACEs using
/grant or /deny notations.



TEST_MODE
---------

If /testmode is specified, the changes will not be reflected to the object
security descriptor. This option is useful to test the validity of a command.
Ex : SubInacl /subdirec \\server\share\*.* /changedomain=DOMA=DOMB
             /ifchangecontinue /noverbose /display /testmode
    For each file modified this command displays the modified security
    descriptor. But these changes will not physically apply to the files



OBJECT_TYPE
-----------

SubInAcl can work with various objects:
- Files         :
     /file
     /subdirectories
     /onlyfile
- Registry keys :
     /keyreg
     /subkeyreg
- Services      :
     /service
- Shares        :
     /share
     /clustershare
- Printer       :
     /printer
- Kernel named objects :
     /kernel
- IIS administration rights :
     /metabase

The actions are valid for all objects
Most of them support the enumeration with the * character


DOMAIN_MIGRATION
----------------

The main purpose of SubInAcl is to help administrators to migrate user(s)
if the domain architecture has changed.
For instance, the user John has
moved and is now member of the DOMB organization.
You can reflect this change with :
SubInAcl /subdirec \\server\share\*.* /replace=OldDomain\John=DOMB\John
N.B: A trust relationship must
be enabled between the domain of server and
OldDomain and NEWDOMAIN

Sample :
 You have worked with a unique domain.
 You want to migrate a BDC named MIGRCONTROL with all the files and the
 users utilized on a new domain
 1. Reinstall the BDC as PDC to the NEWDOMAIN (without erasing the files)
 2. Create the users on NEWDOMAIN
 3. Create a "trusted relationship" with OLDDOMAIN
 4. Run SubInAcl /noverbose /subdirectories x:\*.*
                            /changedomain=OLDDOMAIN=NEWDOMAIN
 5. Verify the changes with SubInAcl /noverbose /subdirectories x:\*.*

Sample :
 You have worked with a standalone server named SERVER in a workgroup
 environment. You want to move this server (including users) to a domain DOM.
 1. Move SERVER to the domain DOM
 2. Create the users in the DOM domain
 3. SubInAcl /noverbose /subdirectories \\server\share
             /changedomain=SERVER=DOM

See /changedomain /migratedomain /replace actions


EDITING_FEATURES
----------------

SubInAcl allows to modify each part of a security descriptor :
- owner
      see /owner=SID or /setowner=SID
- primary group
      see /setprimarygroup=GroupSID
- system ACL (SubInAcl name = Audit ACL) with Access Control Entries
  (SubInAcl name= AAce = Audit ACE)
see /audit  /aace=xxx
- discretionary ACL (SubInAcl name = Perm ACL ) with Access Control Entries
  (SubInAcl name= PAce = Perm ACE)
  see /perm   /pace=xxx  /revoke=SID /grant=SID=Access /deny=SID



/SERVICE
--------

manipulate service
- \\ServerName\Messenger
- Messenger


/KEYREG
-------

manipulate registry keys
- HKEY_CURRENT_USER\Software
- HKEY_CURRENT_USER\Software\*Version
- \\Srv\HKEY_LOCAL_MACHINE\KeyPath


/SUBKEYREG
----------

manipulate registry keys and subkeys
- HKEY_CURRENT_USER\Software
- HKEY_CURRENT_USER\Software\*Version
- \\Srv\HKEY_LOCAL_MACHINE\KeyPath


/FILE
-----

manipulate files
N.B: SubInAcl is not supported on DFS volumes
- *.obj
- c:\temp\*.obj
- \\servername\share\*.exe


/SUBDIRECTORIES
---------------

manipulate files in specified directory and all subdirectories
- c:\temp\*.obj     : work with all obj files
- c:\temp\test      : work with all test files under temp directory
- c:\temp\test\*.*  : work with all files under temp\test


/ONLYFILE
---------

open a file without using the FindFilexxx mechanism.
Can be used to access named pipes or mailslot
- \\.\pipe\pipename


/SHARE
------

access a network file share.
- \\server\share


/CLUSTERSHARE
-------------

access a cluster file share resource.
- \\clustername\FileShare_Resource_Name
- \\clustername\s*


/KERNELOBJECT
-------------

access a named kernel object.
Can be used to view mutex, sections, events objects


/METABASE
----------

access to IIS metabase AdminACL metabase property
Note that this property can only be used with these Metabase paths
/LM/MSFTPSVC , /LM/MSFTPSVC/n , /LM/W3SVC , /LM/W3SVC/
This object doesn't support enumeration.
- SubInAcl /metabase \\ServerName\LM\W3SVC /grant=administrator=F



/DISPLAY
--------

display the security descriptor
The /noverbose display can be used to reapply the security descriptor
(see /playfile)


/PLAYFILE PLAYFILE.TXT
----------------------

- You can reapply security settings saved with the /noverbose /display option
 1. save settings   : SubInAcl /output=c:\subinaclsave.txt /noverbose /display
 2. replay settings : SubInAcl /playfile c:\subinaclsave.txt
- The playfile.txt can contain any valid options and can be used to batch SubInAcl commands
 playfile.txt :
    +subdirec *.txt
    /noverbose
  /grant=everyone=R
    +services RkillSrv
    /display


/OUTPUT
-------

/output=filename.txt
all outputs and errors will be sent to filename.txt


/OWNER
------

will change the owner of the object
/owner=SID
owner = DomainName\Administrators will retrieve the Administrators Sid on
the server where the object is (see Win32 SDK LookupAccountName function).


/REPLACE
--------

/replace=DomainName\OldAccount=DomainName\New_Account
   replace all ACEs (Audit and Permissions) in the object
   Ex: /replace=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan will replace
       all ACEs containing DOM_MARKETING\ChairMan with NewChairMan SID
       retrieves from NEWDOM domain


/CLEANDELETEDSIDSFROM
---------------------

/cleandeletedsidsfrom=DomainName
   delete all ACEs containing deleted (no valid) Sids from DomainName


/CHANGEDOMAIN
-------------

/changedomain=OldDomainName=NewDomainName
    replace all ACEs with a Sid from OldDomainName
    with the equivalent Sid found in NewSamServer
    Ex: /changedomain=DOM_MARKETING=NEWDOMAIN
    replace all ACEs containing DOM_MARKETING\ChairMan SID
    with the ChairMan's SID retrieved on NEWDOMAIN computer
    The NEWDOMAIN must have a trusted relationship with the server
    containing the object


/MIGRATETODOMAIN
----------------

/migratetodomain=FromDomainName=ToDomainName
    same behavior as /changedomain except that new ACEs will be added instead
    of replacing
    Ex: /migratetodomain=DOM1=DOM2
    each ace with DOM1\User will be duplicated with DOM2\User
    (If DOM2\User exists)
    If during the migration there was a serious oversight
    you can instruct the user to log back onto DOM1.
    N.B: Owner and Primary Group are migrated to DOM2


/FINDSID
--------

/findsid=DomainName\Account[=stop]
    display the object name containing a reference to DomainName\Account
    in the security descriptor


/SUPPRESSSID
------------

/suppresssid=DomainName\Account
    suppress all ACES containing the DomainName\Account SID.
    If the object's owner is DomainName\Account, the owner is set to
    Everyone's SID.


/PERM
-----

/perm
    suppress all existing permissions aces (PACEs)


/AUDIT
------

/audit
    suppress all existing auditing aces (AACEs)


/IFCHANGECONTINUE
-----------------

/ifchangecontinue
    continue to process the next actions only if some changes have been
    made in the previous actions


/TESTMODE
---------

/testmode
    changes will not be applied to the object. This allows to test the
    modifications


/ACCESSCHECK
------------

/accesscheck=Domain\Username
    display the access granted to the Domain\Username. The password will
    be asked. This option requires the SeTcbName privilege (Act as Part
    of the Operating System). This option cannot be used with remote object.
    Note : the access is checked with the NETWORK security identified
    granted to the Domain\UserName


/SETPRIMARYGROUP
----------------

/setprimarygroup=[DomainName\]Group
    change the primary group


/DENY
-----

/deny=[DomainName\]User[=Access]
    add a denied Permission Ace for the specified User (or group)
    If Access is not specified, all accesses will be denied.

    File:
      F : Full Control
      C : Change
      R : Read
      P : Change Permissions
      O : Take Ownership
      X : eXecute
      E : Read eXecute
      W : Write
      D : Delete

    ClusterShare:
      F : Full Control
      R : Read
      C : Change

    Printer:
      F : Full Control
      M : Manage Documents
      P : Print

    KeyReg:
      F : Full Control
      R : Read
      A : ReAd Control
      Q : Query Value
      S : Set Value
      C : Create SubKey
      E : Enumerate Subkeys
      Y : NotifY
      L : Create Link
      D : Delete
      W : Write DAC
      O : Write Owner

    Service:
      F : Full Control
      R : Generic Read
      W : Generic Write
      X : Generic eXecute
      L : Read controL
      Q : Query Service Configuration
      S : Query Service Status
      E : Enumerate Dependent Services
      C : Service Change Configuration
      T : Start Service
      O : Stop Service
      P : Pause/Continue Service
      I : Interrogate Service
      U : Service User-Defined Control Commands

    Share:
      F : Full Control
      R : Read
      C : Change

    Metabase:
      F : Full Control
      R : Read - MD_ACR_READ
      W : Write - MD_ACR_WRITE
      I : Restricted Write - MD_ACR_RESTRICTED_WRITE
      U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
      E : Enum keys- MD_ACR_ENUM_KEYS
      D : write Dac- MD_ACR_WRITE_DAC


/REVOKE
-------

/revoke=[DomainName\]User
    suppress all Permission Ace(s) for the specified User (or group)


/GRANT
------

/grant=[DomainName\]User[=Access]
    will add a Permission Ace for the user.
    if Access is not specified, the Full Control access will be granted.

    File:
      F : Full Control
      C : Change
      R : Read
      P : Change Permissions
      O : Take Ownership
      X : eXecute
      E : Read eXecute
      W : Write
      D : Delete

    ClusterShare:
      F : Full Control
      R : Read
      C : Change

    Printer:
      F : Full Control
      M : Manage Documents
      P : Print

    KeyReg:
      F : Full Control
      R : Read
      A : ReAd Control
      Q : Query Value
      S : Set Value
      C : Create SubKey
      E : Enumerate Subkeys
      Y : NotifY
      L : Create Link
      D : Delete
      W : Write DAC
      O : Write Owner

    Service:
      F : Full Control
      R : Generic Read
      W : Generic Write
      X : Generic eXecute
      L : Read controL
      Q : Query Service Configuration
      S : Query Service Status
      E : Enumerate Dependent Services
      C : Service Change Configuration
      T : Start Service
      O : Stop Service
      P : Pause/Continue Service
      I : Interrogate Service
      U : Service User-Defined Control Commands

    Share:
      F : Full Control
      R : Read
      C : Change

    Metabase:
      F : Full Control
      R : Read - MD_ACR_READ
      W : Write - MD_ACR_WRITE
      I : Restricted Write - MD_ACR_RESTRICTED_WRITE
      U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
      E : Enum keys- MD_ACR_ENUM_KEYS
      D : write Dac- MD_ACR_WRITE_DAC


You can of course use my technique (store the commands on the DC and call them from the clients).

Yep, it is a really great tool, though quite hard for normal administrators...

I discovered it when I needed to grant permission for one user to restart one specified service (of course without giving him server admin permissions).

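An added PowerShell wrapper (example code, not from the thread or from the SubInAcl tool itself) that uses only switches from the help text pasted above: every change is run with /testmode first, then applied, then re-read with /display to confirm the identity is now in the descriptor. It covers both the registry-tree grant the thread is about and the "let one user restart one service without admin rights" case in the reply above. Assumptions: subinacl.exe is on PATH and the session is elevated (the tool needs the SeSecurity/SeRestore/SeTakeOwnership privileges listed in its help); the key, the Spooler service, the CORP\jdoe account and the TOPS right set are illustrative.

```powershell
# Added example, not code from the thread. Drives subinacl.exe through a
# dry-run / apply / verify cycle so a typo in an ACL change is caught by
# /testmode rather than rolled out to 150 machines.
Set-StrictMode -Version 2

function Invoke-SubInAcl {
    # Runs subinacl with the given arguments and returns its output lines;
    # fails loudly on a non-zero exit code instead of silently continuing.
    param([Parameter(Mandatory = $true)] [string[]] $Arguments)
    $output = & subinacl.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "subinacl $($Arguments -join ' ') failed with exit code $LASTEXITCODE`n$($output -join "`n")"
    }
    return $output
}

function Set-SubInAclGrant {
    # Grants $Access to $Identity on one object. $ObjectType is a subinacl
    # object switch (/keyreg, /subkeyreg, /service, /subdirectories, ...).
    # Without -Apply only the /testmode pass runs and $false is returned.
    param(
        [Parameter(Mandatory = $true)] [string] $ObjectType,
        [Parameter(Mandatory = $true)] [string] $ObjectName,
        [Parameter(Mandatory = $true)] [string] $Identity,
        [Parameter(Mandatory = $true)] [string] $Access,
        [switch] $Apply
    )
    $base = @('/noverbose', $ObjectType, $ObjectName, "/grant=$Identity=$Access")
    # 1. /testmode shows the resulting descriptor without writing it.
    Invoke-SubInAcl -Arguments ($base + @('/testmode', '/display')) | Out-Null
    if (-not $Apply) { return $false }
    # 2. apply, then 3. re-read and confirm the identity is in the descriptor.
    Invoke-SubInAcl -Arguments $base | Out-Null
    $after = Invoke-SubInAcl -Arguments @('/noverbose', $ObjectType, $ObjectName, '/display')
    return [bool]($after | Where-Object { $_ -match [regex]::Escape($Identity) })
}

# Case from the thread: the Users group gets Full Control on a registry tree.
# /subkeyreg visits every existing subkey; check the /display output to see
# whether subkeys created later will inherit the ACE or need another run.
Set-SubInAclGrant -ObjectType '/subkeyreg' -ObjectName 'HKEY_LOCAL_MACHINE\SOFTWARE\Borland' `
                  -Identity 'Users' -Access 'F' -Apply

# Case from the reply above: one user may start/stop/pause one service without
# being an administrator. Letters from the /grant Service table: T = start,
# O = stop, P = pause/continue, S = query status. Account name is hypothetical.
Set-SubInAclGrant -ObjectType '/service' -ObjectName 'Spooler' `
                  -Identity 'CORP\jdoe' -Access 'TOPS' -Apply
```

Leave -Apply off for the first run on a pilot machine and read the /testmode /display output; the service grant deliberately stops at start/stop/pause/query rather than F, which would also let the user change the service's binary path and account.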