prey Posted August 19, 2005 Share Posted August 19, 2005 (edited) Hello folks! I have a situation where I really need some sort of command line tool to edit permissions on existing registry keys.The reason for it having to be a command line tool, instead of just editing the registry manually, is because I have some 150 machines that needs this change done…I’ve been searching around for ways to do it with REGEDT32, but I cant seem to control ACL’s with that toolI found a tool for Win 2000 that actually seems like it could do the job; called REGINI, but I cannot get it to run on my Win XP machines.So here is what I need:I need to edit the ACL of two registry keys, allowing “everyone” FULL CONTROL.Right now they can only READ, so my normal users cannot edit the keys.I don’t want to give the normal users Administrative rights, as it too much of a risk in my situation.Please help if you know how to go about this.Kind Regards.Martin Andersen Edited August 19, 2005 by prey Link to comment Share on other sites More sharing options...
jabab Posted August 19, 2005 Share Posted August 19, 2005 Did you find this http://www.google.co.uk/url?sa=t&ct=res&cd..._-6JpXoQeL83LYOYou could make a script to do it, put it on a server, and make it run in a login script. Link to comment Share on other sites More sharing options...
chilifrei64 Posted August 19, 2005 Share Posted August 19, 2005 I am only assuming here... With 150 machines i would assume you maybe have a domain controller and with that being said you could deploy these permissions via group policy very easily. This assumes you:1) Have a domain2) Have all Windows 2000/XP/2003 Machines3) No Win9x/ME machines Link to comment Share on other sites More sharing options...
prey Posted August 25, 2005 Author Share Posted August 25, 2005 Hello again folks!I know I should have gotten back to you on this a bit earlier, but anyways..I DID solve the problem using Windows XP own command line tool.Silly I did not realize that with Windows XP comes a version of REGINI, which does the job with no problem. To answer chilifrei64:No – surprisingly there is no domain ( this is about to change though ) I have been at this new job for only 3 week, and part of my future project is to consolidate the infrastructure, and set up a central Directory service – in this case we will be using Novell Netware and ZEN.Yes – All workstations are running Win XP ( I had to do some running around at my first week here to clean out the remaining Win 9x & Win2KNow the reason for the hurried solution was that I needed a class of students to run a certain program, which required the students to have “read/write/change” permissions to tw0 registry keys (and all sub keys of those two) Along side this I needed to give permissions specific directories and files, and thus the solution got to look like this (two files)DanK.cmf:%systemdrive%REGINI [sERVER SHARE]\dankost.sctECHO Y| CACLS "C:\Program Files\Common Files\Borland Shared" /E /G Users:FECHO Y| CACLS "C:\Program Files\Common Files\Borland Shared\*.*" /E /G Users:FECHO Y| CACLS "C:\Program Files\Dansk Catering Center\DK3000\Data" /E /G Users:FECHO Y| CACLS "C:\Program Files\Dansk Catering Center\DK3000\Data\*.*" /E /G Users:FECHO Y| CACLS "C:\PROGRA~1\DANSKC~1\DK3000\Data\Net" /E /G Users:FECHO Y| CACLS "C:\PROGRA~1\DANSKC~1\DK3000\Data\Net\*.*" /E /G Users:FECHO Y| CACLS C:\TEMP\DKPrv /E /G Users:FECHO Y| CACLS C:\TEMP\DKPrv\*.* /E /G Users:FECHO Y| CACLS C:\PDOXUSRS.NET /E /G Users:FPauseDANKOST.SCT:\Registry\Machine\Software\Borland [1 5 7]\Registry\Machine\Software\Borland\BLW32 [1 5 7] \Registry\Machine\Software\Borland\Database Engine [1 5 7] \Registry\Machine\Software\Borland\Database Engine\Settings\ [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\DB2 [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\DB2\DB OPEN [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\DB2\INIT [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\DBASE [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\DBASE\DB OPEN [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\DBASE\INIT [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\FOXPRO [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\FOXPRO\DB OPEN [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\FOXPRO\INIT [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\INFORMIX [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\INFORMIX\DB OPEN [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\INFORMIX\INIT [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\INTBASE [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\INTBASE\DB OPEN [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\INTBASE\INIT [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\MSACCESS [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\MSACCESS\DB OPEN [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\MSACCESS\INIT [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\MSSQL [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\MSSQL\DB OPEN [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\MSSQL\INIT [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\ORACLE [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\ORACLE\DB OPEN [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\ORACLE\INIT [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\PARADOX [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\PARADOX\DB OPEN [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\PARADOX\INIT [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYBASE [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYBASE\DB OPEN [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYBASE\INIT [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\REPOSITORIES [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYSTEM [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYSTEM\FORMATS [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYSTEM\FORMATS\DATE [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYSTEM\FORMATS\NUMBER [1 5 7]\Registry\Machine\Software\Borland\Database Engine\Settings\DRIVERS\SYSTEM\INIT [1 5 7]\Registry\Machine\Software\Borland\InterBase [1 5 7] \Registry\Machine\Software\Borland\InterBase\CurrentVersion [1 5 7] \Registry\Machine\Software\Dansk Catering Center [1 5 7]\Registry\Machine\Software\Dansk Catering Center\Dankost 3000 [1 5 7]\Registry\Machine\Software\Dansk Catering Center\Dankost 3000\3000.20.17.2014 [1 5 7]\Registry\Machine\Software\Dansk Catering Center\DK3000 [1 5 7]Thanks for your help anyway!Kind Regards.Martin Andersen Link to comment Share on other sites More sharing options...
Martin Zugec Posted August 25, 2005 Share Posted August 25, 2005 Command for advanced ACL setting is SubInAcl. You can also control ACL for services etc. Link to comment Share on other sites More sharing options...
prey Posted August 25, 2005 Author Share Posted August 25, 2005 Hey Zugec!How do you use that command? My XP installation isn’t responding properly to that line...?Kind Regards.Martin Andersen Link to comment Share on other sites More sharing options...
Martin Zugec Posted August 25, 2005 Share Posted August 25, 2005 It is from Resource Kit (available for free from www.microsoft.com) Link to comment Share on other sites More sharing options...
Martin Zugec Posted August 25, 2005 Share Posted August 25, 2005 It is really powerfull tool:SubInAcl version USAGE-----Usage : SubInAcl [/view_mode] [/test_mode] [/output=FileName] /object_type object_name [/action[=parameter] [/action[=parameter]]... /view_mode : /noverbose /verbose (default=/verbose=2) /verbose=1 /verbose=2 /test_mode : /notestmode (default=/notestmode) /testmode /object_type : /service /keyreg /subkeyreg /file /subdirectories /share /clustershare /kernelobject /metabase /printer /onlyfile /action : /display(default) /setowner=owner /replace=[DomainName\]OldAccount=[DomainName\]New_Account /changedomain=OldDomainName=NewDomainName /migratetodomain=SourceDomain=DestDomain /findsid=[DomainName\]Account[=stop] /suppresssid=[DomainName\]Account /confirm /ifchangecontinue /cleandeletedsidsfrom=DomainName /testmode /accesscheck=[DomainName\]Username /setprimarygroup=[DomainName\]Group /grant=[DomainName\]Username[=Access] /deny=[DomainName\]Username[=Access] /revoke=[DomainName\]UsernameUsage : SubInAcl [/view_mode] /playfile file_nameUsage : SubInAcl /help [keyword] SubInacl /help /full keyword can be : features usage syntax sids view_mode test_mode object_type domain_migration substitution_features editing_features - or - any [/action] [/object_type]SYNTAX------The SubInAcl syntax is analog to the UNIX find tool.For each object, SubInAcl : 1. retrieves the security descriptor of the object 2. applies the /action(s). The /actions are executed in the order of the command line 3. If : - the security descriptor has been modified and - the /testmode switch has not been specified the changes are applied to the object For instance : - SubInAcl /output=result.txt /subdirectories \\Server\c$\temp\*.* /grant=Dom\John=F /noverbose /display For each file below \\Server\c$\temp, SubInAcl will - open the file - grant full control for dom\john - display the security setting in noverbose mode - save the security descriptor. All outputs will be saved in result.txtYou can specify as many /actions as you wish. You must specify at least 3characters for each action.The command line is not case-sensitiveEx: SubInAcl /file c:\temp\*.txt /replace=John=Smith /display for each *.txt file will - replace John with Smith - display the whole security descriptor - apply the changes if anySubInAcl error messages are sent to the Standard error.You can use the /output switch to save both outputsand errors in the same file.FEATURES--------SubInAcl was designed to help administrators to manage security onvarious objects.It provides : - a unified way to manipulate security for different kinds of objects (files, registry keys, services, printer,...) - a console tool that allows to write scripts to automate security tasks - some features that help administrators to modify security if some changes occur in their organization: - user, group deletions (/suppresssid, /cleandeletedsidsfrom ) - user, group migrations (/replace) - domain migration (/changedomain, /migratetodomain) ... - security descriptor editing features : - owner ( /setowner ) - primary group ( /setprimarygroup ) - permissions ( /grant , /deny , /revoke ) - access to remote objects - save and restore permissions (/playfile , /output , /display )You need SeBackupPrivilege SeRestorePrivilegeSeSecurityPrivilege SeTakeOwnershipPrivilege SeChangeNotifyPrivilege privileges (locally or remotely) to run this toolType SubInAcl /help to get extended helpSIDS----The security descriptor references a user,group,.. with a SID (SecurityIdentifier). An SID can be expressed in one of the following form : + DomainName\Account (ex: DOM\Administrators ) + StandaloneServer\Group + Account ( see LookupAccount API ) + s-1-x-x-x-x . x is expressed in decimal (ex: S-1-5-21-56248481-1302087933-1644394174-1001) Warning : In that case, no check is done to verify the existence of this SID.SubInAcl maintains a local cache of SIDs to minimize SID to "Human Name"translation network costVIEW_MODE---------SubInAcl can be used in a quiet mode (/noverbose) or a in 2 verbose modes(/verbose , /verbose=1 )You can specify these switches either : - for the entire comand line : SubInAcl /noverbose /file *.dat /display - after a specific action : SubInacl /file *.dat /display /noverbose /displayThe /verbose=1 mode may be used with /display to display perm. ACEs using/grant or /deny notations.TEST_MODE---------If /testmode is specified, the changes will not be reflected to the objectsecurity descriptor. This option is usefull to test the validity of a comand.Ex : SubInacl /subdirec \\server\share\*.* /changedomain=DOMA=DOMB /ifchangecontinue /noverbose /display /testmode For each file modified this comand displays the modified security descriptor. But these changes will not physically apply to the filesOBJECT_TYPE-----------SubInAcl can work with various objects: - Files : /file /subdirectories /onlyfile - Registry keys : /keyreg /subkeyreg - Services : /service - Shares : /share /clustershare - Printer : /printer - Kernel named objects : /kernel - IIS adminidstration rights : /metabaseThe actions are valid for all objectsMost of them support the enumeration with the * characterDOMAIN_MIGRATION----------------The main purpose of SubInAcl is to help administrators to migrate user(s)if the domain architecture has changed. For instance, the user John hasmoved and is now member of the DOMB organization.You can reflect this change with :SubInAcl /subdirec \\server\share\*.* /replace=OldDomain\John=DOMB\JohnN.B: A trust relationship must be enabled between the domain of server andOldDomain and NEWDOMAINSample : You have worked with a unique domain. You want to migrate a BDC named MIGRCONTROL with all the files and the users utilized on a new domain 1. Reinstall the BDC as PDC to the NEWDOMAIN (without erasing the files) 2. Create the users on NEWDOMAIN 3. Create a "trusted relationship" with OLDDOMAIN 4. Run SubInAcl /noverbose /subdirectories x:\*.* /changedomain=OLDDOMAIN=NEWDOMAIN 5. Verify the changes with SubInAcl /noverbose /subdirectories x:\*.* Sample : You have worked with a standalone server named SERVER in a workgroup environment. You want to move this server (including users) to a domain DOM. 1. Move SERVER to the domain DOM 2. Create the users in the DOM domain 3. SubInAcl /noverbose /subdirectories \\server\share /changedomain=SERVER=DOM See /changedomain /migratedomain /replace actionsEDITING_FEATURES----------------SubInAcl allows to modify each part of a a security descriptor :- owner see /owner=SID or /setowner=SID- primary group see /setprimarygroup=GroupSID- system ACL (SubInAcl name = Audit ACL) with Access Control Entries (SubInAcl name= AAce = Audit ACE) see /audit /aace=xxx- discretionnary ACL (SubInAcl name = Perm ACL ) with Access Control Entries (SubInAcl name= PAce = Perm ACE) see /perm /pace=xxx /revoke=SID /grant=SID=Access /deny=SID/SERVICE--------manipulate service- \\ServerName\Messenger- Messenger/KEYREG-------manipulate registry keys- HKEY_CURRENT_USER\Software- HKEY_CURRENT_USER\Software\*Version- \\Srv\HKEY_LOCAL_MACHINE\KeyPath/SUBKEYREG----------manipulate registry keys and subkeys- HKEY_CURRENT_USER\Software- HKEY_CURRENT_USER\Software\*Version- \\Srv\HKEY_LOCAL_MACHINE\KeyPath/FILE-----manipulate filesN.B: SubInAcl is not supported on DFS volumes- *.obj- c:\temp\*.obj- \\servername\share\*.exe/SUBDIRECTORIES---------------manipulate files in specified directory and all subdirectories- c:\temp\*.obj : work with all obj files- c:\temp\test : work with all test files under temp directory- c:\temp\test\*.* : work with all files uner temp\test/ONLYFILE---------open a file without using the FindFilexxx mechanism.Can be used to access named pipes or mailslot- \\.\pipe\pipename/SHARE------access a network file share.- \\server\share/CLUSTERSHARE-------------access a cluster file share resource.- \\clustername\FileShare_Resource_Name- \\clustername\s*/KERNELOBJECT-------------access a named kernel object.Can be used to view mutex, sections, events objects/METABASE ----------access to IIS metabase AdminACL metabase propertyNote that this property can only be used with these Metabase paths/LM/MSFTPSVC , /LM/MSFTPSVC/n , /LM/W3SVC , /LM/W3SVC/This object doesn't support enumeration. - SubInAcl /metabase \\ServerName\LM\W3SVC /grant=administrator=F/DISPLAY--------display the security descriptorThe /noverbose display can be used to reapply the security descriptor(see /playfile)/PLAYFILE PLAYFILE.TXT----------------------- You can reapply security settings saved with with the /noverbose /display option 1. save settings : SubInAcl /output=c:\subinaclsave.txt /noverbose /display 2. replay settings : SubInAcl /playfile c:\subinaclsave.txt- The playfile.txt can contain any valid options and can be used to batch SubInAcl commands playfile.txt : +subdirec *.txt /noverbose /grant=everyone=R +services RkillSrv /display/OUTPUT-------/output=filename.txtall outputs and errors will be send in the filename.txt/OWNER------will change the owner of the object/owner=SIDowner = DomainName\Administrators will retrieve the Administrators Sid onthe server where the object is (see Win32 SDK LookupAccountName function)./REPLACE--------/replace=DomainName\OldAccount=DomainName\New_Account replace all ACEs (Audit and Permissions) in the object Ex: /replace=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan will replace all ACEs containing DOM_MARKETING\ChairMan with NewChairMan SID retrieves from NEWDOM domain/CLEANDELETEDSIDSFROM---------------------/cleandeletedsidsfrom=DomainName delete all ACEs containing deleted (no valid) Sids from DomainName/CHANGEDOMAIN-------------/changedomain=OldDomainName=NewDomainName replace all ACEs with a Sid from OldDomainName with the equivalent Sid found in NewSamServer Ex: /changedomain=DOM_MARKETING=NEWDOMAIN replace all ACEs containing DOM_MARKETING\ChairMan SID with the ChairMan's SID retrieved on NEWDOMAIN computer The NEWDOMAIN must have a trusted relationship with the server containing the object/MIGRATETODOMAIN----------------/migratetodomain=FromDomainName=ToDomainName same behavior than /changedomain except that news ACEs will added instead of replacing Ex: /migratetodomain=DOM1=DOM2 each ace with DOM1\User will be duplicated with DOM2\User (If DOM2\User exists) If during the migration there was a serious oversight you can instruct the user to log back onto DOM1. N.B: Owner and Primary Group are migrated to DOM2/FINDSID--------/findsid=DomainName\Account[=stop] display the object name containing a reference to DomainName\Account in the security descriptor/SUPPRESSSID------------/suppresssid=DomainName\Account suppress all ACES containing the DomainName\Account SID. If the object's owner is DomainName\Account, the owner is set to Everyone's SID./PERM-----/perm suppress all existing permissions aces (PACEs)/AUDIT------/audit suppress all existing auditing aces (AACEs)/IFCHANGECONTINUE-----------------/ifchangecontinue continue to process the next actions only if some changes have been made in the previous actions/TESTMODE---------/testmode changes will not be applied to the object. This allows to test the modifications/ACCESSCHECK------------/accesscheck=Domain\Username display the access granted to the Domain\Username. The password will be asked. This option requires the SeTcbName privilege (Act as Part of the Operating System). This option cannot be used with remote object. Note : the access is checked with the NETWORK security identified granted to the Domain\UserName/SETPRIMARYGROUP----------------/setprimarygroup=[DomainName\]Group change the primary group/DENY-----/deny=[DomainName\]User[=Access]= add a denied Permission Ace for the specified User (or group) If Access is not specified, all accesses will be denied. File: F : Full Control C : Change R : Read P : Change Permissions O : Take Ownership X : eXecute E : Read eXecute W : Write D : Delete ClusterShare: F : Full Control R : Read C : Change Printer: F : Full Control M : Manage Documents P : Print KeyReg: F : Full Control R : Read A : ReAd Control Q : Query Value S : Set Value C : Create SubKey E : Enumerate Subkeys Y : NotifY L : Create Link D : Delete W : Write DAC O : Write Owner Service: F : Full Control R : Generic Read W : Generic Write X : Generic eXecute L : Read controL Q : Query Service Configuration S : Query Service Status E : Enumerate Dependent Services C : Service Change Configuration T : Start Service O : Stop Service P : Pause/Continue Service I : Interrogate Service U : Service User-Defined Control Commands Share: F : Full Control R : Read C : Change Metabase: F : Full Control R : Read - MD_ACR_READ W : Write - MD_ACR_WRITE I : Restricted Write - MD_ACR_RESTRICTED_WRITE U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ E : Enum keys- MD_ACR_ENUM_KEYS D : write Dac- MD_ACR_WRITE_DAC/REVOKE-------/revoke=[DomainName\]User suppress all Permission Ace(s) for the specified User (or group)/GRANT------/grant=[DomainName\]User[=Access] will add a Permission Ace for the user. if Access is not specified, the Full Control access will be granted. File: F : Full Control C : Change R : Read P : Change Permissions O : Take Ownership X : eXecute E : Read eXecute W : Write D : Delete ClusterShare: F : Full Control R : Read C : Change Printer: F : Full Control M : Manage Documents P : Print KeyReg: F : Full Control R : Read A : ReAd Control Q : Query Value S : Set Value C : Create SubKey E : Enumerate Subkeys Y : NotifY L : Create Link D : Delete W : Write DAC O : Write Owner Service: F : Full Control R : Generic Read W : Generic Write X : Generic eXecute L : Read controL Q : Query Service Configuration S : Query Service Status E : Enumerate Dependent Services C : Service Change Configuration T : Start Service O : Stop Service P : Pause/Continue Service I : Interrogate Service U : Service User-Defined Control Commands Share: F : Full Control R : Read C : Change Metabase: F : Full Control R : Read - MD_ACR_READ W : Write - MD_ACR_WRITE I : Restricted Write - MD_ACR_RESTRICTED_WRITE U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ E : Enum keys- MD_ACR_ENUM_KEYS D : write Dac- MD_ACR_WRITE_DAC Link to comment Share on other sites More sharing options...
prey Posted August 25, 2005 Author Share Posted August 25, 2005 Looks nice indeed! But in this particular case I needed and out-of-the-box solution.But I will keep this tool in mind for its many other uses.Kind Regards.Martin Andersen Link to comment Share on other sites More sharing options...
Martin Zugec Posted August 25, 2005 Share Posted August 25, 2005 You can of course use my technique (store command on DC and call them from clients). Yep, it is really great tool, however quite hard for normal administrators...I discovered it when I needed to grant permission for one user to restart one specified service (of course without giving him server admin permissions) Link to comment Share on other sites More sharing options...
Shamwari Posted August 25, 2005 Share Posted August 25, 2005 Thanks for the information about this tool Martin Zugec- it is the first time I have heard of it- just wish I had known about this before! Link to comment Share on other sites More sharing options...
Martin Zugec Posted August 25, 2005 Share Posted August 25, 2005 We all are learning all the time I was glad I could help Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now