Hi Gurus,
I need to give permission to couple of registry keys in locked down environment so as a normal user can use the application. Here I am trying to package Flash Player. Within MSI in permissions section its asking to me to enter my domain and user but I want to give for all user not just one.

Any ideas grately appreciated.

0 Comments   [ + ] Show Comments


Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.


In general, I'd suggest you avoid using the LockPermissions table, not least because it doesn't allow you to add permissions, meaning you have to remember to add 'Administrators', etc, etc, as well as the actual users you want. Instead, use a Custom Action to call any of the command-line permissioning tools. My preference is for SetACL because it can permission file and registry access using more or less identical syntax.
Answered 07/26/2007 by: VBScab
Red Belt

Please log in to comment
Hi VBScab,
Thanks for your suggestion. I am currently looking at SetACL tool but unable to figure out the correct syntax for permissioning the registry Ex: CLASSES_ROOT\CLSID\

If possible can you please give me the right syntax or point me towards more meaningful explanation website.

Thanks a zillion.
Answered 07/26/2007 by: dola
Yellow Belt

Please log in to comment
you can use setacl like this, just make sure you copy the setacl.exe file to the folder you are running from.


dim source
source = whatever your source is

oShell.Run (Source & "SetAcl " & """MACHINE\Software\whatever""" & " /Registry /grant users /full", 0, True)
Answered 07/26/2007 by: linstead
Blue Belt

Please log in to comment
careful, i've seen machines freeze up when you do that with XP. I try to narrow it down to at least the subkey needed, not give full perms to the entire hive.
Answered 07/26/2007 by: aogilmor
Ninth Degree Black Belt

Please log in to comment
you can also use the following tools i like subinacl of the group as it can permission almost anything ie files reg shares etc etc


you can create sdb files to be deployed via gpo but these are limited to a single domain so can be problematic from other domains

note there is also some considerable changes to permissions with Vista for more details.

Answered 07/26/2007 by: jmcfadyen
Fifth Degree Black Belt

Please log in to comment
Answer this question or Comment on this question for clarity