hi, i need to give the user emea\testuser full rights to the following registry hive HKLM\Software\Test.
can i do this with xcacls? i cant seem to find any examples of how to use it with registry folders?
if someone can post a command line for xcacls setting permissions on a registry hive i would be greatful!
thx
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

0
Tricky, principally because XCACLS can't set registry permissions. Use SetACL instead:

SetACL -on "HKLM\SOFTWARE\SomeKeyOrOther" -ot reg -actn ace -ace "n:[Domain\GroupName];p:full"

For file permissioning:

SetACL -on "x:\SomePath_Or_File" -ot file -actn ace -ace "n:[GroupName];p:change"

http://setacl.sourceforge.net/index.html

Add SetACL.EXE (a free download) as a binary and you won't have to worry about installing it.
Answered 11/19/2007 by: VBScab
Red Belt

Please log in to comment
0
You can set registry permissions using subinacl. Its just a standalone exe as well! Here is example syntax for it's use:

subinacl /keyreg HKEY_LOCAL_MACHINE\Software\test /grant=emea\testuser
Answered 11/19/2007 by: James
Senior Yellow Belt

Please log in to comment
0
subinacl /keyreg HKEY_LOCAL_MACHINE\Software\test /grant=emea\testuser

subinacl /keyreg HKEY_LOCAL_MACHINE\Software\test /grant=emea\testuser=f

You missed off the actual right that's to be granted.
Answered 11/19/2007 by: VBScab
Red Belt

Please log in to comment
0
So how would I add the following to my MSI using Orca?

setacl.exe -on "HKLM\SOFTWARE\Daktronics" -ot reg -actn ace -ace "n:users;p:full"

What would I put in the action, type, source, and target fields?
Answered 11/21/2007 by: joedown
Second Degree Brown Belt

Please log in to comment
0
Hi Joe,
here is an example for making a custom action with 'setacl.ocx':
http://www.adminscripteditor.com/scriptlibrary/view.asp?id=523
Although, it shows file permissions, the CA stuff will be much the same for registry permission.
Hope this gives you some ideas.
Regards, Nick
Answered 11/22/2007 by: nheim
Tenth Degree Black Belt

Please log in to comment
0
I'll check that out. Is it easier to use an .ocx or a .exe to do this? I'm familiar with setacl.exe but not setacl.ocx although I assume they do the same thing.
Answered 11/28/2007 by: joedown
Second Degree Brown Belt

Please log in to comment
0
I usually use SECEDIT for registry perms. I add the security template and secedit.sdb to my MSI and create a custom action to pass the command just before 'INSTALLFINALIZE' sequence. Making the security templatye is easy, just do it on any system that has the entry you want to modify and presto! Copy the files from C:\windows\security\templates and C:\windows\security\database respectively. It works really well for the file system as well.
Answered 11/29/2007 by: Coriolus
Orange Belt

Please log in to comment
Answer this question or Comment on this question for clarity