
Secedit

I want to change registry permissions by calling secedit as a custom action and using a security template I have created. I can't work out secedit though. Is there any way to avoid the database step and fire it straight into the registry?

Or how do I use it?


Answers (11)

Posted by: brenthunter2005 19 years ago
Fifth Degree Brown Belt
2
[8D]

Hello Colin,

Once you have your SECEDIT .inf file, the following command should suffice:

secedit.exe /configure /db "C:\Windows\Security\Database\UNIQUE_REFERENCE.sdb" /cfg "SECEDIT_FILE.inf" /areas REGKEYS FILESTORE /quiet

where:

UNIQUE_REFERENCE = A unique file name referring to your SECEDIT_FILE name
SECEDIT_FILE = Your SECEDIT .inf file name


Example:
secedit.exe /configure /db "C:\Windows\Security\Database\AdobeAcrobat_700.sdb" /cfg "AdobeAcrobat_700.inf" /areas REGKEYS FILESTORE /quiet


[8D] Keep cool. [8D]
Posted by: MSIPackager 19 years ago
3rd Degree Black Belt
0
Hi Col,

I looked at using Secedit back along and the most useful info I found in my short time looking is here.

You can ignore the Prism specific stuff, the basics of using Secedit are there. I did get it working but it all seemed a bit heavy handed for my requirements so I just ended up using the lock permissions table [:D]

Anyway, hope it's of some use to you. I know other people on this forum use this Secedit every day so will probably be able to give you more specific help if you need it.

Regards,
Rob.
Posted by: Colin Parker 19 years ago
Senior Yellow Belt
0
Thanks for the reply boys.

Brent, what does it do with the database? I don't really get how that bit works. Does it just need somewhere to write the existing information to, or does it read from and compare? I'm concerned about the irrelevant settings being transferred to the new machine.

Thanks

Col
Posted by: brenthunter2005 19 years ago
Fifth Degree Brown Belt
0
[8D]

Running the secedit command in my previous post will create a new database (.sdb file) in that folder (C:\windows\security\database).

The only thing that should be in your .inf file are the objects/security info you actually want to apply.

Here is an example of a security template .inf file to set 'builtin users group' permissions on a registry key:


[Unicode]
Unicode=yes
[Registry Keys]
"MACHINE\SOFTWARE\MyApplication\Settings",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KA;;;BU)"
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=An example of permissioning a registry key with 'user' rights with inheritable settings enabled.



[8D] Cool? [8D]
Posted by: VikingLoki 19 years ago
Second Degree Brown Belt
0
In a nutshell, it's the process of adding a Local Security Policy to the machine via the command line. Same thing, no GUI.
Posted by: brenthunter2005 19 years ago
Fifth Degree Brown Belt
0
Yep, though Colin wanted a Custom Action to do it. (ie: no GUI.)
Posted by: Colin Parker 19 years ago
Senior Yellow Belt
0
But what does it put in the database?

I've got a nice simple inf file:

[Unicode]
Unicode=yes
[Registry Values]
[Registry Keys]
"CLASSES_ROOT\Software\RealNetworks",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KA;;;BU)"
[Version]
signature="$CHICAGO$"
Revision=1

Which tells it everything I want it to know - Change the permissions on that key, and that's it, don't touch anything else, hands off, leave it alone, it's nothing to do with you.

I'm just a bit scared of adding unnecessarys into the equation. Or is the database just a merge of what exists and what will exist with the inf file applied?

Thanks for taking the time.
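
Decoding what the SDDL string in the two templates above grants, as an added example that is not part of the original thread or any poster's code: it parses the `[Registry Keys]` section and reports allow ACEs that give a broad group write access to the key. The function names, the lookup tables and the "broad group" list are assumptions made for this illustration.

```python
import re

# Constructed input: the [Registry Keys] line is copied from the template in the thread.
SAMPLE_INF = r'''[Registry Keys]
"MACHINE\SOFTWARE\MyApplication\Settings",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KA;;;BU)"
[Version]
signature="$CHICAGO$"
'''

# Two-letter SDDL codes only; hex access masks and raw S-1-... SIDs are not decoded.
SIDS = {"BA": "Builtin Administrators", "CO": "Creator Owner", "SY": "Local System",
        "BU": "Builtin Users", "AU": "Authenticated Users", "WD": "Everyone"}
RIGHTS = {"KA": "KEY_ALL_ACCESS", "KR": "KEY_READ", "KW": "KEY_WRITE",
          "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE"}
BROAD = {"BU", "AU", "WD", "IU"}   # assumption: principals that include ordinary users
WRITE = {"KA", "KW", "GA", "GW"}   # rights that allow modifying the key

def registry_entries(inf_text):
    """Yield (key, mode, sddl) for each line of the [Registry Keys] section."""
    section = None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "registry keys" and line:
            m = re.fullmatch(r'"([^"]+)",(\d),"([^"]*)"', line)
            if m:
                yield m.groups()

def decode_dacl(sddl):
    """Return (dacl_flags, aces) for the D: part of an SDDL string."""
    m = re.search(r"D:((?:P|AR|AI)*)((?:\([^)]*\))*)", sddl)
    if not m:
        return [], []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, ace_flags, rights, _obj, _inh, sid = body.split(";")[:6]
        aces.append({"type": ace_type, "flags": re.findall("..", ace_flags),
                     "rights": re.findall("..", rights), "sid": sid})
    return re.findall(r"P|AR|AI", m.group(1)), aces

def audit(inf_text):
    """Return (key, principal, rights) for allow ACEs giving broad groups write access."""
    findings = []
    for key, _mode, sddl in registry_entries(inf_text):
        for ace in decode_dacl(sddl)[1]:
            if ace["type"] == "A" and ace["sid"] in BROAD and WRITE & set(ace["rights"]):
                findings.append((key, SIDS.get(ace["sid"], ace["sid"]),
                                 [RIGHTS.get(r, r) for r in ace["rights"]]))
    return findings
```

Run over the sample, `audit` reports the `BU` entry: the template gives Builtin Users `KEY_ALL_ACCESS`, inherited by subkeys (`CI`), on a protected DACL (`P`).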
Posted by: adaptability 19 years ago
Orange Senior Belt
0
Hi Guys,

I have used lock permissions table and secedit method. I prefer secedit method.
I have attached a small doc for reference.

In addition two VB scripts have to be included and it is called from the property. If you guys are interested I can give the VB scripts also.

I have learnt this from my client in NL.

Kind Regards,

Nagaraj
Posted by: adaptability 19 years ago
Orange Senior Belt
0
Hi

It looks like I do not have permission to attach some files.
Posted by: Lozza 19 years ago
Senior Yellow Belt
0
I have just used this method to create a custom action and it works nicely except that I cannot suppress the command box. The /quiet option just seems to suppress the info within the box but I still get a command box popping up - is that standard or am I doing something wrong?

My CA table has this entry

DB_UNSET_REGISTRY_PERMSSIONS,3234,SystemFolder, Secedit.exe /configure /db secedit.sdb /cfg [WindowsFolder]security\templates\winrar.inf /areas regkeys /quiet
Posted by: brenthunter2005 19 years ago
Fifth Degree Brown Belt
0
[8D]

You could try to run the secedit command using the 'start' command with the 'MIN' switch