What's the best way setting permissions in registry using Wise Package Studio 5.x ... most effectively and convenient (regarding repair) ... i dont like regini having to copy an .exe and .ini to client .. SetACL is more my way to go ... what is yours?

Bart [8|]
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

0
I agree with you on the "Regini" subject - I'm not fond of this tool either.

SetACL is a very good tool which is relatively easy to use - I'd consider making "SetACL.ocx" part of any desktop SOE build. Alternatively, I might make a "SetACL.msm" merge-module and include it in any packages where registry permissions need to be modified - then I could use a VBScript CA.

As a VBScript fan, I guess my favorite method might be WMI - although the script isn't the easiest to write.
Answered 06/01/2005 by: WiseUser
Fourth Degree Brown Belt

Please log in to comment
0
Could you post an example of the VBScript that would call SetACL.ocx to set permissions? I need to brush up on VB CA's and this is something I could definitely use.
Answered 06/01/2005 by: VikingLoki
Second Degree Brown Belt

Please log in to comment
0
Hi VikingLoki.

Here's a script from my archives - I don' remember if I wrote it myself or if just adapted someone else's code? You may have to play around with it a bit to get it how you want it. The indentation will have to be restored, because it's always lost when I post a script.


Dim oACLTool

Const SE_FILE_OBJECT = 1
Const SE_REGISTRY_KEY = 4

Const ACTN_ADDACE = 1

Const INHPARNOCHANGE = 0

Const GRANT_ACCESS = 1

Const ACL_DACL = 1

'examples

Msgbox AddFileorFolderACE("C:\Test.txt", "user", "full")
Msgbox AddFileorFolderACE("C:\Test", "User", "change")
Msgbox AddRegistryACE("hklm\software\AAAAAAAAAAAAAA\", "user", "full")


Function AddFileorFolderACE(sFilePath, sUser, sPerm)
On Error Resume Next

Dim iError

AddFileorFolderACE = True

Set oACLTool = CreateObject("SETACL.SetACLCtrl.1")

iError = oACLTool.SetObject(sFilePath, SE_FILE_OBJECT)
If iError <> 0 Then AddFileorFolderACE = False

iError = oACLTool.SetAction(ACTN_ADDACE)
If iError <> 0 Then AddFileorFolderACE = False

iError = oACLTool.AddACE(sUser, False, sPerm, INHPARNOCHANGE, False, GRANT_ACCESS, ACL_DACL)
If iError <> 0 Then AddFileorFolderACE = False

iError = oACLTool.Run
If iError <> 0 Then AddFileorFolderACE = False

Set oACLTool = Nothing

End Function


Function AddRegistryACE(sRegKey, sUser, sPerm)
On Error Resume Next

Dim iError

AddRegistryACE = True

Set oACLTool = CreateObject("SETACL.SetACLCtrl.1")

iError = oACLTool.SetObject(sRegKey, SE_REGISTRY_KEY)
If iError <> 0 Then AddRegistryACE = False

iError = oACLTool.SetAction(ACTN_ADDACE)
If iError <> 0 Then AddRegistryACE = False

iError = oACLTool.AddACE(sUser, False, sPerm, INHPARNOCHANGE, False, GRANT_ACCESS, ACL_DACL)
If iError <> 0 Then AddRegistryACE = False

iError = oACLTool.Run
If iError <> 0 Then AddRegistryACE = False

Set oACLTool = Nothing

End Function

For those who don't know this tool see the following link:

http://setacl.sourceforge.net

Obviously, the OCX has to be registered before this will do anything!

There may even be some better examples on Helge Kleins website - I haven't checked?
Answered 06/01/2005 by: WiseUser
Fourth Degree Brown Belt

Please log in to comment
0
Something we do at my company is we create a security template inf file and a CA for secedit on Windows 2000 and XP.

Run the MMC snap in and open the Security Templates. Create a Security template that fits your needs for either file folder and\or registry permissions. Then save the template.

Add the inf file to your install by either copying it to the [WindowsFolder]Security\Templates or add it to the iniFile table (InstallShield allows an easy import).

Add entries to the Directory table to the folder [WindowsFolder]Security\Templates and [WindowsFolder]Security\Database.

Add the Custom Action to call the inf using secedit
Type:
3170

Source:
SystemFolder

Target:
secedit /configure /DB "[SecDBFolder]application.sdb" /CFG "[SecTemplates][PKGID].inf" /verbose /log "[WindowsFolder]Log\[PKGID]-secedit.log"

This works out pretty good for me, but I have not used the SetACL.ocx so I do not have a good basis for comparison.
Answered 06/03/2005 by: TomB
Orange Belt

Please log in to comment
0
....or use this script embedded in a custom action with your Security Template.
The template should be added to the package.

This works great since it's fast and totally silent (no DOS boxes flying around)
==================================================

'Secedit script v1.1
'Purpose 1. Hidden execution of the secedit command.
' 2. Secedit will only run once per machine
' 3. Secedit will only run if the user has execution rights

Set ws = CreateObject("Wscript.Shell")
Set fs = CreateObject("Scripting.FilesystemObject")

Dim Regpath, Infname, Regtype, Security, sdbpath, cfgfile, ret

Infname = "Business-Objects-SA-Business-Objects-5.1.inf" 'Variable per MSI-package

Regpath = "HKLM\SOFTWARE\INFSTATE\"
Regtype = "REG_EXPAND_SZ"
Security ="Secedit /configure"
cfgloc = "\security\templates\"
wssys = ws.ExpandEnvironmentStrings("%Systemroot%")
set syspath = fs.GetFolder(wssys)
sdbpad = " /db " & syspath &"\security\Database\applics.sdb"
cfgfile = " /cfg " & syspath & cfgloc
ret = 1

On error resume next
Err.Clear
If Readfile("\security\Database\secedit.sdb") then
If not Readkey() then
if Readfile(cfgloc & infname) then
ret=ws.Run(Security & sdbpad & cfgfile & Infname & " /quiet",0,"true")
if Err.number <> 0 then
ws.Logevent 1, "Secedit execution of " & Infname & " Failed with errorcode: " & _
Err.number & " Description: " & Err.Description
Else
Writekey()
end if
Else
ws.Logevent 1, syspath & cfgloc & infname & _
" couldn't be found on the specified location during execution of secedit."
end if
Err.Clear
End if
End if

Function Readfile(filetochk)
Dim pathfile
pathfile = syspath & filetochk
Readfile = (fs.FileExists(pathfile))
End Function

Function ReadKey()
on error resume next
u="jgv"
u=ws.RegRead(Regpath & Infname)
If u = "Done" then
ReadKey = True
Else
ReadKey = False
Err.Clear
End if
End Function

Function WriteKey()
on error resume next
o=ws.RegWrite(Regpath & Infname, "Done", Regtype)
End Function
Answered 08/05/2005 by: ZhuBaJie
Orange Belt

Please log in to comment
0
Sorry, but I really don't understand what you are talking about.
Permissions in regsitry ?
Someone could explain it briefly ?

Thanks.
Answered 08/05/2005 by: babric
Senior Purple Belt

Please log in to comment
0
The exact same as permission with files but setting permission for regkeys.
Grap your regedit, select a key and then click Permissions in the Edit menu.

Was that briefly? ;)
Answered 08/05/2005 by: AngelD
Red Belt

Please log in to comment
0
Was that briefly? ;)
yes, but I don't have any "Permission" option in the Edit Menu...[:(]
Answered 08/05/2005 by: babric
Senior Purple Belt

Please log in to comment
0
What OS are you using?
Answered 08/05/2005 by: WiseUser
Fourth Degree Brown Belt

Please log in to comment
0
EDIT : Win 2000
http://img296.imageshack.us/my.php?image=registry9kk.gif

I tried under XP Pro, and... I found it :-)

So, guess that there are no permissions in 2000 ?
Answered 08/05/2005 by: babric
Senior Purple Belt

Please log in to comment
0
hmm ehhhh, bummer? ;)
regedit must be corrupted or something, never seen that one before.
Answered 08/05/2005 by: AngelD
Red Belt

Please log in to comment
0
bummer

Sorry but I don't speak english very well, what do you mean by "bummer" ? disappointed ?

Thank you to increase my english skills :-)
Answered 08/05/2005 by: babric
Senior Purple Belt

Please log in to comment
0
lets translate that to "tough luck" [;)]

Your regedit picture looks more like regedit in windows 2000 as that version does not have the Permissions option either.
Answered 08/05/2005 by: AngelD
Red Belt

Please log in to comment
0
Babric,

There are registry permissions in Windows 2000, to view them you have to run regedt32.exe

Rgds

Paul
Answered 08/08/2005 by: plangton
Second Degree Blue Belt

Please log in to comment
0
lets translate that to "tough luck"

Thanks :-)


There are registry permissions in Windows 2000, to view them you have to run regedt32.exe


Thanks too :-)
Answered 08/09/2005 by: babric
Senior Purple Belt

Please log in to comment
Answer this question or Comment on this question for clarity