/bundles/itninjaweb/img/Breadcrumb_cap_w.png
What's the best way setting permissions in registry using Wise Package Studio 5.x ... most effectively and convenient (regarding repair) ... i dont like regini having to copy an .exe and .ini to client .. SetACL is more my way to go ... what is yours?

Bart [8|]
0 Comments   [ - ] Hide Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
Answer this question or Comment on this question for clarity

Answers

0
I agree with you on the "Regini" subject - I'm not fond of this tool either.

SetACL is a very good tool which is relatively easy to use - I'd consider making "SetACL.ocx" part of any desktop SOE build. Alternatively, I might make a "SetACL.msm" merge-module and include it in any packages where registry permissions need to be modified - then I could use a VBScript CA.

As a VBScript fan, I guess my favorite method might be WMI - although the script isn't the easiest to write.
Answered 06/01/2005 by: WiseUser
Fourth Degree Brown Belt

Please log in to comment
0
Could you post an example of the VBScript that would call SetACL.ocx to set permissions? I need to brush up on VB CA's and this is something I could definitely use.
Answered 06/01/2005 by: VikingLoki
Second Degree Brown Belt

Please log in to comment
0
Hi VikingLoki.

Here's a script from my archives - I don' remember if I wrote it myself or if just adapted someone else's code? You may have to play around with it a bit to get it how you want it. The indentation will have to be restored, because it's always lost when I post a script.


Dim oACLTool

Const SE_FILE_OBJECT = 1
Const SE_REGISTRY_KEY = 4

Const ACTN_ADDACE = 1

Const INHPARNOCHANGE = 0

Const GRANT_ACCESS = 1

Const ACL_DACL = 1

'examples

Msgbox AddFileorFolderACE("C:\Test.txt", "user", "full")
Msgbox AddFileorFolderACE("C:\Test", "User", "change")
Msgbox AddRegistryACE("hklm\software\AAAAAAAAAAAAAA\", "user", "full")


Function AddFileorFolderACE(sFilePath, sUser, sPerm)
On Error Resume Next

Dim iError

AddFileorFolderACE = True

Set oACLTool = CreateObject("SETACL.SetACLCtrl.1")

iError = oACLTool.SetObject(sFilePath, SE_FILE_OBJECT)
If iError <> 0 Then AddFileorFolderACE = False

iError = oACLTool.SetAction(ACTN_ADDACE)
If iError <> 0 Then AddFileorFolderACE = False

iError = oACLTool.AddACE(sUser, False, sPerm, INHPARNOCHANGE, False, GRANT_ACCESS, ACL_DACL)
If iError <> 0 Then AddFileorFolderACE = False

iError = oACLTool.Run
If iError <> 0 Then AddFileorFolderACE = False

Set oACLTool = Nothing

End Function


Function AddRegistryACE(sRegKey, sUser, sPerm)
On Error Resume Next

Dim iError

AddRegistryACE = True

Set oACLTool = CreateObject("SETACL.SetACLCtrl.1")

iError = oACLTool.SetObject(sRegKey, SE_REGISTRY_KEY)
If iError <> 0 Then AddRegistryACE = False

iError = oACLTool.SetAction(ACTN_ADDACE)
If iError <> 0 Then AddRegistryACE = False

iError = oACLTool.AddACE(sUser, False, sPerm, INHPARNOCHANGE, False, GRANT_ACCESS, ACL_DACL)
If iError <> 0 Then AddRegistryACE = False

iError = oACLTool.Run
If iError <> 0 Then AddRegistryACE = False

Set oACLTool = Nothing

End Function

For those who don't know this tool see the following link:

http://setacl.sourceforge.net

Obviously, the OCX has to be registered before this will do anything!

There may even be some better examples on Helge Kleins website - I haven't checked?
Answered 06/01/2005 by: WiseUser
Fourth Degree Brown Belt

Please log in to comment
0
Something we do at my company is we create a security template inf file and a CA for secedit on Windows 2000 and XP.

Run the MMC snap in and open the Security Templates. Create a Security template that fits your needs for either file folder and\or registry permissions. Then save the template.

Add the inf file to your install by either copying it to the [WindowsFolder]Security\Templates or add it to the iniFile table (InstallShield allows an easy import).

Add entries to the Directory table to the folder [WindowsFolder]Security\Templates and [WindowsFolder]Security\Database.

Add the Custom Action to call the inf using secedit
Type:
3170

Source:
SystemFolder

Target:
secedit /configure /DB "[SecDBFolder]application.sdb" /CFG "[SecTemplates][PKGID].inf" /verbose /log "[WindowsFolder]Log\[PKGID]-secedit.log"

This works out pretty good for me, but I have not used the SetACL.ocx so I do not have a good basis for comparison.
Answered 06/03/2005 by: TomB
Orange Belt

Please log in to comment
0
....or use this script embedded in a custom action with your Security Template.
The template should be added to the package.

This works great since it's fast and totally silent (no DOS boxes flying around)
==================================================

'Secedit script v1.1
'Purpose 1. Hidden execution of the secedit command.
' 2. Secedit will only run once per machine
' 3. Secedit will only run if the user has execution rights

Set ws = CreateObject("Wscript.Shell")
Set fs = CreateObject("Scripting.FilesystemObject")

Dim Regpath, Infname, Regtype, Security, sdbpath, cfgfile, ret

Infname = "Business-Objects-SA-Business-Objects-5.1.inf" 'Variable per MSI-package

Regpath = "HKLM\SOFTWARE\INFSTATE\"
Regtype = "REG_EXPAND_SZ"
Security ="Secedit /configure"
cfgloc = "\security\templates\"
wssys = ws.ExpandEnvironmentStrings("%Systemroot%")
set syspath = fs.GetFolder(wssys)
sdbpad = " /db " & syspath &"\security\Database\applics.sdb"
cfgfile = " /cfg " & syspath & cfgloc
ret = 1

On error resume next
Err.Clear
If Readfile("\security\Database\secedit.sdb") then
If not Readkey() then
if Readfile(cfgloc & infname) then
ret=ws.Run(Security & sdbpad & cfgfile & Infname & " /quiet",0,"true")
if Err.number <> 0 then
ws.Logevent 1, "Secedit execution of " & Infname & " Failed with errorcode: " & _
Err.number & " Description: " & Err.Description
Else
Writekey()
end if
Else
ws.Logevent 1, syspath & cfgloc & infname & _
" couldn't be found on the specified location during execution of secedit."
end if
Err.Clear
End if
End if

Function Readfile(filetochk)
Dim pathfile
pathfile = syspath & filetochk
Readfile = (fs.FileExists(pathfile))
End Function

Function ReadKey()
on error resume next
u="jgv"
u=ws.RegRead(Regpath & Infname)
If u = "Done" then
ReadKey = True
Else
ReadKey = False
Err.Clear
End if
End Function

Function WriteKey()
on error resume next
o=ws.RegWrite(Regpath & Infname, "Done", Regtype)
End Function
Answered 08/05/2005 by: ZhuBaJie
Orange Belt

Please log in to comment
0
Sorry, but I really don't understand what you are talking about.
Permissions in regsitry ?
Someone could explain it briefly ?

Thanks.
Answered 08/05/2005 by: babric
Senior Purple Belt

Please log in to comment
0
The exact same as permission with files but setting permission for regkeys.
Grap your regedit, select a key and then click Permissions in the Edit menu.

Was that briefly? ;)
Answered 08/05/2005 by: AngelD
Red Belt

Please log in to comment
0
Was that briefly? ;)
yes, but I don't have any "Permission" option in the Edit Menu...[:(]
Answered 08/05/2005 by: babric
Senior Purple Belt

Please log in to comment
0
What OS are you using?
Answered 08/05/2005 by: WiseUser
Fourth Degree Brown Belt

Please log in to comment
0
EDIT : Win 2000
http://img296.imageshack.us/my.php?image=registry9kk.gif

I tried under XP Pro, and... I found it :-)

So, guess that there are no permissions in 2000 ?
Answered 08/05/2005 by: babric
Senior Purple Belt

Please log in to comment
0
hmm ehhhh, bummer? ;)
regedit must be corrupted or something, never seen that one before.
Answered 08/05/2005 by: AngelD
Red Belt

Please log in to comment
0
bummer

Sorry but I don't speak english very well, what do you mean by "bummer" ? disappointed ?

Thank you to increase my english skills :-)
Answered 08/05/2005 by: babric
Senior Purple Belt

Please log in to comment
0
lets translate that to "tough luck" [;)]

Your regedit picture looks more like regedit in windows 2000 as that version does not have the Permissions option either.
Answered 08/05/2005 by: AngelD
Red Belt

Please log in to comment
0
Babric,

There are registry permissions in Windows 2000, to view them you have to run regedt32.exe

Rgds

Paul
Answered 08/08/2005 by: plangton
Second Degree Blue Belt

Please log in to comment
0
lets translate that to "tough luck"

Thanks :-)


There are registry permissions in Windows 2000, to view them you have to run regedt32.exe


Thanks too :-)
Answered 08/09/2005 by: babric
Senior Purple Belt

Please log in to comment