
compatws.inf

Hello,

How do I apply "compatws.inf" (security template) during an unattended installation of Windows 2000?

thanks

Greb


Answers (11)

Posted by: cdupuis 19 years ago
Third Degree Green Belt
0
If you can figure out how to install it via Batch file then you are set. I believe you can use a command line based batch file to call secedit as seen below:

secedit /import

Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.

Syntax
secedit /import /db FileName.sdb /cfg FileName.inf [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]

Parameters
/db FileName.sdb
Specifies the database that the security template settings will be imported into.
/CFG FileName
Specifies a security template to import into the database. Security templates are created using the Security Templates snap-in.
/overwrite FileName
Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.
/areas Area1 Area2 ...
Specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space.

Area name        Description
SECURITYPOLICY   Includes account policies, audit policies, event log settings, and security options.
GROUP_MGMT       Includes Restricted Group settings
USER_RIGHTS      Includes User Rights Assignment
REGKEYS          Includes Registry Permissions
FILESTORE        Includes File System permissions
SERVICES         Includes System Service settings

/log FileName
Specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.
/quiet
Specifies that the configuration process should take place without prompting the user.
Examples
Following is an example of how you can use this command:

secedit /import /db hisecws.sdb /cfg hisecws.inf /overwrite

Once you can get the batch file working then you need to add some information to your unattend.sif file. Here are the following areas to modify:

[GuiUnattended]
AdminPassword=xxxxxxx (should be your local admin password)
Autologon=Yes
AutoLogonCount=1

What these settings do: 1. set the admin password on the machine; 2. specify that it will automatically log on as admin without prompting for credentials; 3. specify that the AutoLogon will only happen once.

Now you must also add the following information.

[GuiRunOnce]
{Path to batch file}

To get the batch file onto the local machine you must add the file into the folders where you keep the drivers, usually \$OEM$\$1\. Anything in this folder will be copied to the root of the c:\ so you will want to bury it at least one more folder deep. Then in the GuiRunOnce section you can call it as c:\{folder}\secedit.bat. At this point the file will exist locally so there should be no problem calling it. You will want to make sure that in your batch file you specify shutdown.exe -r to reboot the machine. If not then you will have a machine sitting logged in as administrator. Shutdown is in the res kit for win2k. I created a similar setup to manually change a registry setting upon reboot. Here is what my batch file looked like:

regedit.exe /s c:\drv\reg\ddhcpms.reg

c:\drv\reg\shutdown.exe /r

del /Q c:\drv\reg\*.*

I ran shutdown and it has a delay by default, so it leaves enough time to run the del command to clean up after. Good luck.
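The run-once batch file described in this answer, written out for the security template as an added example that is not part of the original post. It uses secedit /configure (the switch that applies a template to the machine), records the outcome, and reboots even when something fails. The c:\drv\sec folder and the log and status file names are assumptions.

```bat
@echo off
rem Added example, not from the original post. Called once from [GuiRunOnce].
rem Assumed (hypothetical) layout: $OEM$\$1\drv\sec\ holds this script,
rem compatws.inf and the Resource Kit shutdown.exe, so Setup copies them
rem to c:\drv\sec on the target machine.
setlocal
set SECDIR=%SystemDrive%\drv\sec
set TEMPLATE=%SECDIR%\compatws.inf
set DB=%SystemRoot%\security\database\compatws.sdb
set SCELOG=%SystemRoot%\security\logs\compatws.log
set STATUS=%SystemRoot%\security\logs\compatws-status.txt

rem Do not run secedit without a template; record why and go straight to reboot.
if not exist "%TEMPLATE%" (
    echo %DATE% %TIME% template missing: %TEMPLATE% > "%STATUS%"
    goto reboot
)

rem /configure applies the template to the machine. /overwrite empties the
rem database first and /quiet suppresses the confirmation prompt.
"%SystemRoot%\system32\secedit.exe" /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%SCELOG%" /quiet

rem Treat any non-zero exit code as something to review in the secedit log.
if errorlevel 1 (
    echo %DATE% %TIME% secedit returned a non-zero exit code, see %SCELOG% > "%STATUS%"
) else (
    echo %DATE% %TIME% template applied > "%STATUS%"
)

:reboot
rem Reboot in every case so the machine is never left logged on as
rem Administrator. shutdown.exe is the Resource Kit tool, called as in the post.
"%SECDIR%\shutdown.exe" /r

rem Last line on purpose: remove the staged files (this script included)
rem during the shutdown delay.
del /Q "%SECDIR%\*.*"
```

After the reboot, the status file and the secedit log under %SystemRoot%\security\logs show whether the template was applied.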
Posted by: Grebouille 19 years ago
Senior Yellow Belt
0
Wonderful!
Thank you very much!

Exactly what I need.

How can I modify/create 'compatws.inf' or other policies?
Posted by: cdupuis 19 years ago
Third Degree Green Belt
0
Once you have the machine configured the way you want, you can use the secedit command again and export the inf. See below:

Allows you to export the security settings stored in the database.

Syntax
secedit /export [/DB FileName] [/mergedpolicy] [/CFG FileName] [/areas Area1 Area2 ...] [/log FileName] [/quiet]

Parameters
/db FileName
Specifies the database used to configure security.
/mergedpolicy
Merges and exports domain and local policy security settings.
/CFG FileName
Specifies the template the settings will be exported to.
/areas Area1 Area2 ...
Specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space.

Area name        Description
SECURITYPOLICY   Includes account policies, audit policies, event log settings, and security options.
GROUP_MGMT       Includes Restricted Group settings
USER_RIGHTS      Includes User Rights Assignment
REGKEYS          Includes Registry Permissions
FILESTORE        Includes File System permissions
SERVICES         Includes System Service settings

/log FileName
Specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.
/quiet
Specifies that the configuration process should take place without prompting the user.
Examples
Following is an example of how you can use this command:

secedit /export /db hisecws.inf /log hisecws.log

Good Luck.
Posted by: Grebouille 19 years ago
Senior Yellow Belt
0
Thank you cdupuis!

Greb
Posted by: cdupuis 19 years ago
Third Degree Green Belt
0
Did everything work as specified? If not, let me know so I can edit the post. This is very useful info and might help more people in the future.
Posted by: MSIMaker 19 years ago
2nd Degree Black Belt
0
Nice one cdupuis.....I hope Bob can move this to the tips section so everyone can get to it easily.
Posted by: Grebouille 19 years ago
Senior Yellow Belt
0
I use exactly this line in a batch file:

%SystemRoot%\system32\secedit.exe /configure /db %systemroot%\security\Database\compatws.sdb /cfg %Systemdrive%\temp\compatws.inf

with the file 'compatws.inf' in my c:\windows\temp\ directory.

It results in a new file: %systemroot%\security\database\compatws.sdb

but this file doesn't seem to change anything in the local policies.
I'll make more tests ...

I hope to come back with more information.

Greb
Posted by: bkelly 19 years ago
Red Belt
0
Jim,

If I put it in "Tips" cdupuis wouldn't get proper credit! Care to paste it in there cdupuis? I guess I need to take another look at the tips area to see if I can make this easier.

Thanks,
Bob
Posted by: cdupuis 19 years ago
Third Degree Green Belt
0
secedit /import /db FileName.sdb /cfg FileName.inf

Greb

Try the above quoted Line instead.
Posted by: cdupuis 19 years ago
Third Degree Green Belt
0
Done.
Posted by: oofemioo 19 years ago
Blue Belt
0
I am packaging MSIs but I need to set permissions for users in the hive HKLM\Software\Classes and I've come to the conclusion that the only solution to get this done is using Secedit.

Does anyone know how I can go about this? I've read so many solutions that I am as confused as when I started.

Can I use any security template?