Hi guys, it's my first post on here and I am new to Kixtart.
I need to change permissions on my W2K and XP machines registries.
My users run a kix script at log on and I would like to use this to make the changes, as I do not want to walk round and fix over 200 machines manually!!
I just want to allow "Everyone" full control to HKLM
#152618 - 2005-12-0112:19 PMRe: Modify Registry Permission with login script
MartMart KiX Supporter
Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Quote:
.... I just want to allow "Everyone" full control to HKLM ....
Are you sure? Securety risks just around the corner.
Logon script run under the users privileges that is loggin on. So unless you do some kind of runas this is never going to work. Do you have AD? If so a startup script and regini could do this.
.... I just want to allow "Everyone" full control to HKLM ....
Are you sure? Securety risks just around the corner.
Logon script run under the users privileges that is loggin on. So unless you do some kind of runas this is never going to work. Do you have AD? If so a startup script and regini could do this.
They way things are set up here all users have local admin privileges on their machines.
We do have AD but only limited access to it as we are a small office in a single global domain.
#152620 - 2005-12-0112:33 PMRe: Modify Registry Permission with login script
MartMart KiX Supporter
Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Well if all users are local admin then there is no need to set these users to have full access on HKLM cause they already have this cause they are local admin afaik.
[edit] PS: A scheduled task could also do this. Have a look in the UDF forum for the taskscheduler UDF. [/edit]
The thing is for some reason or another the registry permissions are up the wall.
The reason for all this is SMSM 2003 will not install to selected machines, when I have changed the reg permissions to Full Control it works no problem.
Even when I try to connect remotely to a mchines regisrty as a Dom Admin it will not let me set permission on HKLM and gives me errors while trying to open the reg keys.
#152623 - 2005-12-0107:26 PMRe: Modify Registry Permission with login script
NTDOCNTDOC Administrator
Registered: 2000-07-28
Posts: 11631
Loc: CA
100% agree with Mart and Richard.
Fix your Admin issues. If the permissions were totally screwed up by someone that did not know what they were doing (not pointing fingers, but if you move forward with setting ALL USERS FULL CONTROL then you will be placed into that category of being an Incompetent Administrator) they can be repaired by an Admin by running the correct procedures to restore the system rights.
If as you say all your users are local admins then they should be able to do anything to their system. There are some minor things they can't do by default, but even those things can be altered by an Admin to be allowed - these things are stuff that relate to the SYSTEM account and typically are not needed by the Admin account.
#152625 - 2005-12-0110:05 PMRe: Modify Registry Permission with login script
Chris S.Chris S.
MM club member
Registered: 2002-03-18
Posts: 2368
Loc: Earth
Quote: The reason for all this is SMSM 2003 will not install to selected machines, when I have changed the reg permissions to Full Control it works no problem.
Even when I try to connect remotely to a mchines regisrty as a Dom Admin it will not let me set permission on HKLM and gives me errors while trying to open the reg keys.
If you are performing a Client Push installation you should configure the account used for the client push to be a domain user account that has local admin rights on the workstation. Also, File and Print sharing needs to be enabled on the client computer for a Client Push installation.
If you are performing a "logon script-initiated" installation, if the user has administrative rights the install will install the client from the CAP or Management Point directly. If the user does not have administrative rights, a CCR will be created and SMS will attempt to install the client.
Some gotchas may be an improperly configured SLP or CAP/MP, if the PC is not joined to the domain (i.e. workgroup or stand-alone), or other issues. In general, I'd have to agree with the others; fix the issue, but don't open a huge security hole. That is like using a sledgehammer on a finish nail.
Are you sure? Securety risks just around the corner.
