Supplement Two of the NT 4.0 Server Resource Kit contains
Regini which will allow you to set registry permissions in
the
HKEY_LOCAL_MACHINE and
HKEY_USERS hives.
Regini reads a script file, which for our purposes, contains a single record in the \Registry\Key \[ACL\] syntax:
\Registry - A constant.
Key:
\Machine = HKEY_LOCAL_MACHINE
\User = HKEY_USERS
\[ACL\] - The ACL is a list of numbers, separated by spaces, within square brackets. The numbers represent the following permissions:
1. Administrator Full 2. Administrator R 3. Administrator RW 4. Administrator RWD 5. Creator Full 6. Creator RW 7. World Full 8. World R 9. World RW 10. World RWD 11. Power Users Full 12. Power Users RW 13. Power Users RWD 14. System OpFull 15. System OpRW 16. System OpRWD 17. System Full 18. System RW 19. System R 20. Administrator RWXExamples:
\Registry\Machine\System\CurrentControlSet\ENUM \[1 8 17\] - will grant Administrator - Full Control, Everyone - Read, and System - Full Control.
\Registry\User\S-1-5-21-2053067395-480382929-641664369-1001\Software\Strange Software Thingy \[1 8 17\] - Same as above.
\Registry\Machine\System\CurrentControlSet\ENUM \[8 17\] - Will remove the Administrator group from the first example.
REG (from the Resource Kit Supplement, not the freeware at tip 170) has a Query option that will allow you to display keys and sub-keys. The JSIRegS.bat file will apply the specified ACL to the Key and its' sub-keys. The usage is:
JSIRegS ScriptFile1 \[ScriptFile2 ScriptFile3 . . . ScriptFileN\]
JSIRegS.bat contains:
@echo off
:check
PushD <Path to Resource Kit>
if exist %TEMP%\JSIRegS.log del /q %TEMP%\JSIRegS.log
if exist %TEMP%\JSIRegS.ini del /q %TEMP%\JSIRegS.ini
if /i "%1"
"" goto syntax
if exist %1 goto parse
:syntax
@echo INI file %1 not found or contains an invalid entry.
goto end
:hku
set reg=%reg:\Registry\User=HKU%
set reg=%reg:\registry\user=HKU%
if /i "%reg%"
"%savekey%" goto Ssyntax
goto key
:parse
for /f "Tokens=1-2* Delims=\[\]" %%i in (%1) do set reg=%%i!&set sec=%%j
set reg=%reg: !=%
set savekey=%reg%
set reg=%reg:\Registry\Machine=HKLM%
set reg=%reg:\registry\machine=HKLM%
if /i "%reg%"
"%savekey%" goto hku
:key
regini %1
set reg="%reg%"
reg query %reg% /s >> %TEMP%\JSIRegS.log
for /f "Tokens=*" %%i in ('findstr /b "\[" %TEMP%\JSIRegS.log') do call :mkini "%%i"
POPD
set reg=
set savekey=
set sec=
set sub=
if exist %TEMP%\JSIRegS.log del /q %TEMP%\JSIRegS.log
SHIFT
if "%1"
"" goto end
goto check
:mkini
set sub=%1
set sub=%sub:\[=%
set sub=%sub:\]=%
set sub=%sub:"=%
@echo %savekey%\%sub% \[%sec%\] > %TEMP%\JSIRegS.ini
regini %TEMP%\JSIRegS.ini
del %TEMP%\JSIRegS.ini
:end
