Software Deployment

I agree with you on the "Regini" subject - I'm not fond of this tool either.

SetACL is a very good tool which is relatively easy to use - I'd consider making "SetACL.ocx" part of any desktop SOE build. Alternatively, I might make a "SetACL.msm" merge-module and include it in any packages where registry permissions need to be modified - then I could use a VBScript CA.

As a VBScript fan, I guess my favorite method might be WMI - although the script isn't the easiest to write.

Could you post an example of the VBScript that would call SetACL.ocx to set permissions? I need to brush up on VB CA's and this is something I could definitely use.

Hi VikingLoki.

Here's a script from my archives - I don' remember if I wrote it myself or if just adapted someone else's code? You may have to play around with it a bit to get it how you want it. The indentation will have to be restored, because it's always lost when I post a script.


Dim oACLTool

Const SE_FILE_OBJECT = 1
Const SE_REGISTRY_KEY = 4

Const ACTN_ADDACE = 1

Const INHPARNOCHANGE = 0

Const GRANT_ACCESS = 1

Const ACL_DACL = 1

'examples

Msgbox AddFileorFolderACE("C:\Test.txt", "user", "full")
Msgbox AddFileorFolderACE("C:\Test", "User", "change")
Msgbox AddRegistryACE("hklm\software\AAAAAAAAAAAAAA\", "user", "full")


Function AddFileorFolderACE(sFilePath, sUser, sPerm)
On Error Resume Next

Dim iError

AddFileorFolderACE = True

Set oACLTool = CreateObject("SETACL.SetACLCtrl.1")

iError = oACLTool.SetObject(sFilePath, SE_FILE_OBJECT)
If iError <> 0 Then AddFileorFolderACE = False

iError = oACLTool.SetAction(ACTN_ADDACE)
If iError <> 0 Then AddFileorFolderACE = False

iError = oACLTool.AddACE(sUser, False, sPerm, INHPARNOCHANGE, False, GRANT_ACCESS, ACL_DACL)
If iError <> 0 Then AddFileorFolderACE = False

iError = oACLTool.Run
If iError <> 0 Then AddFileorFolderACE = False

Set oACLTool = Nothing

End Function


Function AddRegistryACE(sRegKey, sUser, sPerm)
On Error Resume Next

Dim iError

AddRegistryACE = True

Set oACLTool = CreateObject("SETACL.SetACLCtrl.1")

iError = oACLTool.SetObject(sRegKey, SE_REGISTRY_KEY)
If iError <> 0 Then AddRegistryACE = False

iError = oACLTool.SetAction(ACTN_ADDACE)
If iError <> 0 Then AddRegistryACE = False

iError = oACLTool.AddACE(sUser, False, sPerm, INHPARNOCHANGE, False, GRANT_ACCESS, ACL_DACL)
If iError <> 0 Then AddRegistryACE = False

iError = oACLTool.Run
If iError <> 0 Then AddRegistryACE = False

Set oACLTool = Nothing

End Function

For those who don't know this tool see the following link:

http://setacl.sourceforge.net

Obviously, the OCX has to be registered before this will do anything!

There may even be some better examples on Helge Kleins website - I haven't checked?

Something we do at my company is we create a security template inf file and a CA for secedit on Windows 2000 and XP.

Run the MMC snap in and open the Security Templates. Create a Security template that fits your needs for either file folder and\or registry permissions. Then save the template.

Add the inf file to your install by either copying it to the [WindowsFolder]Security\Templates or add it to the iniFile table (InstallShield allows an easy import).

Add entries to the Directory table to the folder [WindowsFolder]Security\Templates and [WindowsFolder]Security\Database.

Add the Custom Action to call the inf using secedit
Type:
3170

Source:
SystemFolder

Target:
secedit /configure /DB "[SecDBFolder]application.sdb" /CFG "[SecTemplates][PKGID].inf" /verbose /log "[WindowsFolder]Log\[PKGID]-secedit.log"

This works out pretty good for me, but I have not used the SetACL.ocx so I do not have a good basis for comparison.

....or use this script embedded in a custom action with your Security Template.
The template should be added to the package.

This works great since it's fast and totally silent (no DOS boxes flying around)
==================================================

'Secedit script v1.1
'Purpose 1. Hidden execution of the secedit command.
' 2. Secedit will only run once per machine
' 3. Secedit will only run if the user has execution rights

Set ws = CreateObject("Wscript.Shell")
Set fs = CreateObject("Scripting.FilesystemObject")

Dim Regpath, Infname, Regtype, Security, sdbpath, cfgfile, ret

Infname = "Business-Objects-SA-Business-Objects-5.1.inf" 'Variable per MSI-package

Regpath = "HKLM\SOFTWARE\INFSTATE\"
Regtype = "REG_EXPAND_SZ"
Security ="Secedit /configure"
cfgloc = "\security\templates\"
wssys = ws.ExpandEnvironmentStrings("%Systemroot%")
set syspath = fs.GetFolder(wssys)
sdbpad = " /db " & syspath &"\security\Database\applics.sdb"
cfgfile = " /cfg " & syspath & cfgloc
ret = 1

On error resume next
Err.Clear
If Readfile("\security\Database\secedit.sdb") then
If not Readkey() then
if Readfile(cfgloc & infname) then
ret=ws.Run(Security & sdbpad & cfgfile & Infname & " /quiet",0,"true")
if Err.number <> 0 then
ws.Logevent 1, "Secedit execution of " & Infname & " Failed with errorcode: " & _
Err.number & " Description: " & Err.Description
Else
Writekey()
end if
Else
ws.Logevent 1, syspath & cfgloc & infname & _
" couldn't be found on the specified location during execution of secedit."
end if
Err.Clear
End if
End if

Function Readfile(filetochk)
Dim pathfile
pathfile = syspath & filetochk
Readfile = (fs.FileExists(pathfile))
End Function

Function ReadKey()
on error resume next
u="jgv"
u=ws.RegRead(Regpath & Infname)
If u = "Done" then
ReadKey = True
Else
ReadKey = False
Err.Clear
End if
End Function

Function WriteKey()
on error resume next
o=ws.RegWrite(Regpath & Infname, "Done", Regtype)
End Function

Sorry, but I really don't understand what you are talking about.
Permissions in regsitry ?
Someone could explain it briefly ?

Thanks.

The exact same as permission with files but setting permission for regkeys.
Grap your regedit, select a key and then click Permissions in the Edit menu.

Was that briefly? ;)

Was that briefly? ;)
yes, but I don't have any "Permission" option in the Edit Menu...[:(]

What OS are you using?

EDIT : Win 2000
http://img296.imageshack.us/my.php?image=registry9kk.gif

I tried under XP Pro, and... I found it :-)

So, guess that there are no permissions in 2000 ?

hmm ehhhh, bummer? ;)
regedit must be corrupted or something, never seen that one before.

bummer

Sorry but I don't speak english very well, what do you mean by "bummer" ? disappointed ?

Thank you to increase my english skills :-)

lets translate that to "tough luck" [;)]

Your regedit picture looks more like regedit in windows 2000 as that version does not have the Permissions option either.

Babric,

There are registry permissions in Windows 2000, to view them you have to run regedt32.exe

Rgds

Paul

lets translate that to "tough luck"

Thanks :-)


There are registry permissions in Windows 2000, to view them you have to run regedt32.exe

Thanks too :-)