Database Search
TechHome
 |
- 1219 Error with AddDrive
- Account Expires after wntUserAddDat
- Add Domain Group to Local Administrator Remotely
- Add Everyone to Administrators Group
- Add Global Groups in Domain
- Adding Domain to Workstation
- Adding Users and Setting Flags
- Adds User Account to Local Administrator Group
- Allow Inheritable Permissions from Parent
- Builtin Group SID convert to Name
- Bypass NT Ctrl Alt Del to Logon
- Changing Computer Name and Machine Account
- Changing Domain Passwords Sample Code
- Check For Disabled Computer Account
- Check if You Have Local Admin Rights
- Checking an Accounts Password
- Checking for Old Users
- Convert SID to User ID
- Converting SID to Domain - Account Name
- Create Directories and Set NT Access Permissions
- Dealling With Inheritiable Permissions
- Decode Logon Hours
- Determine if Computer is in a Workgroup or Domain
- Determine if PC is Member of Domain
- Determine Inheritance
- Determining if Current User is Authenticated
- Disable Allow Inheritable Permissions
- Domain Trusts Explained
- Error 673 WntPrivAdd
- Error 684 using wntAccess functions
- Find Domain for a Computer
- Foreign Language support of the Win32 Network Extender
- Get a Users Primary Group
- Get Domain User Info
- Get Machine Administrator Userid
- Get SID from Username
- Get the Currently Logged on User in NT
- Get the SID of a Workstation
- Get User Name and wntUserProps
- How to determine if a file is in use on LAN
- How to disable Allow inheritable permissions
- How to Get the Local Adminstrator Account
- How WntServerList Determines a Server
- Inherit NTFS Persmissions
- Interpreting Access Rights
- Is Domain User a Local Admin
- Is User Logged into Domain or Local Account
- Is wntChgPswd Encrypted
- Issue with AccessMod on Remote Machine
- Keeping Track of Last User Login
- List only Windows 2000 Systems
- List Open Connections
- List Terminal Servers
- Listing Directory Shares with Permissions
- Losing Mapped Drive Connections in XP
- Matching SID to ProfileList folder
- NT Auditing
- NT Extender and NT4 No Service Packs
- NT Network Extender and UPN Account Names
- Obtain Share Permissions
- Obtain user sid
- Port Required for WntUserGetDat
- Problems caused by ADMT
- Pull Trusted Domain List
- Reboot user with no shutdown privileges
- Remotely Reboot and wntShutDown
- Remove Everyone Access from D
- Rename User in an AD Domain
- Reset Passwords in Active Directory
- Reset Permissions when Inheritable is Enabled
- Rights to use wntFileUsers
- Runwithlogon and Bad Username
- RunWithLogon Parameter Size
- RunWithLogon versus RunAsUser
- Searching NT Users and Find by Last Name
- Server Description Field
- Setting File Permissions with wntAccessAdd
- Setting NT Policies
- Setting Service Permissions
- Shutdown All NT Servers
- SID values - AD - round tripping and ADMT
- Synchronize password from NT Domain to Novell
- The NT extender functions in Active Directories
- Trouble determining admin rights
- Trusting Domain List
- Unlock Account with wntUserSetDat
- User Login and Log out Information
- User Profile Last Logon
- Win 2000 AutoAdminLogon
- wntAccess... and Specifying Remote Drives
- WntAccessAdd and Change Modify Registry
- wntAccessAdd and Inherited Rights
- WntAccessAdd and Inheritence
- wntAccessAdd and Invalid User - Group
- wntAccessAdd and NTFS
- WntAccessAdd error 546 Invalid file directory name
- wntAccessAdd Inheritable Permissions
- wntAccessAdd Problem on NT 4
- wntAccessAdd Share Problem on Windows 7
- wntAccessAdd versus w95AccessAdd Tips
- wntAccessDel Error 599 Invalid Level
- wntAccessGet and Username Parameter
- WntAccessList DFS share
- wntAccessList Problem
- wntAccessMod Registry Issue
- wntAcctList Returns Incorrect Flag Values
- wntAcctPolSet Error
- wntAddDrive and Unicode
- WntAddDrive launches an Explorer window
- wntAddPrinter after WntRunAsUser
- wntauditadd and inheritance
- wntAuditAdd and MS Patch
- WntCancelCon Error 511 Device in Use
- wntChgPswd 562 Invalid User Name
- wntChgPswd and Error 586
- wntChgPswd and Error 589 Error Changing Password
- wntChgPswd and Error 677
- wntChgPswd behavior different between W2K and NT4
- wntCurrUsers Behavior
- wntDomainSync Error 695
- wntEventLog Problem
- wntGetCon Error 509 Network component is Not Started or Invalid
- wntMemberDel- error 571
- wntMemberGrps returns 0 on DC running AD
- wntMemberGrps wntMemberSet - 562 invalid user name
- wntMemberList Behavior
- wntMemberList Error 522
- wntMemberList Problems
- wntOwnerGet - wntOwnerSet Tips
- wntOwnerSet Error 547
- wntRemoteTime and 530 Access Denied Error
- wntRemoteTime and Daylight Savings Time
- wntRunAsUser -- Security Side Effects
- wntRunAsUser 713 Unable to Set Window Station Access
- wntRunAsUser and Act as Part of OS Clarification
- wntRunAsUser and Called Scripts
- wntRunAsUser and Debugging Problem
- wntRunAsUser and No Permission on Local Machine
- wntRunAsUser Discussion in French
- wntRunAsUser Error 637
- wntRunAsUser Error 638
- wntRunAsUser Function - 1
- wntRunAsUser Function - 2
- wntRunAsUser Function - 3
- wntRunAsUser Function Used Twice in Script
- wntRunAsUser RunWithLogon Security Context
- wntRunAsUser to AutoAdminLogon after Reboot
- wntRunAsUser Windowstation and Desktop Permissions on WinXP
- wntServerList and wntServiceAt
- wntServerType
- wntShutDown Error 694
- wntUser... and Update User Accounts
- wntUserAdd Adding a Domain User
- wntUserAdd Bug
- WntUserAddDat and Max_storage
- wntUserGetDat 524 Unable to Access Specified Server
- wntUserGetDat and Logon_hours Flag
- wntUserSetDat and Logon Hours
- wNTUserXXXDat Function and Flags
- wxxUserGetDat and Last Logon Date
Can't find the information you are looking for here? Then leave a message over on our WinBatch Tech Support Forum.
Issue with AccessMod on Remote Machine
Question:
I am running a process to correct permissions in the registry in a 2K/XP environment. When I try to remotely update the access flags on a registry key, I am always told I have an invalid registry key handle. But the key works in other, similar remote statements.Here is my code at its simplest (for some "RemoteMachine"):
RemoteRegistry = RegConnect( RemoteMachine, @REGMACHINE ) CriticalKey = RegOpenKey( RemoteRegistry, "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx" ) OldSetting = wntSecurityGet( RemoteMachine, CriticalKey, 400, 1, 0 ) SetOkay = wntAccessMod( RemoteMachine, CriticalKey, 400, 2, 2 )The remote references work in the SecurityGet function but not in the AccessMod function. Is there another way of manipulating the inheritance flag on registry permissions?
Answer:
Nothing immediately leaps out at me other than that there's one tiny little bit of code that can be used to obtain the name of a registry key from a registry key handle, and it won't work with remote registry keys. If that bit of code somehow gets invoked, the symptoms you are seeing might occur.Another possibility is that you have the permissions necessary to read the security settings but lack the permissions necessary to alter the inheritance flag. It may result in a failure to open a registry handle internally for use in modifying the security settings, and that might be where the error comes from.
What's the version of Windows the code runs on ?
What's the version of Windows on the remote system where the key is located?
What's in the WWWBATCH.INI file after the failure occurs?
What do the permissions look like on the remote registry key when viewed in REGEDIT on that remote system?
What user are you logged on as?
Are both systems in the same domain together?
User Reply:
Running machine is Windows 2000.Remote machine is Windows 2000.
WWWBatch.INI contains:
[Error Reporting]
3052=param2
[WWWNT34I]
LastError=0 (DoRegACLInheritanceModify() {remote server cannot be specified})
[WBDDC34I]
LastError=2 (RegOpenKey)
Currently the permissions are all being inherited from the parent key and are the default Windows permissions (admins, power users, and SYSTEM with Full Control, OWNER with subkey FullControl, and users with Read).
I am logged on as a domain admin (and can perform the change manually via regedt32, I checked that).
The systems are in the same domain.
Also, I tried playing around with how I specified the remote machine name (with and without the "\\" in the front). After reading the WINBATCH.INI file, I also tried specifying no name (as if the key handle was referenced from my machine) but with no luck.
Thanks for your assistance.
Answer:
OK, it looks like there's an error of omission associated with the wntAccessMod() mod docs regarding the modification of the ACL inheritance flags.
In a nutshell.... You can't get there from here. Remote registry keys cannot be manipulated in this manner. I refreshed myself by looking at the source code that generates the exact error message you encountered in the WWWBATCH.INI file, and there's a valid reason for it. In order to properly calculate what the permissions need to be, it is necessary to find the parent of the registry key passed in to wntAccessMod(). Since a registry handle can be passed in via handle, that code I mentioned that converts registry handles back into registry keys gets invoked and it won't work with remote registry keys.
You're going to have to modify the security settings for inheritance via a script running locally on that remote server; you can't make the change through remote access to the registry.
The same limitation applies if you try to modify the inheritance settings for the root of a remote file share, in that the parent folder of the remote share may not be accessible via the network.
User Reply:
Well, I can't run this locally. I am dealing with a few hundred thousand workstations. I need to be able to remotely run this. Is there any way to roll south with the setting by specifying the key and those things? Would it work if I just said kill the settings instead of copy them (copying just makes it faster, I think, but working slow is better than failing fast)?Answer:
I can't think of anything right off the top of my head that will solve the problem immediately. If there's a fix for it, it's going to take re-writing part of wntAccessMod(). The modification would make it necessary to allow for a parent registry key handle to be supplied, and then the subkey to have its ACL inheritance flags modified would have to be specified as a text value.Right now, doing it only with a single registry key handle, it's impossible to make it work for remote systems.
Let me hack around at the code and see what I can whip up. I'll have to add support for an optional parameter after the "flags" parameter, and that optional parameter will be the subkey name that is to be modified, with the registry key handle in the "resource-name" parameter being the parent of that subkey.
Article ID: W17062
File Created: 2007:07:03:14:28:02
Last Updated: 2007:07:03:14:28:02