[THIN] Re: Changing Registry permissions

  • From: Rick Mack <ulrich.mack@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Mon, 27 Apr 2009 07:55:01 +0800

Hi Doug,

Scripting registry changes really isn't that smart considering that group
policy allows you to change the ACL on both files/folders and registry keys.
By changing it at the OU level it's consistent and in the event of a new
server being introduced to the OU or a change on an exiting server the ACLs
will always get reappliewd at reboot.

Plus if you're using the GPMC (group policy management console, free
download from Microsoft,) you have built in documentationm of all the
registry settings.

I wouldn't suggest using any other methodology besides group policies if you
want to get consistent, absolutely reliable results. The exception to this
rule is applying user rights because using via group policy replaces local
rights with sometimes disastrous results.

Edit or create a group policy for the terminal services server OUs, then run
gpedit against the group policy (this can't be applied by a local policy,
well actually it can but not using gpedit). Got to computer configuration >
Windows Settings > Security Settings >  Registry > Add key. Browse to the
key where you want to change the ACL, define the user access and save.
Repeat for the other key ACLs you want to manage.

The next time you reboot the server it'll all be done.



Ulrich Mack
Quest Software
Provision Networks Division

On Thu, Apr 23, 2009 at 1:17 AM, Doug Rooney <Doug@xxxxxxxxxxxxxxxxxxxx>wrote:

>  Neil,
> Unfortunately I didn’t, I inherited this, I came from a Unix world and I am
> still learning the windows stuff, we had a consultant set everything up,
> then he dropped off the face of the earth. I have learned a lot about AD and
> policies, but I am quite the novice compared to you all, which is why I ask
> for help. I prefer to look dumb and ask obvious questions, that just ‘try
> it’ and screw something up. One thing out friendly consultant did was create
> a group called “Many Rights” and then made everyone a member of it, well,
> “Many Rights” was just another name for Administrator, so everyone could do
> anything, what a flipping mess that was, he did it because there was a
> permissions issue and instead of figuring it out and fixing it, he just made
> “Many Rights”, I finally figured out the issue and fixed it, and removed
> “Many Rights”. So I know I have to change permissions on some Registry Keys,
> but have only a slight idea how, and I know I have to have permission as
> Administrator, but have no idea how to fix that. So any and all help is
> greatly appreciated.
> Thank You
> ~Doug Rooney
> Sonoma Tilemakers
> IT Manager
> 7750 Bell Rd.
> Windsor Ca, 95492
> (707) 837-8177 X11
> (707) 837-9472 FAX
> it@xxxxxxxxxxxxxxxxxxxx

Other related posts: