Thursday, September 30, 2010

Software Packaging Tip: Adjusting Permissions

If you work within an environment where “users” are actually “users” and not Administrators of their computers, you will likely run into situations where some applications won’t function properly because the user doesn’t have permissions to modify the contents of certain folders or registry keys and values.

There are two basic tools for handling this and they’re both free and very easy to use, whether you prefer Wise, InstallShield, or good old-fashioned scripting:

CACLS.exe (for files and folders)

REGINI.exe (for registry keys)

I won’t bother going into a lot of detail on these, because there’s tons of info already on the web for both of them, but they work and they work well.

In Wise, for example, you can edit your package to add a “Custom Action” to invoke either command.  CACLS is much easier to use because you just need to specify the file or folder you wish to modify, and then specify who gets what permissions to it. 

Example:

CACLS <path> <options> <user/group>:<permission>

CACLS "c:\acme" /T /E /C /G Users:C

The example above grants members of the local group “Users” the “Change” permission to C:\ACME and all sub-folders and files beneath it.  Keep in mind that if you need to specify a group name that has spaces in it, you need to wrap the name in double quotes (as shown below):

CACLS "c:\acme" /T /E /C /G "Domain Users":C

There’s a good reference for this command at http://ss64.com/nt/cacls.html

REGINI on the other hand expects a file to be specified as the input to dictate which registry keys get what permissions.  Thankfully, with REGINI in particular, you can wrap all of it inside a script that writes its own input file.  With Wise you can then use the “Execute VBScript from Embedded” and wrap the .VBS file into the package itself.

Example:

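' Path of the temporary REGINI input file
regFile = "c:\windows\temp\reg.txt"
Set fso = CreateObject("Scripting.FileSystemObject")
' 2 = ForWriting, True = create the file if it does not exist
Set f = fso.OpenTextFile(regFile, 2, True)
f.WriteLine "HKEY_LOCAL_MACHINE\Software\ACME [1 5 7 11 17]"
f.Close
Set oShell = CreateObject("WScript.Shell")
' Run REGINI and wait for it to finish before cleaning up
oShell.Run "regini " & regFile, 8, True
' A TextStream has no Delete method, so remove the file through the FileSystemObject
fso.DeleteFile regFile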


This little bit of script creates the input file “reg.txt” in the TEMP folder beneath C:\WINDOWS, then uses the shell object to run REGINI.exe with the file input.  When it’s finished, it deletes the input file.  I adapted it from http://support.microsoft.com/?kbid=237607  so I can’t claim original authorship.  That other version is nice because they use the GetTempName method to generate a random filename instead of a static name, but that’s just fascinating for people with no life, like myself.



You can also do this very simply with a .BAT or .CMD script…



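@echo off
rem Redirection comes first so no trailing space is written; quotes handle spaces in %temp%
>"%temp%\reg.txt" echo HKEY_LOCAL_MACHINE\Software\ACME [1 5 7 11 17]
regini "%temp%\reg.txt"
rem Remove the input file once REGINI has finished, as the VBScript version does
del "%temp%\reg.txt"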


The point is: you have options. And “free” options are always nice.
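
The bracketed numbers in the REGINI input line are ACL codes from Microsoft's documented REGINI code table; in the line used above, 7 means World (Everyone) Full Access. The Python script below is an added example, not code from the original post or from the Microsoft KB article: it decodes each code and flags grants that give every user full control, so a package's REGINI input can be reviewed before it ships. The names audit, BROAD and the second sample line are assumptions made for the example.

```python
import re

# REGINI ACL codes as documented by Microsoft: code -> (trustee, access).
# R=read, W=write, D=delete, X=execute, F=full control.
ACL_CODES = {
    1: ("Administrators", "F"), 2: ("Administrators", "R"),
    3: ("Administrators", "RW"), 4: ("Administrators", "RWD"),
    5: ("Creator", "F"), 6: ("Creator", "RW"),
    7: ("World", "F"), 8: ("World", "R"),
    9: ("World", "RW"), 10: ("World", "RWD"),
    11: ("Power Users", "F"), 12: ("Power Users", "RW"),
    13: ("Power Users", "RWD"), 14: ("System Operators", "F"),
    15: ("System Operators", "RW"), 16: ("System Operators", "RWD"),
    17: ("System", "F"), 18: ("System", "RW"), 19: ("System", "R"),
    20: ("Administrators", "RWX"), 21: ("Interactive User", "F"),
    22: ("Interactive User", "RW"), 23: ("Interactive User", "RWD"),
}
# Trustees that include ordinary, non-admin users (assumption for this check).
BROAD = {"World", "Interactive User"}
# A REGINI permission line: key path followed by codes in square brackets.
LINE = re.compile(r"^\s*(?P<key>[^\[\]]+?)\s*\[(?P<codes>[\d\s]+)\]\s*$")

def audit(text):
    """Return (key, trustee, access, flagged) for every ACL code in the input."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines and anything that is not "key [codes]"
        for code in map(int, m["codes"].split()):
            trustee, access = ACL_CODES.get(code, ("UNKNOWN", "?"))
            # Full control also allows changing the key's permissions, so flag
            # it for broad trustees; unknown codes are flagged for review too.
            flagged = access == "?" or (trustee in BROAD and access == "F")
            rows.append((m["key"], trustee, access, flagged))
    return rows

# Constructed sample input: the line from the post plus a narrower variant.
SAMPLE = """\
HKEY_LOCAL_MACHINE\\Software\\ACME [1 5 7 11 17]
HKEY_LOCAL_MACHINE\\Software\\ACME\\Settings [1 9 17]
"""

if __name__ == "__main__":
    for key, trustee, access, flagged in audit(SAMPLE):
        print(f"{'REVIEW' if flagged else 'ok    '} {key}: {trustee} = {access}")
```
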



My final parting advice: NEVER give users administrative rights to their computers.  It’s an admission of failure.  Find out what specific things need to be opened up and do it selectively, and carefully.  If you don’t have time to do that, do you have time to mop up the mess they create from installing a dozen shareware applications, two dozen worms, trojans and viruses (or virii?)?  Saving time now may end up costing you five times that later.  When users bitch and moan (that’s what they do best, right?) push back.  Demand that they identify WHY they absolutely need admin rights.  Find out what things they need to modify, and WHY and then work from there.  Don’t just give them the keys and let them go.  That’s insane.  This method works fine. I do it all the time and so do hundreds of other IT folks.
