Updating ACLs in domain

[ChrisP]

Hi,

I've installed VNC-Server on multiple clients in a domain. Now I ahve to adopt the ACLs for the clients and I want to this with a global Datafile which holds the acl for each client. So far so good. I've no problem to extreact the acl for each client and to store it on it but:
my problem is how to get the changed ACL back to the registry? I cannot start MSLogonACL in user-context, so I need a way to this with a startup or a logonscript, right? Or is there any other way to do this?
If anybody has a solution for this, I would be happy for help!

Thx,
Chris

[boqs]

This is how I do it:

Install UltraVNC on a single computer in the domain manually. Define users with WinVNC.exe -defaultsettings, and password etc.

Run MSLogonACL.exe /e <filename>

Extract registry settings and ACL, and import it with these cmd's:
regedit /s <regfile>
MSLogonACL.exe" /i /o <filename>


Hope this helps,

Kind regards

[ChrisP]

Thx, this way i know but I have to change it not on all clients the same time, it has to work dynamic , that's why I created a global acl-file where each clients acl is stored. My aim is to automate it so the acl is updated with each reboot of a client.
btw. my main problem is: how to execute MSLogonACL in a user environment ?

[ChrisP]

I think I just have solved the problem, but I will do some more testing to verify this.

I just added the users rights on the registry folder where the vnc acl is located and now it suddenly works fine.

Thx,
chris

[Marscha]

Why do you want to change the acl all the time?
maybe there's a more elegant way to solve your problem.

BTW, if you open the registry, your users can change the settings, too.
Probably not what you intended.

[ChrisP]

well, I'm talking about more than 1000 stations to administer and if one station breaks down I have to replace it, and sometimes there are special stations where also a few people get view only acess to. Of course I have a standard admin-group that has access....
So far so good. My users are not allowed to do anything on their PCs except from working on it.
That's why I needed to do it this way:
But as I mentioned before - its working now.
I'm holding a centralized ini-file created out of a database which I read at system-startup, then I extract the section for the client, store it and apply it. The only problem why MSLogonACL was not working at the beginnen was that my user-accounts had no privileges to modify the registry, so I allowed them to modify the VNC branch.

[JDaus]

i have used, and recomend sysinternals psexec ... it allows you to execute commands over a network to any windows machine (think it needs local admin priviledges)

http://www.microsoft.com/technet/sysint ... sexec.mspx

this way, you could setup an autoit script (compiled to EXE) to run the commands on \\localhost ... allowing you to have administrator priviledges without your uses getting access to source code ...

hope this is helpful

PS. i recomend you take a look at all tools in the sysinternals site ... they were recently ACQUIRED by microsoft ... but dont let that fool you, they have some great stuff ... and its free
http://sysinternals.com

[ChrisP]

Thanks for that information. Of course, I know sysinternals. But I've treid to work with psexec and is more complicated than doing this small changes in the windows registry and apply them with a GPO, I think.