Updating ACLs in domain

Should you have problems with the MS logon plugin, here's the place to look for help or report issues.

Updating ACLs in domain

Postby ChrisP » 2007-04-26 13:26

Hi,

I've installed VNC-Server on multiple clients in a domain. Now I ahve to adopt the ACLs for the clients and I want to this with a global Datafile which holds the acl for each client. So far so good. I've no problem to extreact the acl for each client and to store it on it but:
my problem is how to get the changed ACL back to the registry? I cannot start MSLogonACL in user-context, so I need a way to this with a startup or a logonscript, right? Or is there any other way to do this?
If anybody has a solution for this, I would be happy for help!

Thx,
Chris
ChrisP
8
8
 
Posts: 15
Joined: 2007-04-20 06:13

Re: Updating ACLs in domain

Postby boqs » 2007-04-26 13:43

This is how I do it:

Install UltraVNC on a single computer in the domain manually. Define users with WinVNC.exe -defaultsettings, and password etc.

Run MSLogonACL.exe /e <filename>

Extract registry settings and ACL, and import it with these cmd's:
regedit /s <regfile>
MSLogonACL.exe" /i /o <filename>


Hope this helps,

Kind regards
Last edited by boqs on 2007-04-26 13:44, edited 1 time in total.
boqs
 
Posts: 6
Joined: 2007-04-26 10:50

Re: Updating ACLs in domain

Postby ChrisP » 2007-04-26 13:48

Thx, this way i know but I have to change it not on all clients the same time, it has to work dynamic , that's why I created a global acl-file where each clients acl is stored. My aim is to automate it so the acl is updated with each reboot of a client.
btw. my main problem is: how to execute MSLogonACL in a user environment ?
Last edited by ChrisP on 2007-04-26 13:49, edited 1 time in total.
ChrisP
8
8
 
Posts: 15
Joined: 2007-04-20 06:13

Re: Updating ACLs in domain

Postby ChrisP » 2007-04-26 14:05

I think I just have solved the problem, but I will do some more testing to verify this.

I just added the users rights on the registry folder where the vnc acl is located and now it suddenly works fine.

Thx,
chris
ChrisP
8
8
 
Posts: 15
Joined: 2007-04-20 06:13

Re: Updating ACLs in domain

Postby Marscha » 2007-05-03 06:56

Why do you want to change the acl all the time?
maybe there's a more elegant way to solve your problem.

BTW, if you open the registry, your users can change the settings, too.
Probably not what you intended.
Marscha
Former moderator
Former moderator
 
Posts: 471
Joined: 2004-05-14 06:48

Re: Updating ACLs in domain

Postby ChrisP » 2007-05-03 07:12

well, I'm talking about more than 1000 stations to administer and if one station breaks down I have to replace it, and sometimes there are special stations where also a few people get view only acess to. :) Of course I have a standard admin-group that has access....
So far so good. My users are not allowed to do anything on their PCs except from working on it.
That's why I needed to do it this way:
But as I mentioned before - its working now. :)
I'm holding a centralized ini-file created out of a database which I read at system-startup, then I extract the section for the client, store it and apply it. The only problem why MSLogonACL was not working at the beginnen was that my user-accounts had no privileges to modify the registry, so I allowed them to modify the VNC branch. :)
ChrisP
8
8
 
Posts: 15
Joined: 2007-04-20 06:13

Re: Updating ACLs in domain

Postby JDaus » 2007-05-13 11:19

i have used, and recomend sysinternals psexec ... it allows you to execute commands over a network to any windows machine (think it needs local admin priviledges)

http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx

this way, you could setup an autoit script (compiled to EXE) to run the commands on \\localhost ... allowing you to have administrator priviledges without your uses getting access to source code ... :)

hope this is helpful

PS. i recomend you take a look at all tools in the sysinternals site ... they were recently ACQUIRED by microsoft ... but dont let that fool you, they have some great stuff ... and its free
http://sysinternals.com
ask a silly question and remain a fool for 5 minutes...
don't ask, and remain a fool for life - JDaus 2003

without imperfections, neither you nor i would exist - Steven Hawkins
__
JD
VNC2Me - OpenSource Free Remote Screen\Desktop Sharing Solutions
SecureTech
JDaus
Friend of UVNC
Friend of UVNC
 
Posts: 516
Joined: 2007-03-17 11:00
Location: Sydney, Australia

Re: Updating ACLs in domain

Postby ChrisP » 2007-05-14 03:49

Thanks for that information. Of course, I know sysinternals. ;) But I've treid to work with psexec and is more complicated than doing this small changes in the windows registry and apply them with a GPO, I think.
ChrisP
8
8
 
Posts: 15
Joined: 2007-04-20 06:13


Return to MS logon plugin

Who is online

Users browsing this forum: No registered users and 1 guest