Windows 2000 Could write system Registry

sv800

Active Member
Client Windows 2000, after installing Client,
trying to logon I receive a message
Could not write system registry.

Lunch regedt32 and I granted permissions in
Class Root, JDEDwards application.
Message still appears.

The only way is granting Local Permission as Administrator
to the user.
Some cases we do not want to that.
Just we want treat those users as Windows users not administrators.

See KG doc: Title: How To Set Security in the Registry for Windows 2000 Clients
Abstract: Instead of giving everyone full control to the HKEY_CLASSES_ROOT key, some clients prefer to open up files specific to OneWorld.

NT 4.0, SQLServer 7, B7332, SP11, CLIENT: Windows 2000


The Premier Group
 

Larry_Jones

Legendary Poster
Sergio,

did you ever resolve this issue of OneWorld XE on Win 2000 requiring local administrator privileges? We're moving to Win 2000 and this has become an issue for us also. As you noted the procedure documented by JDE in the document "How To Set Security in the registry for Windows 2000 Clients" does not work. In fact the document is a lie since the regedt32 screen shot shown is from the NT 4.0 version rather than the Win2K version of regedt32.

Thanks in Advance,

Larry Jones
ljones@wagstaff.com
OneWorld XE, SP 15.1
HPUX 11, Oracle SE 8.1.6
Mfg, Distribution, Financials
 

boaterdan

Active Member
I'll just chime in here that the installation materials say it is a requirement on Win2k for OW users to be power users, but in fact it seems they need to be administrators to do installs.

And I agree that isn't really acceptable.


---------------------------------
OneWorld Xe SP15
Clustered Windows 2000 + SQL 2000
 

jeremey_garcia

VIP Member
W/ our users we just gave them power users rights, it took care of that
problem.

----- Original Message -----
From: "Larry_Jones" <ljones@wagstaff.com>
To: <jdelistml@jdelist.com>
Sent: Tuesday, July 17, 2001 1:34 PM
Subject: Re: Windows 2000 Could write system Registry


administrator privileges? We're moving to Win 2000 and this has become an
issue for us also. As you noted the procedure documented by JDE in the
document "How To Set Security in the registry for Windows 2000 Clients" does
not work. In fact the document is a lie since the regedt32 screen shot
shown is from the NT 4.0 version rather than the Win2K version of regedt32.
http://198.144.193.139/cgi-bin/wwwthreads/showflat.pl?Cat=&Board=OW&Number=1
6484



Jeremey Garcia
Xe SP14 ES - AS/400 CO - AS/400 Deploy - NT Citrix
 

jeremey_garcia

VIP Member
Some more of my pennies worth?

Who says the users do the install? You can have the person w/ admin rights
do the install, or are you saying that package updates, and esu's need admin
rights for them?
----- Original Message -----
From: "boaterdan" <boaterdan@yahoo.com>
To: <jdelistml@jdelist.com>
Sent: Tuesday, July 17, 2001 3:35 PM
Subject: Re: Windows 2000 Could write system Registry


requirement on Win2k for OW users to be power users, but in fact it seems
they need to be administrators to do installs.
http://198.144.193.139/cgi-bin/wwwthreads/showflat.pl?Cat=&Board=OW&Number=1
6503



Jeremey Garcia
Xe SP14 ES - AS/400 CO - AS/400 Deploy - NT Citrix
 
I recall seeing a white paper on the JDE knowledge garden which
talks about doing client installs without administrator access. I'll see if
I can find it again.
 

Larry_Jones

Legendary Poster
The problem is not doing installs or even accepting update packages. When a regular user (not an administrator, not a power user - which is almost an administrator) tries to run oneworld they receive a dialog box with the error message "Failed to update the system registry. Please try using REGEDIT.". The cause is a very strange practice in OneWorld of unregistering and re-registering an ocx (jdeocx.ocx) each time OneWorld is started/run. Unregistering and/or registering COM components is generally only done when an install is run (or in JDE's case also when an update is run - which is a form of install). Why they need to do this each time the application is started is a mystery.

The problem may be bypassed by:

1) Making the user(s) a local administrator
2) Adding "Users" to the the local Power Users Group
3) Changing the security permissions of the entire HKEY_CLASSES_ROOT hive to give everyone full access to that tree.

The first 2 methods are not acceptable for our security requirements. We have resorted for now to using method 3 but I am quite uncomfortable with it. There is a SAR on this issue but it has a status of "Returned for Clarification".

Other windows software generally does not have this problem just trying to run the s/w. Other s/w does not attempt to unregister and re-register controls (jdeocx.ocx) each time they are run. GRRRR ...

Thx for listening.


Larry Jones
ljones@wagstaff.com
OneWorld XE, SP 15.1
HPUX 11, Oracle SE 8.1.6
Mfg, Distribution, Financials
 

mciruzzi

Member
Hi,
My experience is you do not need to give everyone the 'full control' privilege. 'set value' is enough.

Miguel
XE SP_15 Update 1 Oracle 8.1.7 HP-UX 11i Win200 Deployment. Experience in other realeases and platforms
 

Leroy

Active Member
Larry,

The user can get away with having PowerUser rights rather than Administrator
rights. I have been adding a domain user group as a PowerUser to all our
PC's and then I add the user to the domain user group. That way anybody in
the group can use any PC to access OneWorld. Its not the best solution but
it gets the user out of my face.

I have a document regarding the specific registery settings but haven't
tried it yet. Once I give it a go I'll post an item on the results.

Regards

Lee
Chief Technology Officer
Blackmores Ltd

(OneWorld Xe, AS400, Windows 2000, Citrix)
 

boaterdan

Active Member
Re: RE: Windows 2000 Could write system Registry

When I try to accept an update package with a non-administrator user, I get the following message:

"Setup has determined that you are not an administrator on this machine and it is not recommended that you continue setup. Do you wish to continue?"

in a window titled: "Client Workstation Setup"

Now, what did I do different??

---------------------------------
OneWorld Xe SP15
Clustered Windows 2000 + SQL 2000
 

Larry_Jones

Legendary Poster
Re: RE: Windows 2000 Could write system Registry

Unfortunately this message about being a non-admin appears to be a fact of life for us until JDE gets their act together. Everything appears to be OK if you acknowledge the message and continue (Assuming you have assigned the registry permissions discussed elsewhere on the forum).

What bothers me is that I'm sure this message is there for a reason. We should be OK by doing our "Partial Administrator" tricks, but I worry. Some of the tricks you have to perform when installing an application with many dependencies are not at all obvious. Win 2K tightened down what a setup program can modify/replace (regardless if you're an admin or not). Windows XP is rewriting the book on how applications are setup and run.

Hopefully JDE's development team has been pro-actively working with Windows XP and has been re-architecting the update and run process to resolve these issues in future releases.

As an aside, how many of you are familiar with the new Microsoft licensing requirements? Looking forward to XP? :eek:)

Larry Jones
ljones@wagstaff.com
OneWorld XE, SP 15.1
HPUX 11, Oracle SE 8.1.6
Mfg, Distribution, Financials
 

boaterdan

Active Member
Re: RE: Windows 2000 Could write system Registry

Let's just say I've got 1500 desktops across 6 locations. You're saying I would have to visit each one and assign this registry edit right? PLEEEEEAAAAAAASE!

Microsoft tried to provide a way out of this kind of problem with the power user. JDE says you have to be a power user to run their software on Win2k.

Now JDE says you have to have this in addition?

-----
As far as new MS licensing, like the rest of the IT world I think it is pretty horrible. However, NT/2000 continues to become a better and better OS, making it more and more prominent in price/performance comparisons, so the juggernaut will roll on.

---------------------------------
OneWorld Xe SP15
Clustered Windows 2000 + SQL 2000
 

Leroy

Active Member
RE: RE: Windows 2000 Could write system Registry

A OneWorld Client Install wants to update your system registeries. You
either have to have rights to the specific registeries or you must have at
least PowerUser rights to the PC.

Regards

Lee Richards
Chief Technology Officer
Blackmores Ltd
(OneWorld Xe, AS400, Citrix Windows 2000)
 

boaterdan

Active Member
Re: RE: RE: Windows 2000 Could write system Registry

There seems to be some confusion here because different people seem to be seeing different things. I'm telling you that in my case being a power user doesn't seem to be enough. I am trying to install an update package and OneWorld is telling me explicitly that it wants me to be an ADMINISTRATOR.

---------------------------------
OneWorld Xe SP15
Clustered Windows 2000 + SQL 2000
 

Larry_Jones

Legendary Poster
Re: RE: RE: Windows 2000 Could write system Registry

Hey Dan(?),

My re-raising of this thread had to do with issues when attempting to just run OneWorld. In order to accept Update packages, users also need full control over \HKEY_LOCAL_MACHINE\SOFTWARE\JDEdwards (and all of its sub-keys).

FYI there is a NT/2K admin utility called REGINI.EXE that can help to automate setting all these registry permissions. The utility comes with the Windows Resource Kit. Alternatively you can also write a C or VB program that reaches across the network and changes registry permissions. However since you only need to do this once (when OW is installed on the machine) we incorporated the REGINI.exe as part of an install command file as follows:

OWSetup.bat
------------------------------------------------------------------
REM **** OneWorld XE Client Installation - Silent Mode ****
REM
REM Explanation of command line parameters:
REM -V : Verbose mode (shows progress on screen display)
REM -P PD7333FA : Package name
REM -D D:\B7 : Directory to install into
REM -t Compact : Only installs production objects (no .c or .h files)
REM -r : Removes existing installation before installing new package
REM
del /F /S /Q c:\B7
del /F /S /Q d:\B7
rmdir /S /Q c:\B7
rmdir /S /Q d:\B7
"\\DEPSERVER\B7333\OneWorld Client Install\setup.exe" -V -P PD7333FA -D C:\B7 -t Compact
del "c:\winnt\profiles\all users\desktop\JDEdwards Solution Explorer.lnk"
REM set Registry permissions
REGINI.exe OWSetRegSec.txt
REM below causes the install log to be displayed on the workstation
c:\jdeinst.html
REM run OneWorld to ensure all is OK
c:\b7\system\bin32\oexplore.exe
exit
-------------------------------------------------------------------
Contents of OWSetRegSec.txt file:
---------------------------------
\Registry\Machine\Software\JDEdwards [1 7]
\Registry\Machine\Software\JDEdwards\JDEdwards OneWorld Client Listener [1 7]
\Registry\Machine\Software\JDEdwards\OneWorld [1 7]
\Registry\Machine\Software\JDEdwards\OneWorld\Install.ini [1 7]
\Registry\Machine\Software\JDEdwards\OneWorld\Install.ini\B7333 [1 7]
\Registry\Machine\Software\JDEdwards\OneWorld\Install.ini\B7333\PD7333 [1 7]
\Registry\Machine\Software\JDEdwards\OneWorld\Install.ini\B7333\PY7333 [1 7]
\Registry\Machine\Software\JDEdwards\OneWorld\Install.ini\B7333\Shortcuts [1 7]
\Registry\Machine\Software\JDEdwards\OneWorld\Install.ini\B7333\Shortcuts\Desktop [1 7]
\Registry\Machine\Software\JDEdwards\OneWorld\Install.ini\B7333\Shortcuts\Start [1 7]
\Registry\Machine\Software\Classes [1 7]
---------------------------------------------------------------------

These settings do not require users to be Administrator's or Power Users BTW.

Regards,


Larry Jones
ljones@wagstaff.com
OneWorld XE, SP 15.1
HPUX 11, Oracle SE 8.1.6
Mfg, Distribution, Financials
 

boaterdan

Active Member
Re: RE: RE: Windows 2000 Could write system Registry

Could you clarify a few things?

When you first run this batch file are you logged in as an administrator? Does the regini.exe set permissions based on the currently logged in user, or all users? Does your last statment mean to run this install batch file or to run OW and accept updates after it is finished?

Is this the sequence?

1) Log on as administrator and run this install batch file
2) Log off administrator
3) Normal user is good to go from then on

Thanks. This looks like it could be very helpful once I understand these questions.

---------------------------------
OneWorld Xe SP15
Clustered Windows 2000 + SQL 2000
 

Larry_Jones

Legendary Poster
Re: RE: RE: Windows 2000 Could write system Registry

Dan,

you got it. An administrator has to run the install script. After that the normal user should be good to go. the [1 7] values assign Full Control to both Administrators and Everyone (I know - redundant).
Here's the Microsoft Documentation on these settings:
*******************************************************************
How to Use Regini.exe to Set Permissions on Registry Keys

--------------------------------------------------------------------------------
The information in this article applies to:

Microsoft Windows NT Server version 4.0
Microsoft Windows NT Workstation version 4.0
Microsoft Windows NT Server version 4.0, Terminal Server Edition
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server

--------------------------------------------------------------------------------
SUMMARY
This article describes how to use the Regini.exe tool in the Microsoft Windows NT 4.0 Resource Kit to modify registry permissions from within a script.

MORE INFORMATION
It may be useful to use the Regini tool to modify registry permissions from within a script to automate the distribution of permissions or for other uses. For example, if an administrator wanted to allow Everyone to have full control to HKEY_LOCAL_MACHINE\Software\MyCompany\MyProgram, the following sample Regini script would assign this permission:

\registry\machine\software\mycompany\myprogram [1 5 7 17]

The numbers that appear after the MyProgram key correspond to group permissions, and are defined in the following list:

1 - Administrators Full Access
2 - Administrators Read Access
3 - Administrators Read and Write Access
4 - Administrators Read, Write and Delete Access
5 - Creator Full Access
6 - Creator Read and Write Access
7 - World Full Access
8 - World Read Access
9 - World Read and Write Access
10 - World Read, Write and Delete Access
11 - Power Users Full Access
12 - Power Users Read and Write Access
13 - Power Users Read, Write and Delete Access
14 - System Operators Full Access
15 - System Operators Read and Write Access
16 - System Operators Read, Write and Delete Access
17 - System Full Access
18 - System Read and Write Access
19 - System Read Access
20 - Administrators Read, Write and Execute Access
21 - Interactive User Full Access
22 - Interactive User Read and Write Access
23 - Interactive User Read, Write and Delete Access
Based on the script, the permissions of the MyProgram key are now:

Administrators: Full Control
Creator/Owner: Full Control
World (Everyone): Full Control
System: Full Control

NOTE: When you use Regini in this way, it actually replaces all permissions with those specified in the script, so to change "Everyone-Read" to "Everyone-Full Control," the new permission (number 7) must be applied, along with the other existing permissions. Note that if 7 is the only number specified in brackets in the script, then the permissions after running the script would only be "Everyone-Full Control."



Larry Jones
ljones@wagstaff.com
OneWorld XE, SP 15.1
HPUX 11, Oracle SE 8.1.6
Mfg, Distribution, Financials
 

Alex_Pastuhov

Legendary Poster
Re: RE: RE: Windows 2000 Could write system Registry

Hi All,

A better way is to use:
"http://members.optushome.com.au/apastuhov/WindowsRegistryCommander.htm"
to modify registry access rights:
- you can do it to all/some PC's in your network by running a single script from a single machine;
- you can define more specific rights than REGINI: say, grant "CHANGE" rights vs. "ALL" or just grant the rights to "USERS" vs. "WORLD";
- it's FREE as opposed to REGINI which is a part of Windows Resource Kit.

I also published a sample script on that URL...

Regards,
Alex.
 
Top