NTRights 1.2


NTRIGHTS.EXE allows administrators to selectively grant or revoke local file system or registry rights in Windows 2000 (not tested on XP). The program optionally allows the administrator to shut down and reboot the system. It can be run in pre-launch or post-launch scripts to grant or deny rights during program execution only.

4/2/03 - This update removes a debugging statement that caused a loss of functionality.

Windows 2000 has both NTFS and registry file rights. Granting these rights is usually a manual process. Using NTRIGHTS.EXE you can now automate these procedures.

For machines merged into a Domain, rights are granted in Domain\User format, not LocalMachine\User format.

How to use:
Open the Application object.
Select the Run Options tab.
Select Environment from the Run Options tab.
Select either Unsecure or Secure user. (Do NOT use Normal user!)
Select the Distribution Options tab.
Select the Distribution Scripts from the Distribution Options tab.
Add the command to run NTRIGHTS.EXE in the "Run after distribution" text window, with the path to its INI file. Apply the changes.

Warning: Run this program outside of ZENworks as a local Administrator equivalent on Windows 2000 first! Verify that the changes are made to the system.

Bigger Warning: If you are launching a program via NTRights in secure mode, make sure it does not prompt the user, or it will hang as the program attempts to prompt the user for input. The program will wait until the external program has exited before continuing to run the next external program.

Best Practices: Use the @ symbol rather than the # symbol to launch the program in the ZENworks scripts. This will allow ZENworks to always "succeed" and exit the installation. Using the # symbol to wait for the script execution to finish is not good practice, as outlined in the previous paragraph. NTRights should reside in one directory and its INI file (ntrights.ini) within the directory of the application these rights are associated with. You can also use it in both distribution and launch scripts for the same application by placing the second INI file in a different directory from the first.

NTRights takes two command line variables. One is the directory where its INI (ntrights.ini) file is, and the other is REVOKE. The Directory path must be defined first or the script will fail. Permissions are granted by default. Use the revoke switch to remove them.

Distribution script Program Example:
@path_to/NTRights.exe path_to/ntrights.ini

Note: Do not use a trailing back slash on the INI path.
@r:\scripts\ntrights.exe r:\apps\application_name

Ntrights path = i:\scripts\ntrights.exe
Application directory Path = q:\apps\my_app (ntrights.ini is in this dir)
Command line would be:
@i:\scripts\ntrights.exe q:\apps\my_app

By default it grants the rights in the INI file. To revoke rights in the INI file:
Ntrights path = i:\scripts\ntrights.exe
Application directory Path = q:\apps\my_app (ntrights.ini is in this dir)
Command line would be:
@i:\scripts\ntrights.exe q:\apps\my_app revoke (Or REVOKE)

The ntrights.ini file is the heart of this program. Running this program by itself or without a valid ntrights.ini defined does nothing. The program only executes the procedures outlined in this file. The file has several sections. Each section name within the brackets is case sensitive. Any section may be skipped or not included. Enclose any registry key, group or path that contains spaces within quotes. The file may even be empty. First, do no harm.

Note: All entries are case sensitive. 'S' is not the same as 's'. This is especially true of the registry entries.

This section is where you choose your file permissions. If you want to grant only create/modify rights to the current user then use:

file# = path or filename. (where # starts at 1 and increments up. Do not actually use the # character). There is no limit to the number of files you can grant permissions to.

This section allows you to grant the following rights to a file or directory. Rights that are defined in this section are applied (edited) against the current user in Domain\Username form. The workstation must be registered into a Domain.

Here you define the rights to grant to or revoke from a file or directory. Use the REVOKE command switch when launching the program in a post launch script.
( Ex: @i:\ntrights.exe m:\app revoke )

file# = path or filename. (where # starts at 1 and increments up. Do not actually use the # character). There is no limit to the number of files you can grant/revoke permissions to.

Perm# = Read, Write, Execute, Delete, Modify or Full. The number in each perm# must be the same as the number of the file# whose rights are to be granted or revoked. These must match!
Note: If Full permission is granted, all other permissions are skipped.

This section grants permission to a key and everything below it. Specify the keys to grant permissions on by using reg# (where # starts at 1 and increments. Do not actually use the # character). This basically grants the end user full rights.

reg# = HIVE:KEY Name or value

Hive Name Syntax: One of:


boot = y or Y will cause the system to reboot in 30 seconds by default unless the time = option is used.

time = # is the number of seconds to wait before rebooting.

This section allows you to add the user to a list of local machine groups. Specify the groups to add the current user to using:
group# = value. (where # starts at 1 and increments up. Do not use the actual # character.)

This section allows you to optionally run other programs at the end of the script. Applications will execute regardless of the revoke command line. It is not recommended that you execute any programs when planning to use the grant/revoke feature. You may specify it in a separate INI file location. Specify the applications to run using:

run# = "full path to executable in quotes" (where # starts at 1 and increments up)

Note: None of these programs are allowed to require user input at all. This WILL cause the script to hang waiting for user input when run in Secure mode!

log = yes. Enables logging of program execution for troubleshooting or auditing purposes. By default the log is written to the system %TEMP% directory as a text file named ntrights.log (usually c:\winnt\temp\ntrights.log).
file = path to file. No trailing back slash. This option may be used to write the log file to a directory other than the local %TEMP% directory. The log is posted to that directory as %USER%.log, that is, the user's ID with .log appended to form the file name.

file1 = "c:\program files\Netsoft"
file2 = "c:\winnt\netsoft.ini"
reg1 = HKLM\SOFTWARE\NetSoft
reg2 = HKLM\SOFTWARE\Microsoft\MSLicense
boot = y
time = 8
group1 = users

group1="Power Users"

file1="d:\program files\myapp\myapp.exe"
file2="d:\program files\yourapp\yourpaper.doc"
file3="d:\program files\yourapps\everyones.doc"

log = yes
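
The entry rules described above (numbering from 1, perm# matched to file#, quotes around values with spaces, quoted run# paths, no trailing back slash on the log path) can be checked before an INI file is deployed. The following Python linter is an added example, not part of NTRights or the original page; it assumes multiple permissions in a perm# are comma-separated, and since the bracketed section names are not shown here it treats any [..] line only as a section boundary (the names in the sample are placeholders).

```python
import re

PERMS = {"Read", "Write", "Execute", "Delete", "Modify", "Full"}  # spelled as on the page
ENTRY = re.compile(r"^(file|perm|reg|group|run)(\d*)\s*=\s*(.*)$")

def lint_ntrights_ini(text):
    """Return sorted (line_no, message) findings for the text of an ntrights.ini."""
    findings, entries, section = [], {}, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("["):          # section boundary; the name is not interpreted
            section += 1
        m = ENTRY.match(line)
        if not m:                         # blank lines, boot/time/log and headers
            continue
        kind, num, value = m.groups()
        quoted = len(value) > 1 and value[0] == value[-1] == '"'
        if value.count('"') % 2 or (" " in value and kind != "perm" and not quoted):
            findings.append((no, "value with spaces needs enclosing, balanced quotes"))
        if not num:
            if kind != "file":            # un-numbered "file =" is the log path option
                findings.append((no, f"{kind} entry has no number"))
            elif value.strip('"').endswith("\\"):
                findings.append((no, "log path ends in a back slash"))
            continue
        entries.setdefault((section, kind), {})[int(num)] = no
        perms = [p.strip() for p in value.split(",")]   # assumed separator: comma
        if kind == "perm" and not set(perms) <= PERMS:
            findings.append((no, "unknown permission name (entries are case sensitive)"))
        elif kind == "perm" and "Full" in perms and len(perms) > 1:
            findings.append((no, "Full is set, so the other permissions are skipped"))
        elif kind == "run" and not quoted:
            findings.append((no, "run# needs the full path in quotes"))
    for (sec, kind), nums in entries.items():            # per-section numbering checks
        if sorted(nums) != list(range(1, len(nums) + 1)):
            findings.append((min(nums.values()), f"{kind}# must start at 1 and increment"))
        if kind == "perm" and set(nums) != set(entries.get((sec, "file"), {})):
            findings.append((min(nums.values()), "perm# and file# numbers must match"))
    return sorted(findings)

# Constructed sample input; the bracketed section names are placeholders.
SAMPLE = r'''[placeholder-1]
file1 = "c:\program files\Netsoft"
file2 = c:\program files\other.ini
perm1 = Read, Write
perm3 = Full, Delete
[placeholder-2]
file = c:\logs\
run1 = c:\tools\setup.exe'''
```

Calling lint_ntrights_ini(SAMPLE) reports the unquoted path on line 3, the perm#/file# mismatch on line 4, the Full combination on line 5, the log path on line 7 and the unquoted run1 on line 8.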

Bugs or Issues:
Contact: dougglenn@kemet.com
Please include the ntrights.ini file and a description of the problem.

Date: 10/21/02
Version: 1.2

Added ability to grant/revoke rights on the command line. Requested by - Jeff Ferris
Added logging for troubleshooting purposes.
Added ability to grant explicit file and directory rights. Requested by - Karen Duffell
Created PDF Documentation.
Reposted to Novell web site with documentation changes.

Date: 10/16/02
Version: 1.1
Corrected issue with registry rights reported by Karen Duffell.
Reposted to Novell web site.


