Wednesday, May 15, 2013

Packaging Skype with Auto Update disabled

EDITED: I have edited this post on 30-Aug-2013 after some users comments that the given solution is not working. I have studied in depth the skype update process and created this solution for all. Please check below (Edited Section) for more information.

Recently while packaging Skype for enterprise version, I could not disable the Auto Updates and finally found a way to get rid of it.

You can get the latest version of Skype setup in MSI format from the following URL: http://download.skype.com/msi/SkypeSetup.msi

There is no registry, file which can disable the Auto Update functionality of Skype. I searched in lots of forums and all said that it automatically prompts for update. So finally I decided to look in the MSI and find why and how it is doing it.

What I found was that Skype has an Updater.exe in the installation folder and it also creates a Skype Update service which points to this exe.
I just removed this service and updater.exe file from the skype msi package and it worked.
No need to do anything else. Just do this small part and you are done with removing the Auto Update in Skype.

Edited:
I have been asked and told by a lot of users that this is not working so I am adding a further solution which will definitely work without a doubt. I have mass deployed this and it has worked fine. For all the users who were getting the pop ups, this has fixed it.

You need to create a dummy SetupSkype.exe file and a Skypefix.vbs as below and add it to your INSTALLDIR (C:\Program Files\Skype\Phone\) of the package.

SkypeFix.vbs:
'==============================================
dim filesys, oShell
Set filesys = CreateObject("Scripting.FileSystemObject")
Set oShell = CreateObject("WScript.Shell")

des1 = oShell.ExpandEnvironmentStrings ("%Temp%")
sup = oShell.ExpandEnvironmentStrings ("%ProgramFiles%")
windir = oShell.ExpandEnvironmentStrings ("%Windir%")

destfile1= des1 & "\SkypeSetup.exe"
sourcefile1= sup & "\Skype\Phone\SkypeSetup.exe"

'Copy files

If filesys.FileExists(sourcefile1) Then

 a= filesys.CopyFile (sourcefile1, destfile1,True)

End If

oShell.Run windir & "\System32\Icacls.exe " & destfile1 & " /deny Everyone:D"

'=================================================

After this you need to create an Active Setup registry key which will run this vbs file for every user who logs off and logs in. After this there will be no upgrade issue.

This script works on the fact that SkypeSetup.exe gets downloaded from internet to %temp% folder of user and when it is downloaded, it starts prompting up for upgrade. I have created this file before hand in %temp% folder or replace the already existing one with this dummy file and then put a deny restriction to all the users on this file. So now a file cannot be downloaded to %temp% folder because there is already a file which cannot be deleted/replaced. Hence no more upgrade prompts.
I have created this solution by deeper understanding of Skype setup and upgrade.

Hope this tip will be helpful to you and let me know if it still does not work.

Tuesday, April 16, 2013

How to clear App-V Cache

This has become my favorite site today because one of the issue which I was facing in App-V while testing was because the App-V cache was not getting cleared.
I used one of the method used here and it worked for me.
I want to share this link with all and want to bookmark it for myself for future reference.

http://esense.be/33/2010/04/15/softgrid-clear-the-appv-cache/


In Summary, these are a few good options to start with:


First, get a list of all AppV applications:
sftmime query obj:app /short
Remove all applications from the cache:
sftmime.exe remove obj:app /global /complete
Remove a specific application from the cache:
sftmime.exe remove app:”applicationName” /complete


Hope your issues are solved with this as well.

Sunday, March 17, 2013

App-V with Java/JRE/JDK

It is very critical to understand how to handle installation of Java related applications in App-V environment.
While some are of the view that the application should be installed along with Java in the same bubble while some say that the Java version installed on the base machine can be used.

Here is how you can do both of these in a proper way:

1) Java installed locally on the machine: If Java is locally installed on the machine and you capture the App-V application, then you will see a hard coded entry in the registry. This basically points the App-V application to look for Java in this local machine location. If you upgrade your Java version from say 1.6.21 to 1.6.24, then you do not need to worry, however, if you do a major upgrade from 1.6.21 to 1.7.xx then you need to upgrade your App-V Application as well. You need to maintain the software library for all these applications and then upgrade them as part of Java Upgrade in the organization.

2) Java is installed as local copy inside App-V bubble: Java can also be installed as a local copy with your App-V application. There can be various reasons for doing this:
 a) Application is compatible only with a certain version of Java
 b) Application uses a higher version which is not locally installed.
 c) If Software manager do not want to upgrade the application every time Java gets updated.

In these cases a private copy of Java can be captured with App-V. However, there is a procedure for achieving this.
These steps will be helpful in doing this:

http://packagingguide.blogspot.com.au/2011/11/app-v-for-java-runtime-environment.html

Monday, February 25, 2013

Detection Method for MSU in Applications for SCCM 2012

In SCCM 2012 Applications you can have a detection method set for MSU with KB numbers.

You can use the Powershell or VBScript to do this. Here is an example of both.

Powershell Script:

get-hotfix | Where-Object {$_.HotFixID -match "KB981603"}

VBScript:

'Returns info if Windows 'KB981603'  in installed
' ----------------------------------------------------------'
Option Explicit

Dim objWMIService, strComputer
strComputer = "."

'Run the query
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
 
Dim QFEs
Dim QFE
Set QFEs = objWMIService.ExecQuery ("Select * from win32_QuickFixEngineering where HotFixID like 'KB981603'")
For Each QFE in QFEs
    Wscript.echo "Update KB981603 was installed by " & QFE.InstalledBy & " on " & QFE.InstalledOn
Next
WScript.Quit

Thursday, February 14, 2013

VBScript to Delete Registrly key and all subkeys


This script has worked good for me and I would like to share with all.

Option Explicit

    Dim intHive
    Dim strComputer
    Dim strKeyPath, objRegistry

    Const HKEY_CLASSES_ROOT        = &H80000000
    Const HKEY_CURRENT_USER    = &H80000001
    Const HKEY_LOCAL_MACHINE    = &H80000002
    Const HKEY_USERS        = &H80000003
    Const HKEY_CURRENT_CONFIG    = &H80000005

    'On Error Resume Next

    strComputer            = "."
    intHive                = HKEY_LOCAL_MACHINE
 
    strKeyPath            = "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ABC\XYZ"

    Set objRegistry        = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

    DelSubkeys intHive, strKeypath

    Set objRegistry        = Nothing

    Sub DelSubkeys(ByVal intRegistryHive, ByVal strRegistryKey)
        Dim arrSubkeys

        objRegistry.EnumKey intRegistryHive, strRegistryKey, arrSubkeys
        If IsArray(arrSubkeys) Then
            For Each strSubkey In arrSubkeys
                DelSubkeys intRegistryHive, strRegistryKey & "\" & strSubkey
            Next
        End If

        objRegistry.DeleteKey intRegistryHive, strRegistryKey
    End Sub

Wednesday, January 30, 2013

VBScript to Delete Folder and all SubFolders with files


Here is the VBScript which will delete all Folders and Subfolders with even have files in it.
It took me so many hours to find this perfect script and all credits go to Rob van der Woude and the original script is here: http://www.robvanderwoude.com/vbstech_folders_deltree.php
I just want to keep this for my reference and for everyone so that we all can save some time.


Option Explicit

Dim objFSO, objTempFolder, strTempFolder

Const TEMP_FOLDER = 2

Set objFSO        = CreateObject( "Scripting.FileSystemObject" )
Set objTempFolder = objFSO.GetSpecialFolder( TEMP_FOLDER )
strTempFolder     = objTempFolder.Path

DelTree strTempFolder, True


Sub DelTree( myFolder, blnKeepRoot )
' With this subroutine you can delete folders and their content,
' including subfolders.
' You can specify if you only want to empty the folder, and thus
' keep the folder itself, or to delete the folder itself as well.
' Root directories and some (not all) vital system folders are
' protected: if you try to delete them you'll get a message that
' deleting these folders is not allowed.
'
' Arguments:
' myFolder     [string]   the folder to be emptied or deleted
' blnKeepRoot  [boolean]  if True, the folder is emptied only,
'                         otherwise it will be deleted itself too
'
' Written by Rob van der Woude
' http://www.robvanderwoude.com
'
    Dim arrSpecialFolders(3)
    Dim objMyFSO, objMyFile, objMyFolder, objMyShell
    Dim objPrgFolder, objPrgFolderItem, objSubFolder, wshMyShell
    Dim strPath, strSpecialFolder

    Const WINDOWS_FOLDER =  0
    Const SYSTEM_FOLDER  =  1
    Const PROGRAM_FILES  = 38

    ' Use custom error handling
    On Error Resume Next

    ' List the paths of system folders that should NOT be deleted
    Set wshMyShell       = CreateObject( "WScript.Shell" )
    Set objMyFSO         = CreateObject( "Scripting.FileSystemObject" )
    Set objMyShell       = CreateObject( "Shell.Application" )
    Set objPrgFolder     = objMyShell.Namespace( PROGRAM_FILES )
    Set objPrgFolderItem = objPrgFolder.Self

    arrSpecialFolders(0) = wshMyShell.SpecialFolders( "MyDocuments" )
    arrSpecialFolders(1) = objPrgFolderItem.Path
    arrSpecialFolders(2) = objMyFSO.GetSpecialFolder( SYSTEM_FOLDER  ).Path
    arrSpecialFolders(3) = objMyFSO.GetSpecialFolder( WINDOWS_FOLDER ).Path

    Set objPrgFolderItem = Nothing
    Set objPrgFolder     = Nothing
    Set objMyShell       = Nothing
    Set wshMyShell       = Nothing

    ' Check if a valid folder was specified
    If Not objMyFSO.FolderExists( myFolder ) Then
        WScript.Echo "Error: path not found (" & myFolder & ")"
        WScript.Quit 1
    End If
    Set objMyFolder = objMyFSO.GetFolder( myFolder )

    ' Protect vital system folders and root directories from being deleted
    For Each strSpecialFolder In arrSpecialFolders
        If UCase( strSpecialFolder ) = UCase( objMyFolder.Path ) Then
            WScript.Echo "Error: deleting """ _
                       & objMyFolder.Path & """ is not allowed"
            WScript.Quit 1
        End If
    Next

    ' Protect root directories from being deleted
    If Len( objMyFolder.Path ) < 4 Then
        WScript.Echo "Error: deleting root directories is not allowed"
        WScript.Quit 1
    End If

    ' First delete the files in the directory specified
    For Each objMyFile In objMyFolder.Files
        strPath = objMyFile.Path
        objMyFSO.DeleteFile strPath, True
        If Err Then
            WScript.Echo "Error # " & Err.Number & vbCrLf _
                       & Err.Description         & vbCrLf _
                       & "(" & strPath & ")"     & vbCrLf
        End If
    Next

    ' Next recurse through the subfolders
    For Each objSubFolder In objMyFolder.SubFolders
        DelTree objSubFolder, False
    Next

    ' Finally, remove the "root" directory unless it should be preserved
    If Not blnKeepRoot Then
        strPath = objMyFolder.Path
        objMyFSO.DeleteFolder strPath, True
        If Err Then
            WScript.Echo "Error # " & Err.Number & vbCrLf _
                       & Err.Description         & vbCrLf _
                       & "(" & strPath & ")"     & vbCrLf
        End If
    End If

    ' Cleaning up the mess
    On Error Goto 0
    Set objMyFolder = Nothing
    Set objMyFSO    = Nothing
End Sub

Thursday, December 13, 2012

Permissions to registry using setacl

Recently I was trying giving permission to one of the registry hives with Subinacl, but it was not working despite all efforts and checking all the syntax and a lot of troubeshooting.

Then I came across another permission granting utility known as SetACL. It worked like a charm. So you can try using this utility is Subinacl fails.

You can download SetACL from http://helgeklein.com/download/

Here is an example to run SetACL to give registry permissions.

"SetACL.exe" -on "hkcr\Interface" -ot reg -actn setowner -ownr "n:Administrators"
"SetACL.exe" -on "hkcr\Interface" -ot reg -actn ace -ace "n:Users;p:full"


  • Object name (-on): This is the path to the object SetACL should operate on (file/directory/registry key/network share/service/printer).
  • Object type (-ot): What kind of object does the object name refer to: file or directory (file), registry key (reg), service (srv), printer (prn), network share (shr)?
  • Action (-actn): What should SetACL do with the object specified?

A lot more details and description can be found at this awesome site: http://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/


Tuesday, October 23, 2012

Install MSP file with MSI

While handling with MSP of applications, sometimes a question comes in mind that can an MSP be installed along with MSI?
The answer is yes, but with a few conditions involved.
The conditions are explained later in the post with some description.

First I will give you the command line to install MSP along with MSI:

msiexec /i {Path to MSI}\Installer.MSI PATCH={Path to MSP}\Patch.MSP /qb

If there is a transform as well to add you can include it in the command line as well.

msiexec /i {Path to MSI}\Installer.MSI TRANSFORMS={Path to Transform}\Transform.MST PATCH={Path to MSP}\Patch.MSP /qb

The only thing which you have to take care in the command line is that you will have to give a complete path to MSP.
Relative paths do not work in this case.

This will apply the patch as in the updated files will be installed from the patch rather than from the MSI.

This process is greatly useful when there are a lot of patches to be applied to an MSI.

There might be cases that the MSI is already deployed on your client machines and you need to patch it with this new patch which has come now. You can deploy the MSP over the MSI and then it is suggested to change the initial MSI package to include the MSP.

If you have multiple MSP for an MSI then the way you implement it actually depends on the way the MSP are created for the MSI. There are two kinds of MSP:
1) Incremental
2) Add-on

The above ones are my terms and not Microsoft's and I am using them just for explaination purpose.

In Incremental MSP, say version 1.2 contains all the content for version 1.1 and so can be installed directly on top of MSI which is version 1.0. Similarly version 1.3 will install directly on top of MSI version 1.0. So you can skip the previous MSP version and directly install the latest version on top of your MSI.

In Add-on MSP, the MSP has only additional data from the previous version of MSI or MSP. For example, say version 1.2 has a few files added but it does not contain the files/registries which were added or modified in version 1.1 of MSP. So in this case you will have to install both MSPs, version 1.1 and 1.2 one after the other on top of MSI version 1.0
You can use command line like this:
msiexec /i {Path to MSI}\Package_1.0.MSI PATCH={Path to MSP}\Patch_1.1.MSP; {Path to MSP}\Patch_1.2.MSP /qb

The order of MSP mentioned here is important as it will install in that particular order only.

I hope this article is helpful to you in organizing and maintaining your Operational work with Application Packaging.

Wednesday, September 26, 2012

Error installing MSI from USB/DVD


I faced an issue installing Flash player from USB drive though it was installing fine when installed from local or network drive. I found out the issue and resolution and want to document here for all of you.

While installing the package, I got this error in the log files:

 

MSI (s) (44:C4) [14:06:35:318]: Source is incorrect. Volume label should be  but is SMSBOOT.

MSI (s) (44:C4) [14:06:46:956]: Source is incorrect. Volume label should be  but is SMSBOOT.

 

While analysing this, I realized that the disk label for my USB is SMSBOOT and this could be anything else for you on your USB or DVD.

I had added a file in my MSI through MST and it had created an entry in the Media table. This entry looked like this and this is the default entry which you get with the tool.

 
 

Behind the scene it was looking for a Blank labelled disk where this media is located but could not find it and it gave an error “Insert Disk”.

I removed the label from my USB drive and kept it Blank. It worked fine.

Just to get this you can do the following in your packages so that this issue does not come.

Just add DISK1 in the VolumeLabel Column for your added media as well. This will make it work for any labelled USB or DVD drive.
 
 

I hope this will help you to resolve your issues.

Tuesday, August 07, 2012

Subinacl to give permissions to registry/Files

Subinacl is a useful utility to give permissions to registries.

Here is a simple example how to give permissions to registry.

subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Optika /grant=administrators=f /grant=system=f /grant=users=f /setowner=administrators >> %temp%\subinacl_output.txt
/keyreg HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Optika /grant=administrators=f /grant=system=f /grant=users=f /setowner=administrators >> %temp%\subinacl_output.txt

Subinacl can be downloaded from net.

More detailed Usage as per your requirements. This contains lots of features.
You can write your comments on what you used and if it worked. Help others by posting your real time examples.

Usage :
     SubInAcl [/option...] /object_type object_name [[/action[=parameter]...]



/options    :
    /outputlog=FileName                 /errorlog=FileName
    /noverbose                          /verbose (default)
    /notestmode (default)               /testmode
    /alternatesamserver=SamServer       /offlinesam=FileName
    /stringreplaceonoutput=string1=string2
    /expandenvironmentsymbols (default) /noexpandenvironmentsymbols
    /statistic (default)                /nostatistic
    /dumpcachedsids=FileName            /separator=character
    /applyonly=[dacl,sacl,owner,group]
    /nocrossreparsepoint (default)      /crossreparsepoint

/object_type :
    /service            /keyreg             /subkeyreg
    /file               /subdirectories[=directoriesonly|filesonly]
    /clustershare       /kernelobject       /metabase
    /printer            /onlyfile           /process
    /share              /samobject

/action      :
    /display[=dacl|sacl|owner|primarygroup|sdsize|sddl] (default)
    /setowner=owner
    /replace=[DomainName\]OldAccount=[DomainName\]New_Account
    /accountmigration=[DomainName\]OldAccount=[DomainName\]New_Account
    /changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]
    /migratetodomain=SourceDomain=DestDomain=[MappingFile[=Both]]
    /findsid=[DomainName\]Account[=stop|continue]
    /suppresssid=[DomainName\]Account
    /confirm
    /ifchangecontinue
    /cleandeletedsidsfrom=DomainName[=dacl|sacl|owner|primarygroup|all]
    /testmode
    /accesscheck=[DomainName\]Username
    /setprimarygroup=[DomainName\]Group
    /grant=[DomainName\]Username[=Access]
    /deny=[DomainName\]Username[=Access]
    /sgrant=[DomainName\]Username[=Access]
    /sdeny=[DomainName\]Username[=Access]
    /sallowdeny==[DomainName\]Username[=Access]
    /revoke=[DomainName\]Username
    /perm
    /audit
    /compactsecuritydescriptor
    /pathexclude=pattern
    /objectexclude=pattern
    /sddl=sddl_string
    /objectcopysecurity=object_path
    /pathcopysecurity=path_container

Usage  : SubInAcl   [/option...] /playfile file_name

Usage  : SubInAcl   /help [keyword]
         SubInAcl   /help /full
    keyword can be :
    features  usage syntax sids  view_mode test_mode object_type
    domain_migration server_migration substitution_features editing_features
- or -
    any [/option] [/action] [/object_type]


SYNTAX
------

describe SubInAcl syntax

The SubInAcl syntax is analog to the UNIX find tool.
For each object, SubInAcl :
    1. retrieves the security descriptor of the object
    2. applies the /action(s). The /actions are executed in the order of
       the command line
    3. If :
       - the security descriptor has been modified and
       - the /testmode switch has not been specified
       the changes are applied to the object
    For instance :
       - SubInAcl /outputlog=result.txt /subdirectories \\Server\c$\temp\*.*
                  /grant=Dom\John=F /noverbose /display
         For each file below \\Server\c$\temp, SubInAcl will
         - open the file
  - grant full control for dom\john
         - display the security setting in noverbose mode
         - save the security descriptor.
         All outputs will be saved in result.txt

You can specify as many /actions as you wish. You must specify at least 3
characters for each action.
The command line is not case-sensitive

Ex: SubInAcl /file c:\temp\*.txt /replace=John=Smith /display
    for each *.txt file will - replace John with Smith
                             - display the whole security descriptor
                             - apply the changes if any

SubInAcl error messages are sent to the Standard error.
You can use the /output switch to save both outputs
and errors in the same file.


FEATURES
--------

describes SubInAcl main features
SubInAcl was designed to help administrators to manage security on
various objects.
It provides :
   - a unified way to manipulate security for different kinds of objects
     (files, registry keys, services, printer,...)
   - a console tool that allows to write scripts to automate
     security tasks
   - some features that help administrators to modify security if some
     changes occur in their organization:
         - user, group deletions (/suppresssid, /cleandeletedsidsfrom )
         - user, group migrations (/replace , /accountmigration)
         - domain, server  migration (/changedomain, /migratetodomain)
         ...
   - security descriptor editing features :
         - owner ( /setowner )
         - primary group ( /setprimarygroup )
         - permissions ( /grant , /deny , /revoke )
         - audit ( /sgrant, /sdeny, /sallowdeny)
   - access to remote objects
   - save and restore permissions (/playfile , /outputlog , /display )

You need SeBackupPrivilege SeRestorePrivilege
SeSecurityPrivilege SeTakeOwnershipPrivilege
SeChangeNotifyPrivilege privileges (locally or remotely) to run this tool

Type SubInAcl /help to get extended help




SIDS
----

sids : explain how SubInAcl retrieves and translates SIDs

The security descriptor references users and groupswith a SID (Security
Identifier). A SID can be expressed in one of the following form:
         + DomainName\Account (ex: DOM\Administrators )
         + StandaloneServer\Group
         + Account ( see LookupAccount API )
         + s-1-x-x-x-x . x is expressed in decimal
           (ex: S-1-5-21-56248481-1302087933-1644394174-1001)
           Warning : In that case, no check is done to verify the existence
           of this SID.

SubInAcl maintains a local cache of SIDs to minimize SID to "Human Name"
translation network cost.

SubInAcl queries the server where the ressource object is located to
translate or retrieve SIDs. If needed, you can specify another SAM
server to translate SIDs (see /alternatesamserver).
If you try to replace SIDs and the originated domain or server is not online,
you can provide a file containing the needed SIDs (see /offlinesam).
You can dump the local cache of SIDs in a file (see /dumpcachedsids).


VIEW_MODE
---------

/noverbose /verbose

SubInAcl can be used in a quiet mode (/noverbose) or a in verbose mode
(/verbose , /Noverbose )
You can specify these switches either :
  - for the entire comand line :
       SubInAcl /noverbose /file *.dat /display
  - after a specific action    :
        SubInacl /file *.dat /display /noverbose /display



TEST_MODE
---------

/testmode /notestmode (default)

If /testmode is specified, the changes will not be reflected to the object
security descriptor. This option is useful to test the validity of a comand.
Ex : SubInacl /subdirec \\server\share\*.* /changedomain=DOMA=DOMB
              /ifchangecontinue /noverbose /display /testmode
     For each file modified this comand displays the modified security
     descriptor. But these changes will not physically apply to the files



OBJECT_TYPE
-----------

/file /subdirectories /onlyfile /keyreg /subkeyreg /service /share /clustershare /printer
/kernelobject /metabase /process /samobject

SubInAcl can work with various objects:
- Files         :
      /file
      /subdirectories
      /onlyfile
- Registry keys :
      /keyreg
      /subkeyreg
- Services      :
      /service
- Shares        :
      /share
      /clustershare
- Printer       :
      /printer
- Kernel named objects :
      /kernelobject
- IIS adminidstration rights :
      /metabase
// - Process       :
      /process
- Sam       :
      /SamObject

The actions are valid for all objects
Most of them support the enumeration with the * character


DOMAIN_MIGRATION
----------------

explain how to migrate security between domain SIDs

The main purpose of SubInAcl is to help administrators to migrate user(s)
if the domain architecture has changed.
For instance, the user John has moved and is now member of the DOMB domain.
You can reflect this change with :
SubInAcl /subdirec \\server\share\*.* /replace=OldDomain\John=DOMB\John
N.B: A trust relationship must be enabled between the domain of server and
OldDomain and NEWDOMAIN
N.B: If a trust relationship cannot be enabled, you can use the
/alternatesamserver=Server. Server should be the name of Domain Controller
Server

Sample :
  You have worked with a unique domain.
  You want to migrate a BDC named MIGRCONTROL with all the files and the
  users utilized on a new domain
  1. Reinstall the BDC as PDC to the NEWDOMAIN (without erasing the files)
  2. Create the users on NEWDOMAIN
  3. Create a "trusted relationship" with OLDDOMAIN
  4. Run SubInAcl /noverbose /subdirectories x:\*.*
                             /changedomain=OLDDOMAIN=NEWDOMAIN
  5. Verify the changes with SubInAcl /noverbose /subdirectories x:\*.*

Sample :
  You have worked with a standalone server named SERVER in a workgroup
  environment. You want to move this server (including users) to a domain DOM.
  1. Move SERVER to the domain DOM
  2. Create the users in the DOM domain
  3. SubInAcl /noverbose /subdirectories \\server\share
              /changedomain=SERVER=DOM

See /changedomain /migratedomain /replace actions


SERVER_MIGRATION
----------------

explain how to migrate SIDs when objects are moved from one server to another one

Migrating file system from one local server to another local server is not
a trivial task. SubInAcl Version 2.2 has been enhanced to help this migration
process.
To migrate file system files from one local server and to preserve security,
you can perform the following steps:
1. use scopy to copy files and ACLs on destination server
2. create local groups on the destination server
3. Use /changedomain or /changedomain with the /alternatesamserver option :
    By default SubInAcl queries the server where the objects are located to
    retrieve SIDS. This server is not aware of the SIDs valid on another
    standalone server
    To address this issue, you can use the /alternatesamserver option to ask
    SubInAcl to to use the alternamesamserver server if a SID resolution is
    not successfull on the initial server.
Sample :
    SubInAcl /alternatesamserver=SourceServer /subdirect
    \\DestServer\Share\*.*
             /migratedomain=SourceServer=DestServer

See /alternatesamserver /migratedomain /offlinesam


EDITING_FEATURES
----------------

how to edit parts of the security descriptor

SubInAcl allows to modify each part of a a security descriptor :
- owner
       see /owner=SID or /setowner=SID
- primary group
       see /setprimarygroup=GroupSID
- system ACL (SubInAcl name = Audit ACL) with Access Control Entries
   (SubInAcl name= AAce = Audit ACE)
see /audit /sgrant /sdeny /sallowdeny
- discretionnary ACL (SubInAcl name = Perm ACL ) with Access Control Entries
   (SubInAcl name= PAce = Perm ACE)
  see /perm   /pace=xxx  /revoke=SID /grant=SID=Access /deny=SID=access
       /sgrant=SID=Access /sdeny=SID=access
/sallowdeny=SID=access- or the full security descriptor
  see /sddl=sddl_string



/SERVICE
--------

/service service_name

manipulate service
- \\ServerName\Messenger
- \\ServerName\M*
- Messenger
N.B: /driver can be used also.
      /driver  * will display all driversm
      /service * will display all services


/KEYREG
-------

/keyreg registry_key

manipulate registry keys
- HKEY_CURRENT_USER\Software
- HKEY_CURRENT_USER\Software\*Version
- \\Srv\HKEY_LOCAL_MACHINE\KeyPath


/SUBKEYREG
----------

/subkeyreg registry_key

manipulate registry keys and subkeys
- HKEY_CURRENT_USER\Software
- HKEY_CURRENT_USER\Software\*Version
- \\Srv\HKEY_LOCAL_MACHINE\KeyPath


/FILE
-----

/file filename

manipulate files
N.B: SubInAcl is not supported on DFS volumes
- *.obj
- c:\temp\*.obj
- \\servername\share\*.exe
- c:\
/file=directoriesonly will apply parameters on directories only
/file=filesonly will apply parameters on files only


/SUBDIRECTORIES
---------------

/subdirectories file_path

manipulate files in specified directory and all subdirectories
- c:\temp\*.obj     : work with all obj files
- c:\temp\test      : work with all test files below the c:\temp directory
- c:\temp\test\*.* : work with all files below temp\test
- c:\temp\test\    : work with all files below temp\test
/subdirectories=directoriesonly will apply parameters on directories only
/subdirectories=filesonly will apply parameters on files only


/ONLYFILE
---------

/onlyfile file_name

open a file without using the FindFilexxx mechanism.
Can be used to access named pipes or mailslot
- \\.\pipe\pipename


/SAMOBJECT
----------

/samobject samobject

allow to access ACL associated to SAM objects(users,localgroup,globalgroup).
Can be used to allow a localgroup(alias) created by a power users on a member
to be updated by another power users member
- \\samserver\localgroup
- \\samserver\*users*
- *group*
- Subinacl /samobject \\sams\testgroup /grant=poweruser1=f


/SHARE
------

/share file_share_name

access a network file share.
- \\server\share
- \\server\test*


/CLUSTERSHARE
-------------

/clustershare \\clustername\fileshareresource

access a cluster file share resource.
- \\clustername\FileShare_Resource_Name
- \\clustername\s*


/KERNELOBJECT
-------------

/kernelobject kernel_object_name

access a named kernel object.
Can be used to view mutex, sections, events objects


/PROCESS
--------

/process pid_or_executable_pattern

access a process object.
- notepad.* or pid_in_decimal


/METABASE
----------

/metabase metabase_path

access to IIS metabase AdminACL metabase property
Note that this property can only be used with these Metabase paths
/LM/MSFTPSVC , /LM/MSFTPSVC/n , /LM/W3SVC , /LM/W3SVC/
This object doesn't support enumeration.
- SubInAcl /metabase \\ServerName\LM\W3SVC /grant=administrator=F



/PRINTER
---------

/printer printername

access to printer
- \\server\printer1
- \\server\*



/DISPLAY
--------

/display[=dacl|sacl|owner|primarygroup|sdsize|sddl]

display the security descriptor
You can also view part of the security descriptor. /display=dacl will
display the discretionary acl. /display=sddl will display the security
using the Win32 SDDL security descriptor string format (see Platform SDK)
The /noverbose display can be used to reapply the security descriptor
(see /playfile)


/PLAYFILE
---------

/playfile playfile

The /playfile feature allows SubInacl to run in a batch mode.
The format of the playfile command file is :
   + object_type object_name
   /action[=parameter]...
   /action[=parameter]...
   +object_type object_name
   /action[=parameter]...

SubInacl /playfile=playfile.txt with
With playfile :
+subdirec *.txt
/grant=everyone=R
+service RkillSrv
/display
will give the same result than
SubInAcl /subdirectories *.txt  /grant=everyone=R
SubInAcl /service RkillSrv /display

One typical usage of the playfile feature is to allow to reapply security settings
saved previously because the output format of the noverbose /display is a playfile
compatible format:
1.a) SubInAcl  /noverbose /outputlog=d:\SubInaclSave.txt /subdirectories c:\*.* /display
This command saves all security settings for the files on C: drive.
Sids will be saved in the Domain\user string format
The /display option in a noverbose mode uses an output playfile compatible format
or
1.b)  SubInAcl /error=d:\Err.txt /outputlog=d:\SubInaclSave.txt /subdirectories c:\*.* /display=sddl
This command saves all security settings using the Win32 SDDL format.
Sids will be saved in the S-1-x-x form. This will not require SubInacl to translate Sids
This may minimize the elapsed time and resource usage
2) SubInAcl /playfile d:\SubInaclSave.txt
This command will reapply the previously saved settings.

One other advantage of using a playfile is to improve performance and save network
bandwidth because SubInacl maintains a local cache of SIDs.
For instance if you issue :
SubInacl /subdirectories c:\*.* /migrate=domain1=domain2
And
SubInacl /subdirectories d:\*.* /migrate=domain1=domain2

Batching  these commands will reduce the network usage bandwidth and improve
performance because SID TO HUMAN NAME resolution process will be reduced.


/OUTPUTLOG
----------

/outputlog=filename

all outputs will be send in filename. You need to use /errlog switch to
redirect all errors in a different file


/ERRORLOG
---------

/errorlog=filename.txt

all errors will be send in the filename.txt


/ALTERNATESAMSERVER
-------------------

/alternatesamserver=Server

SubInAcl queries the Server where the object is located to lookup Sids.
Under some circumstances , you may need ( see server_migration or
domain_migration) to retrieve Sids from another server. If a Sid resolution is
unsuccessful, this option allows SubInAcl to query the alternamesamserver.


/OFFLINESAM
-----------

/offlinesam=FileName

By default, SubInAcl queries the Server where the object is located to lookup
Sids.Under some circumstances (migration where the source server is offline
or if a domain is no longer available, want to avoid network round trip
for SIDs retrievals), you may allow SubInAcl.exe to retrieve SIDs from
the FileName file.
File format is :
__cachefileonly__=s-1-9-cacheonly
domain\simon=S-1-5-21-1190502449-1716722630-1654032285-1105
nat\julien=S-1-5-21-1060284298-436374069-1708537768-1005

where domain\simon and nat\julien can be a domain account or server account.
With the __cachefileonly__ line in the file, SubInAcl.exe will not query
SAM Server(s) anymore. All needed SIDs should be found in the SAM
cache file


/DUMPCACHEDSIDS
---------------

/dumpcachedsids=FileName

At the end of the subinacl execution,
you can dump the contents of the local cache Sids in a file.
This file can later be used for future SubInacl execution (see .
/offlinesam) to speed up the Sids resolution process)


/SETOWNER
---------

/setowner=SID

will change the owner of the object
/owner=SID or /setowner=SID
owner = DomainName\Administrators will retrieve the Administrators Sid on
the server where the object is (see Win32 SDK LookupAccountName function).


/REPLACE
--------

/replace=DomainName\OldAccount=DomainName\New_Account

    replace all ACEs (Audit and Permissions) in the object
    Ex: /replace=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan will replace
        all ACEs containing DOM_MARKETING\ChairMan with NewChairMan SID
        retrieves from NEWDOM domain
    Warning: if DomainName\New_Account has already an ACE, ACE replacement is
    skipped


/ACCOUNTMIGRATION
-----------------

/accountmigration=DomainName\OldAccount=DomainName\New_Account

    (see /replace)
    will :
    - replace owner or primary group if one of them is DomainName\OldAccount.
    - duplicate ACE(s) with reference to DomainName\OldAccount for New_Account
    Ex: /accountmigration=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan will
    duplicate all ACEs containing DOM_MARKETING\ChairMan with NewChairMan SID
    retrieves from NEWDOM domain
    Warning : if DomainName\New_Account has already an ACE, ACE replacement is
    skipped


/CLEANDELETEDSIDSFROM
---------------------

/cleandeletedsidsfrom=domain[=dacl|sacl|owner|primarygroup|all]

    delete all ACEs containing deleted (no valid) Sids from DomainName
    You can specify which part of the security descriptor will be scanned
    (default=all)
    If the owner is deleted, new owner will be the Administrators group.
    If the primary group is deleted, new primary group will be the Users group.


/CHANGEDOMAIN
-------------

/changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]

     replace all ACEs with a Sid from OldDomainName
     with the equivalent Sid found in NewSamServer
     Ex: /changedomain=DOM_MARKETING=NEWDOMAIN
     replace all ACEs containing DOM_MARKETING\ChairMan SID
     with the ChairMan's SID retrieved on NEWDOMAIN computer
     The NEWDOMAIN must have a trusted relationship with the server
     containing the object

     If you want to explicitly specify the users affected , you can specify a
     mapping file. The MappingFile file will allow you to specify the list of
     users affected and the name of the replacing user in the NewDomain

     Below a sample of a MappingFile

     simon=julien
     administrator=administrator

     OldDomainName\Simon will be replaced by NewDomainName\Julien and
     OldDomainName\Administrator will be replaced with
     NewDomainName\Administrator

     If you use /changedomain=OldDomainName=NewDomainName=MappingFile notation
     ,only users defined in this file will be migrated.
     If you use /changedomain=OldDomainName=NewDomainName=MappingFile=Both,
     the mapping file will be examined first to determine if a mapping user
     exist. If not, SubInacl will try to find the equivalent user in the
     NewDomainName


/MIGRATETODOMAIN
----------------

/migratetodomain=FromDomainName=ToDomainName[=MappingFile[=Both]]

     same behavior than /changedomain except that news ACEs will added instead
     of replacing
     Ex: /migratetodomain=DOM1=DOM2
     each ace with DOM1\User will be duplicated with DOM2\User
     (If DOM2\User exists)
     If during the migration there was a serious oversight
     you can instruct the user to log back onto DOM1.
     N.B: Owner and Primary Group are migrated to DOM2


/FINDSID
--------

/findsid=DomainName\Account[=stop|continue]

     display the object name containing a reference to DomainName\Account
     in the security descriptor
     stop     - if Account is found, next parameters will be skipped
                and changes will not be applied
              - if Account is not found, next parameter will be executed
     continue - if Account found, next parameters will be executed
              - if Account not found, next parameters will be skipped
                and changes will not be applied


/SUPPRESSSID
------------

/suppresssid=DomainName\Account

     suppress all ACES containing the DomainName\Account SID.
     If the object's owner is DomainName\Account, the owner is set to
     Everyone's SID.


/PERM
-----

/perm

     suppress all existing permissions aces (PACEs)


/AUDIT
------

/audit

     suppress all existing auditing aces (AACEs)


/IFCHANGECONTINUE
-----------------

/ifchangecontinue

     continue to process the next actions only if some changes have been
     made in the previous actions


/TESTMODE
---------

/testmode

     changes will not be applied to the object. This allows to test the
     modifications


/ACCESSCHECK
------------

/accesscheck=Domain\Username

     display the access granted to the Domain\Username. The password will
     be asked. This option requires the SeTcbName privilege (Act as Part
     of the Operating System). This option cannot be used with remote object.
     Note : the access is checked with the NETWORK security identified
     granted to the Domain\UserName


/SETPRIMARYGROUP
----------------

/setprimarygroup=[DomainName\]Group

     change the primary group


/DENY
-----

/deny=[DomainName\]User[=Access]

     add a  denied Permission Ace for the specified User (or group)
  If Access is not specified, all accesses will be denied.

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

     Process:
       F : Full Control
       R : Read
       W : Write
       X : eXecute

     SamObject:
       F : Full Control
       W : Write
       R : Read
       X : Execute


/REVOKE
-------

/revoke=[DomainName\]User

     suppress all Permission Ace(s) for the specified User (or group)


/GRANT
------

/grant=[DomainName\]User[=Access]

     will add a Permission Ace for the user.
     if Access is not specified, the Full Control access will be granted.

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

     Process:
       F : Full Control
       R : Read
       W : Write
       X : eXecute

     SamObject:
       F : Full Control
       W : Write
       R : Read
       X : Execute


/SALLOWDENY
-----------

/sallowdeny=[DomainName\]User[=Access]

     will add an Allow/Failed Audit Ace for the user and remove all existing
     Audit Ace for this user(or group).
     if Access is not specified, the Full Control access mask will be used.
     Ex: SubInacl /file c:\windows\explorer.exe /sallowdeny=everyone=R
         will set the audit for everyone's successful and failed access


/SGRANT
-------

/sgrant=[DomainName\]User[=Access]

     will add a Successfull (Allow) Audit Ace for the user and remove all existing
     Audit Ace for this user(or group).
     if Access is not specified, the Full Control access mask will be used.
     Ex: SubInacl /file c:\windows\explorer.exe /sgrant=everyone=R
         will set the audit for everyone's successful access

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

     Process:
       F : Full Control
       R : Read
       W : Write
       X : eXecute

     SamObject:
       F : Full Control
       W : Write
       R : Read
       X : Execute


/SDENY
------

/sdeny=[DomainName\]User[=Access]

     will add a Failed Audit Ace for the user and remove all existing
     Audit Ace for this user(or group).
     if Access is not specified, the Full Control access mask will be used.

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

     Process:
       F : Full Control
       R : Read
       W : Write
       X : eXecute

     SamObject:
       F : Full Control
       W : Write
       R : Read
       X : Execute


/OBJECTEXCLUDE
--------------

/objectexclude=pattern

      all objects matching the pattern string will be skipped (eXcluded).
   The only wildcard valid is *. It can be used everywhere in the string.
      Pattern may be a name ( *Name.exe ) or a path ( *dir\subdir\*ToExclude* ).


/PATHEXCLUDE
------------

/pathexclude=pattern

      all containers matching the pattern string will not be enumerated.
      See /objectexclude
      N.B: the Actions specified will not be applied to the container too.


/STATISTIC
----------

/statistic

      will display statistics when processing is finished.


/CROSSREPARSEPOINT
------------------

/crossreparsepoint

      When processing a file system path, SubInacl will enumerate
      file and directories below a reparsepoint except if /nocrossreparsepoint.
      is specified.


/STRINGREPLACEONOUTPUT
----------------------

/stringreplaceonoutput=string1=string2

      All occurrences of string1 will be replaced by string2 in subinacl output.


/SDDL
-----

/sddl=sddl_string

      specify the Security descriptor for the object using the Win32 security
      descriptor definition language (SDDL)


/APPLYONLY
----------

/applyonly=dacl,sacl,owner,group

      Some subinacl options may change parts (owner,group,dacl,sacl) of the security descriptor.
      You may restrict the change to some parts of the security descriptor only .
      For instance /applyonly=dacl,sacl,owner will not modify the primary group field


/PATHCOPYSECURITY
-----------------

/pathcopysecurity=path_container

      SubInacl will reset the security descriptor for the object with the same named object
      in the container path.
      Ex: - SubInacl /file c:\temp\*.txt /pathcopysecurity=d:\test
          will replace the security (acls,owner,primarygroup) for c:\temp\1.txt with the security
          retrieved from d:\test\1.txt (if this file exists)
          -SubInacl /service Messenger /pathcopysecurity=\\Server
          will update the security on the service Messenger with the security existing on the remote
          messenger service


/OBJECTCOPYSECURITY
-------------------

/objectcopysecurity=object_path

      SubInacl will reset the security descriptor with the object object_path
      in the container path.
      Ex: - SubInacl /file c:\temp\*.txt /objectcopysecurity=d:\test\mask.txt
          will replace the security (acls,owner,primarygroup) for all txt files
          in c: emp with the security retrieved on d:\test\amsk.txt
          will update the security on the service Messenger with the security existing on the remote
          messenger service

With help from this awesome post: http://www.vanstechelman.eu/windows/how_to_use_subinacl