Sometimes I need to change permissions in a machine's registry for an application to run. For example, for Microsoft Photo Editor in the Microsoft Office 2000 suite, I need to change permissions in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools registry subkey. Otherwise, Photo Editor won't run. Up to this point, I've either used regedt32 to manually change the permissions on the user's machine or given the user Administrator privileges on the local machine. I'd much rather use a script to set these registry permissions. I know I can use WSH to read and write to the registry, but can I use WSH to set permissions in it?

You can't use the registry methods that the WshShell object exposes to set registry permissions. However, you can use subinacl.exe or adssecurity.dll. Of these solutions, only adssecurity.dll supports remote registries.

Subinacl.exe is a command-line utility in the Microsoft Windows 2000 Server Resource Kit. This utility lets you manage the security descriptor on a variety of securable objects, including the registry. You can find subinacl.exe syntax, usage instructions, and examples in the resource kit's Tools Help document.

Adssecurity.dll is a COM component in the Active Directory Service Interfaces (ADSI) software development kit (SDK). To use adssecurity.dll, you must first download the ADSI SDK from http://www.microsoft.com/ntserver/nts/downloads/other/adsi25/sdk.asp. To install the ADSI SDK, unzip the archive in your preferred target directory (e.g., C:\program files\adsi). After unzipping the archive, open a command prompt and go to the C:\program files\adsi\resourcekit (or equivalent) directory. To install the component, you must register adssecurity.dll with the Regsvr32 command

C:\program files\adsi\resourcekit>
        regsvr32 adssecurity.dll

You should receive the message DllRegisterServer in ADsSecurity.dll succeeded. You're now ready to use the component. The C:\program files\adsi\rtk.htm file contains usage instructions and sample code.