"Requested registry access is not allowed." Powershell


Step 1.

Assigning Permissions to a Registry Key

  1. Click the key that you want to assign permissions.
  2. On the Edit menu, click Permissions.
  3. Click the group or user name that you want to work with.
  4. Assign one of the following access levels to the key: Select the Allow check box for Read to give permission to read the key contents, but not save any changes. Select the Allow check box for Full Control to give permission to open, edit, and take ownership of the key.
  5. To grant special permission in the key, click Advanced, and then double-click the user or group that you want to assign special access. Under Permissions, select the Allow or the Deny check box for each permission you want to allow or deny.

Step 2.

Windows Server 2003 Domain Controller

  1. Open the Group Policy editor
  2. Navigate to Local Computer Policy > Computer Configuration > Policies > Windows Settings > Security Settings > System Services
  3. In the right-hand pane locate Remote Registry
  4. Define the policy, and set the Startup type to Automatic
  5. Reboot the clients to apply the policy

Windows Server 2008 or newer Domain Controller

  1. Open the Group Policy editor
  2. Expand Computer Configuration > Policies > Windows Settings > Security Settings > System Services
  3. Find the Remote Registry item and change the Service startup mode to Automatic
  4. Reboot the clients to apply the policy

Step 3.

Open the Local Group Policy Editor and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Properties of "Network access: Remotely accessible registry paths and sub-paths" -> on the Local Policies Setting tab, add the registry sub-paths that you wish to query.

For example: System\CurrentControlSet\Control\ContentIndex

Author: Ender

Updated on September 18, 2022

Comments

  • Ender
    Ender over 1 year

    I'm trying to find database size of DC which is located in NTDS service. My script is:

    $Computer = "abe.com"
    # Connect to the remote HKEY_LOCAL_MACHINE hive (requires the Remote Registry service)
    $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)

    # Closing parenthesis was missing in the original post
    $RegKey = $Reg.OpenSubKey("SYSTEM\\CurrentControlSet\\services\\NTDS\\Parameters")
    $NTDSPath = $RegKey.GetValue("DSA Database file")
    # Turn C:\...\ntds.dit into \\server\C$\...\ntds.dit
    $NTDSREMOTEPath = "\\$Computer\$NTDSPath" -replace ":","$"
    $NTDSREMOTEPath = Get-Item $NTDSREMOTEPath | Select-Object -ExpandProperty Length

    ($NTDSREMOTEPath / 1GB).ToString("0.000" + " GB")
    

    After running this I got an error:

    Exception calling "OpenSubKey" with "1" argument(s): "Requested registry access is not allowed."
    At C:\Users\Documents\HealthCheck\hardwareMonitoring.ps1:40 char:1
    + $RegKey= $Reg.OpenSubKey("SYSTEM\\CurrentControlSet\\services\\NTDS\\Parameters" ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : SecurityException
    
    You cannot call a method on a null-valued expression.
    At C:\Users\Documents\HealthCheck\hardwareMonitoring.ps1:41 char:1
    + $NTDSPath = $Regkey.GetValue("DSA Database file")
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull
    
    Get-item : Cannot find path '\\abc.com\' because it does not exist.
    At C:\Users\Documents\HealthCheck\hardwareMonitoring.ps1:43 char:19
    + $NTDSREMOTEPath = Get-item $NTDSREMOTEPath | Select-Object -ExpandProperty Lengt ...
    +                   ~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (\\abc.com\:String) [Get-Item], ItemNotFoundException
        + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemCommand
    

    I realized that my account does not have enough permission to query this path from regedit SYSTEM\\CurrentControlSet\\services\\NTDS\\Parameters.

    I decided to login into "abc.com" and added my account with full control and read rights. What I have done was, right click on Parameter choose permissions and add my account in.

    I came back to run the script again. I got the same error!

    It works with Admin account by the way. I want to execute the query without using a domain admin account.

    What's the reason in this case? Thank you so much!

    • Ender
      Ender over 6 years
      @jscott I was really doubtful for this. What can I do more? :(
    • Todd Wilcox
      Todd Wilcox over 6 years
      "It works with Admin account by the way. But I'm trying to mitigate the risk as much as possible." Mitigate the risk of what?
    • Ender
      Ender over 6 years
      @ToddWilcox I don't wanna run the script with Admin account. It can be abused easily and for some other reasons it's better to run with regular user.
    • Todd Wilcox
      Todd Wilcox over 6 years
      Are you trying to run the script one time to get the information or are you trying to schedule the script and/or save the credentials somewhere? If you're just running it one time, then there's no reason to worry about what will happen with admin credentials unless you have a multiple personality disorder.
    • Ender
      Ender over 6 years
      I'm trying to schedule the script btw @ToddWilcox
    • Todd Wilcox
      Todd Wilcox over 6 years
      It might be a lot clearer if you explain in your question that what you're really looking for are the minimum privileges and permissions required by an account to execute this query, so you can set up an account with minimum access necessary to be used for a scheduled task. It's not that you can't execute the query at all, it's that you want to know how to execute the query without using a domain admin account.
    • Ender
      Ender over 6 years
      @ToddWilcox, Tks for pointing it out, I have edited :)
    • Greg Askew
      Greg Askew over 6 years
      This seems unnecessary. It would be far simpler to specify a variable with the path, that could be changed if necessary. The number of organizations with an AD database in a non-default location are actually very small, and most likely have the same path on all domain controllers.