Setting registry permissions with PowerShell


I found the answer after looking at the AccessControl parameters more closely. I wasn't specific enough in defining the ACL to be added. This is the current code, which only adds the permission to the top key alone:

$AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain Admins","FullControl","Allow")

This is the code that allows the ACL to be set at the top level of the registry and inherit down to those below:

$AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain Admins","FullControl","ObjectInherit,ContainerInherit","None","Allow")
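
A way to see the difference between the two rule forms above on a throwaway key, as an added example that is not part of the original answer. The scratch key `HKCU\Software\AclInheritDemo`, the `BUILTIN\Users` principal and the `QueryValues` right are assumptions, chosen so the check runs without taking ownership or granting FullControl.

```powershell
# Added example. The scratch key, BUILTIN\Users and QueryValues are assumptions.
$root  = 'Software\AclInheritDemo'                                     # hypothetical scratch key under HKCU
$sid   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'  # BUILTIN\Users
$right = [System.Security.AccessControl.RegistryRights]::QueryValues

function Set-DemoRule {
    param([System.Security.AccessControl.RegistryAccessRule]$Rule)
    # ChangePermissions (WRITE_DAC) is the right needed to write a DACL.
    $need = [System.Security.AccessControl.RegistryRights]'ReadKey, ChangePermissions'
    $key  = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($root,
                [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $need)
    try {
        $acl = $key.GetAccessControl()
        $acl.SetAccessRule($Rule)   # replaces earlier Allow rules for the same identity
        $key.SetAccessControl($acl)
    } finally { $key.Close() }
}

function Test-ChildInherits {
    $child = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey("$root\Child")
    try {
        # Inherited ACEs only ($false = skip explicit), identities returned as SIDs.
        $rules = $child.GetAccessControl().GetAccessRules($false, $true,
                     [System.Security.Principal.SecurityIdentifier])
        [bool]($rules | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band $right) -eq $right
        })
    } finally { $child.Close() }
}

# Parent key with one subkey that exists before any rule is applied.
[Microsoft.Win32.Registry]::CurrentUser.CreateSubKey("$root\Child").Close()

# 3-argument form from the question: the ACE covers the key itself only.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ($sid, $right, 'Allow')
Set-DemoRule $rule
"3-arg rule reaches subkey: $(Test-ChildInherits)"

# 5-argument form from the answer: ContainerInherit is the flag that reaches subkeys.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule (
    $sid, $right, 'ObjectInherit,ContainerInherit', 'None', 'Allow')
Set-DemoRule $rule
"5-arg rule reaches subkey: $(Test-ChildInherits)"

[Microsoft.Win32.Registry]::CurrentUser.DeleteSubKeyTree($root)   # clean up
```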

Author: Meckron

Updated on September 18, 2022

Comments

  • Meckron, almost 2 years

    I have a registry key that I need to take ownership of and then set a permission set on. I'm able to take ownership, but when setting the permission, it only applies to the very top level of the registry key; it doesn't inherit down. What do I need to modify to make the permission inherit to the entire key?

    $AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain Admins","FullControl","Allow")
    $owner = [System.Security.Principal.NTAccount]"Administrators"
    
    $keyCR = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
    # Get a blank ACL since you don't have access and need ownership
    $aclCR = $keyCR.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
    $aclCR.SetOwner($owner)
    $keyCR.SetAccessControl($aclCR)
    
    # Get the acl and modify it
    $aclCR = $keyCR.GetAccessControl()
    $aclCR.SetAccessRule($AddACL)
    $keyCR.SetAccessControl($aclCR)
    $keyCR.Close()
    
  • TOOGAM, over 7 years
    +1; I haven't verified that the answer is correct, but it does seem to directly address the question, so it appears to be a useful answer that, unfortunately, never seemed to get any recognition/feedback from the question poster.