Grant End-User Rights to Remotely Modify an HKLM Registry Key

Hi all. I've written a VB.Net application that synchronizes some data with a .Net service via an HKLM registry key on a member server (Windows Server 2003) that I'll call Moe.

Non-domain-admin end users must be able to read and write the key. The key on Moe looks something like....

They need to read/write values in OurStuff. I can't get it to work. Here is what I've done....

Created AD Global Group "OurStuffOps"
Placed the appropriate users and groups in "OurStuffOps"
Created a domain GPO called "OurStuffOps Policy." Linked it to the OU that Moe is in. Gave rights to the Moe$ computer object to apply the group policy.

In the computer branch of "OurStuffOps Policy" I set "Access this computer from the network" to the "OurStuffOps" group. I set the following ACEs on registry keys...

HKLM = Read (this key only) for the "OurStuffOps" group.
HKLM\SOFTWARE = Read (this key only) for the "OurStuffOps" group.
HKLM\SOFTWARE\OurStuff = Full Control (this key and subkeys) for the "OurStuffOps" group.

(Note: Also tried full control for HKLM and HKLM\SOFTWARE. I also tried it for keys/subkeys)

Of course I ran GPUPDATE /FORCE on Moe. I verified via Regedit that the new permissions have taken effect on Moe's keys. I checked secpol.msc on Moe to verify that the "OurStuffOps" group now has "access this computer from the network."

While logged in as my test end user (Larry Bird) the VB.Net app still throws an exception on the first registry read - permission denied. Mr. Bird can't access HKLM via Regedit over the network either. Of course, all of this works if I put Mr. Bird into Moe's Administrators group, but I don't want end-users with that level of power.

What am I missing? There's probably a good article that I'm not finding. Help please!


I think there's one more step to complete.

Computer Config > Windows Settings > Security Settings > Security Options:

>> Network Access: Remotely accessible registry paths
>> Network Access: Remotely accessible registry paths and sub-paths

I think one or both of these need some attention on "Moe".
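
To see what those two settings currently contain on Moe, the following is an added example, not part of the original thread. On Windows Server 2003 the two policies are stored as the `Machine` value under the `AllowedExactPaths` and `AllowedPaths` subkeys of the `winreg` key; the helper names `Get-RemotePathList` and `Find-Coverage` and the matching logic are assumptions made for illustration.

```powershell
# Added example. Run locally on the server in an elevated PowerShell session.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$target = 'SOFTWARE\OurStuff'   # key from the question, relative to HKLM

function Get-RemotePathList([string]$SubKey) {
    # Each policy is stored as a REG_MULTI_SZ value named "Machine".
    $key = Join-Path $winreg $SubKey
    $prop = Get-ItemProperty -Path $key -Name Machine -ErrorAction SilentlyContinue
    if ($prop) { $prop.Machine | Where-Object { $_ } }
}

function Find-Coverage([string]$Path, [string[]]$Exact, [string[]]$Tree) {
    # Assumption: entries are compared case-insensitively, without the hive prefix.
    $norm = $Path.Trim('\')
    foreach ($e in $Exact) {
        if ($e.Trim('\') -ieq $norm) { return "exact path entry '$e'" }
    }
    foreach ($t in $Tree) {
        $root = $t.Trim('\')
        $isChild = $norm.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)
        if ($norm -ieq $root -or $isChild) { return "path and sub-paths entry '$t'" }
    }
}

$exact = @(Get-RemotePathList 'AllowedExactPaths')   # "Remotely accessible registry paths"
$tree  = @(Get-RemotePathList 'AllowedPaths')        # "... registry paths and sub-paths"

"Remotely accessible registry paths ($($exact.Count) entries):"
$exact | ForEach-Object { "  $_" }
"Remotely accessible registry paths and sub-paths ($($tree.Count) entries):"
$tree | ForEach-Object { "  $_" }

$hit = Find-Coverage $target $exact $tree
if ($hit) { "HKLM\$target is covered by $hit" } else { "HKLM\$target is not listed in either setting" }

# Accounts on the winreg key's ACL; this ACL governs who may open the registry remotely.
"ACL on ${winreg}:"
(Get-Acl -Path $winreg).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

Running it before and after GPUPDATE shows whether a change made in the GPO has actually reached the server.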


mooseguy57 (Author) commented:
Thanks Netman66. I'll test this today and let you know.

Question has a verified solution.