Grant End-User Rights to Remotely Modify an HKLM Registry Key

Posted on 2006-03-24
Last Modified: 2012-05-05

Hi all. I've written a VB.Net application that synchronizes some data with a .Net service via an HKLM registry key on a member server (Windows Server 2003) that I'll call Moe.

Non-domain-admin end users must be able to read and write the key. The key on Moe looks something like....

They need to read/write values in OurStuff. I can't get it to work. Here is what I've done....

Created AD Global Group "OurStuffOps"
Placed the appropriate users and groups in "OurStuffOps"
Created a domain GPO called "OurStuffOps Policy." Linked it to the OU that Moe is in. Gave rights to the Moe$ computer object to apply the group policy.

In the computer branch of "OurStuffOps Policy" I set "Access this computer from the network" to the "OurStuffOps" group. I set the following ACEs on registry keys...

HKLM = Read (this key only) for the "OurStuffOps" group.
HKLM\SOFTWARE = Read (this key only) for the "OurStuffOps" group.
HKLM\SOFTWARE\OurStuff = Full Control (this key and subkeys) for the "OurStuffOps" group.

(Note: Also tried full control for HKLM and HKLM\SOFTWARE. I also tried it for keys/subkeys)

Of course I ran GPUPDATE /FORCE on Moe. I verified via Regedit that the new permissions have taken effect on Moe's keys. I checked secpol.msc on Moe to verify that the "OurStuffOps" group now has "access this computer from the network."

While logged in as my test end user (Larry Bird) the VB.Net app still throws an exception on the first registry read - permission denied. Mr. Bird can't access HKLM via Regedit over the network either. Of course, all of this works if I put Mr. Bird into Moe's Administrators group, but I don't want end-users with that level of power.

What am I missing? There's probably a good article that I'm not finding. Help please!

Question by: mooseguy57

    Accepted Solution

    I think there's one more step to complete.

    Computer Config>Windows Settings>Security Settings>Security Options:

    >> Network Access: Remotely accessible registry paths
    >> Network Access: Remotely accessible registry paths and sub-paths

    I think one or both of these need some attention on "Moe".


    Author Comment

    Thanks Netman66. I'll test this today and let you know.
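
A way to inspect the state behind the two Security Options named in the accepted solution, as an added example that is not part of the original thread. It assumes PowerShell 3 or later in an elevated session on the server itself, and uses `SOFTWARE\OurStuff` from the question as the target. The two policies are stored as the `Machine` values under `winreg\AllowedExactPaths` and `winreg\AllowedPaths`; the ACL on the `winreg` key decides who may connect to the registry remotely, listed paths are exempt from that check, and the target key's own ACL applies in every case.

```powershell
# Added example (not from the thread). Run locally on the server, elevated.
# $target is the key named in the question; change it for your own key.
$target = 'SOFTWARE\OurStuff'
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Get-MachinePaths([string]$SubKey) {
    # Returns the REG_MULTI_SZ 'Machine' list for a winreg subkey, or nothing.
    $key = Join-Path $winreg $SubKey
    if (-not (Test-Path $key)) { return }
    $v = (Get-ItemProperty -Path $key -Name Machine -ErrorAction SilentlyContinue).Machine
    $v | Where-Object { $_ }
}

# "Remotely accessible registry paths" -> exact match only
$exact = @(Get-MachinePaths 'AllowedExactPaths')
# "Remotely accessible registry paths and sub-paths" -> prefix match
$sub   = @(Get-MachinePaths 'AllowedPaths')

$exactHit = $exact | Where-Object { $_.TrimEnd('\') -ieq $target }
$subHit   = $sub | Where-Object {
    $p = $_.TrimEnd('\')
    ($target -ieq $p) -or
        $target.StartsWith("$p\", [StringComparison]::OrdinalIgnoreCase)
}

[pscustomobject]@{
    Target                = "HKLM\$target"
    RemoteRegistryService = (Get-Service RemoteRegistry -ErrorAction SilentlyContinue).Status
    ListedAsExactPath     = [bool]$exactHit
    CoveredBySubPaths     = [bool]$subHit
} | Format-List

# Show who is allowed through the winreg gate and on the target key itself.
foreach ($k in $winreg, "HKLM:\$target") {
    if (-not (Test-Path $k)) { "Key not found: $k"; continue }
    "ACL on $k"
    (Get-Acl -Path $k).Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize |
        Out-String
}
```

If neither flag is true and the group from the question is absent from the `winreg` ACL, non-administrators are stopped at the remote connection before the permissions on `HKLM\SOFTWARE\OurStuff` are ever evaluated. Granting the group Read on the `winreg` key keeps access scoped to that group, whereas listing a path exempts it from the `winreg` check for every remote caller.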

