Grat End-User Rights to Remotely Modify an HKLM Registry Key
Posted on 2006-03-24
Hi all. I've written a VB.Net application that synchronizes some data with a .Net service via an HKLM registry key on a member server (Windows Server 2003) that I'll call Moe.
Non-domain admins end-users must be able to read and write the key. The key on Moe looks something like....
They need to read/write values in OurStuff. I can't get it to work. Here is what I've done....
Created AD Global Group "OurStuffOps"
Placed the appropriate users and groups in "OurStuffOps"
Created a domain GPO called "OurStuffOps Policy." Linked it to the OU that Moe is in. Gave rights to the Moe$ computer object to apply the group policy.
In the computer branch of "OurStuffOps Policy" I set "Access this computer from the network" to the "OurStuffOps" group. I set the following ACE's on registry keys...
HKLM = Read (this key only) for the "OurStuffOps" group.
HKLM\SOFTWARE = Read (this key only) for the "OurStuffOps" group.
HKLM\SOFTWARE\OurStuff = Full Control (this key and subkeys) for the "OurStuffOps" group.
(Note: Also tried full control for HKLM and HKLM\SOFTWARE. I also tried it for keys/subkeys)
Of course I ran GPUPDATE /FORCE on Moe. I verified via Regedt that the new permissions have taken effect on Moe's keys. I checked secpol.msc on Moe to verify that the "OurStuffOps" group now has "access this computer from the network."
While logged in as my test end user (Larry Bird) the VB.Net app still throws an exception on the first registry read - permission denied. Mr. Bird can't access HKLM via Regedit over the network either. Of course, all of this works if I put Mr. Bird into Moe's Administrators group, but I don't want end-users with that level of power.
What am I missing? There's probably a good article that I'm not finding. Help please!