Grant End-User Rights to Remotely Modify an HKLM Registry Key

Hi all. I've written a VB.Net application that synchronizes some data with a .Net service via an HKLM registry key on a member server (Windows Server 2003) that I'll call Moe.

Non-domain-admin end users must be able to read and write the key. The key on Moe looks something like....

They need to read/write values in OurStuff. I can't get it to work. Here is what I've done....

Created AD Global Group "OurStuffOps"
Placed the appropriate users and groups in "OurStuffOps"
Created a domain GPO called "OurStuffOps Policy." Linked it to the OU that Moe is in. Gave rights to the Moe$ computer object to apply the group policy.

In the computer branch of "OurStuffOps Policy" I set "Access this computer from the network" to the "OurStuffOps" group. I set the following ACEs on registry keys...

HKLM = Read (this key only) for the "OurStuffOps" group.
HKLM\SOFTWARE = Read (this key only) for the "OurStuffOps" group.
HKLM\SOFTWARE\OurStuff = Full Control (this key and subkeys) for the "OurStuffOps" group.

(Note: Also tried full control for HKLM and HKLM\SOFTWARE. I also tried it for keys/subkeys)

Of course I ran GPUPDATE /FORCE on Moe. I verified via Regedit that the new permissions have taken effect on Moe's keys. I checked secpol.msc on Moe to verify that the "OurStuffOps" group now has "access this computer from the network."

While logged in as my test end user (Larry Bird) the VB.Net app still throws an exception on the first registry read - permission denied. Mr. Bird can't access HKLM via Regedit over the network either. Of course, all of this works if I put Mr. Bird into Moe's Administrators group, but I don't want end-users with that level of power.

What am I missing? There's probably a good article that I'm not finding. Help please!

1 Solution
I think there's one more step to complete.

Computer Config > Windows Settings > Security Settings > Security Options:

>> Network Access: Remotely accessible registry paths
>> Network Access: Remotely accessible registry paths and sub-paths

I think one or both of these need some attention on "Moe".

mooseguy57 (Author) commented:
Thanks Netman66. I'll test this today and let you know.
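
A local check for the two settings named in the answer above, as an added example that is not part of the original thread: Windows stores these policies under the `winreg` key, whose own ACL decides who may connect to the registry remotely, while the listed paths stay reachable subject to each key's ACL. `$KeyPath` and `$Group` reuse the question's names and are assumptions about the real key and group.

```powershell
# Added example; run locally on the server (the page's "Moe") as an administrator.
# $KeyPath and $Group come from the question; replace with the real key and group.
$KeyPath = 'SOFTWARE\OurStuff'
$Group   = 'OurStuffOps'
$WinReg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Get-AllowedList([string]$SubKey) {
    # Reads the REG_MULTI_SZ "Machine" value that backs the policy setting.
    $path = Join-Path $WinReg $SubKey
    if (-not (Test-Path $path)) { return }
    (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).Machine
}

function Get-GroupAces([string]$Path) {
    # ACEs on a key whose account name ends with the group name (DOMAIN\Group).
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Group" } |
        Select-Object IdentityReference, AccessControlType, RegistryRights, IsInherited
}

$exact = @(Get-AllowedList 'AllowedExactPaths')  # "Remotely accessible registry paths"
$tree  = @(Get-AllowedList 'AllowedPaths')       # "...registry paths and sub-paths"

# The exact list must name the key itself; the sub-path list may name it or a parent.
$inExact = @($exact | Where-Object { $_ -ieq $KeyPath }).Count -gt 0
$inTree  = @($tree | Where-Object {
    $_ -and ($KeyPath -ieq $_ -or $KeyPath -like ($_.TrimEnd('\') + '\*'))
}).Count -gt 0

"Remote Registry service : " + (Get-Service RemoteRegistry).Status
"Listed in exact paths   : $inExact"
"Listed in sub-paths     : $inTree"

"ACEs for $Group on winreg (who may connect remotely):"
Get-GroupAces $WinReg | Format-Table -AutoSize

"ACEs for $Group on HKLM\$KeyPath (what they may do once connected):"
Get-GroupAces "HKLM:\$KeyPath" | Format-Table -AutoSize
```

An empty ACE table for `winreg` together with `False` for both lists means the group is stopped before the ACL on the application key is ever evaluated.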

