Grant End-User Rights to Remotely Modify an HKLM Registry Key

mooseguy57 asked
Medium Priority
Last Modified: 2012-05-05
Hi all. I've written a VB.Net application that synchronizes some data with a .Net service via an HKLM registry key on a member server (Windows Server 2003) that I'll call Moe.

Non-domain-admin end users must be able to read and write the key. The key on Moe looks something like....

They need to read/write values in OurStuff. I can't get it to work. Here is what I've done....

Created AD Global Group "OurStuffOps"
Placed the appropriate users and groups in "OurStuffOps"
Created a domain GPO called "OurStuffOps Policy." Linked it to the OU that Moe is in. Gave rights to the Moe$ computer object to apply the group policy.

In the computer branch of "OurStuffOps Policy" I set "Access this computer from the network" to the "OurStuffOps" group. I set the following ACEs on registry keys...

HKLM = Read (this key only) for the "OurStuffOps" group.
HKLM\SOFTWARE = Read (this key only) for the "OurStuffOps" group.
HKLM\SOFTWARE\OurStuff = Full Control (this key and subkeys) for the "OurStuffOps" group.

(Note: Also tried full control for HKLM and HKLM\SOFTWARE. I also tried it for keys/subkeys)

Of course I ran GPUPDATE /FORCE on Moe. I verified via Regedt that the new permissions have taken effect on Moe's keys. I checked secpol.msc on Moe to verify that the "OurStuffOps" group now has "access this computer from the network."

While logged in as my test end user (Larry Bird) the VB.Net app still throws an exception on the first registry read - permission denied. Mr. Bird can't access HKLM via Regedit over the network either. Of course, all of this works if I put Mr. Bird into Moe's Administrators group, but I don't want end-users with that level of power.

What am I missing? There's probably a good article that I'm not finding. Help please!


Top Expert 2005
I think there's one more step to complete.

Computer Config>Windows Settings>Security Settings>Security Options::

>> Network Access: Remotely accessible registry paths
>> Network Access: Remotely accessible registry paths and sub-paths

I think one or both of these need some attention on "Moe".
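
An added example, not part of the original answer: one way to audit the settings named above from a PowerShell prompt on the server (assuming PowerShell is installed there). On Windows Server 2003 the two policies are stored as the `Machine` multi-string values under `winreg\AllowedExactPaths` and `winreg\AllowedPaths`, and the ACL on the `winreg` key itself decides who may connect to the registry remotely. `Get-AllowedRemotePaths` and `Test-RemotePathAllowed` are hypothetical helper names; `SOFTWARE\OurStuff` comes from the question.

```powershell
# Run locally on the server whose registry is being accessed remotely.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Get-AllowedRemotePaths {
    # Returns the 'Machine' multi-string list under the given winreg subkey (empty if absent).
    param([string]$SubKey)
    $key = Join-Path $winreg $SubKey
    if (-not (Test-Path $key)) { return @() }
    $prop = Get-ItemProperty -Path $key -Name Machine -ErrorAction SilentlyContinue
    if ($prop) { return @($prop.Machine) }
    return @()
}

function Test-RemotePathAllowed {
    # Hypothetical helper: names the list, if any, that covers a key path relative to HKLM.
    param([string]$KeyPath, [string[]]$ExactPaths, [string[]]$SubPaths)
    $k = $KeyPath.Trim('\')
    foreach ($p in $ExactPaths) {
        # "Remotely accessible registry paths": matches the named key only
        if ($p -and $k -ieq $p.Trim('\')) { return 'AllowedExactPaths' }
    }
    foreach ($p in $SubPaths) {
        # "Remotely accessible registry paths and sub-paths": matches the key and its subkeys
        if (-not $p) { continue }
        $t = $p.Trim('\')
        $isChild = $k.StartsWith($t + '\', [System.StringComparison]::OrdinalIgnoreCase)
        if ($k -ieq $t -or $isChild) { return 'AllowedPaths' }
    }
    return 'None'
}

$target = 'SOFTWARE\OurStuff'   # key from the question, relative to HKLM
$exact  = @(Get-AllowedRemotePaths 'AllowedExactPaths')
$sub    = @(Get-AllowedRemotePaths 'AllowedPaths')
"Path list covering ${target}: " + (Test-RemotePathAllowed $target $exact $sub)

# ACL on the winreg key: accounts allowed to open a remote registry connection at all
(Get-Acl $winreg).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize
```

Either route still leaves the target key's own ACL in force, so the Full Control entry on `HKLM\SOFTWARE\OurStuff` remains the place to scope what the group can change.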


Thanks Netman66. I'll test this today and let you know.
