Modify registry key permissions with script

Posted on 2007-07-31
Last Modified: 2012-05-05
I want to grant a specific security group write permissions to a registry key and all sub-keys.  The specific key is HKLM\Software\xyz.  Some workstations will have this key present while others will not.  How should I go about doing this?  Also, is there a way to do this without overwriting the key and all sub-keys?  I've done some research and found that reg.exe seems applicable.

Workstations are Windows XP SP2
Using Windows Server 2003 Active Directory

Many thanks in advance.  
Question by:snoopfrogg

Assisted Solution

by:Christopher McKay
Christopher McKay earned 400 total points
ID: 19604225
If you're looking to grant permissions to registry keys, perhaps you would appreciate setacl:

It has the ability to change/add/remove permissions from files/folders/registry keys/services, etc.

Hope this helps!



Author Comment

ID: 19604393
This looks like exactly what I'm looking for.  And it avoids overwriting the existing key.  Thanks for the reference!  

I'll keep the thread alive and see if other folks have other recommendations or also like SetACL.exe.

Accepted Solution

oBdA earned 1600 total points
ID: 19604534
You can do that with a GPO as well:
Computer Configuration\Windows Settings\Security Settings\Registry
Add the key you need (you don't need to be able to browse to it, you can just enter it as well), and add the group you want to give the permissions as usual.
Apply the GPO to the OU(s) where the clients are you want this applied (doesn't matter if the key is present on all machines or not).
This makes sure that if you add a new machine, you don't have to change the permissions, you just have to move it into the proper OU.

Author Comment

ID: 19609514

I'm testing with the method you provided.  I created the key I need to modify with the correct permissions.  I've tried both settings under "Configure this key then" and also the "Do not allow permissions on this key to be replaced" setting but the permissions on the key on my local machine have not changed.  I've run a gpupdate /force, also.  Thoughts?

Expert Comment

ID: 19609679
Make sure the machine you're testing this on is in or below the OU to which you applied the GPO, and that it has the permissions to apply the GPO.
You can use
gpresult /scope computer
to check which policies are applied.

Author Comment

ID: 19609911
When I run gpresult /scope computer, I see the GPO being applied to the workstation.

This is puzzling me.

Author Comment

ID: 19627025

Your method is the route I chose and it worked for me after all.  I'm not sure what caused me to experience the delay in policy delivery initially, but all is well now.  

bartender_1 - Thanks for the reference.  SetACL.exe definitely looks like a useful utility.
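
For readers who want the scripted route the question asked about, the following PowerShell is an added example, not code from any participant in this thread. It adds an inheritable allow entry to the existing ACL on HKLM\Software\xyz without replacing that ACL, and skips machines where the key is absent; the group name CONTOSO\XyzAppWriters is a hypothetical placeholder, and the script assumes PowerShell is installed and run with administrative rights.

```powershell
# Added example. $group is a hypothetical placeholder; $keyPath is the key from the question.
$keyPath = 'HKLM:\Software\xyz'
$group   = 'CONTOSO\XyzAppWriters'

if (-not (Test-Path -Path $keyPath)) {
    # Some workstations do not have the key: leave them untouched.
    Write-Output "$env:COMPUTERNAME : $keyPath not present, nothing changed."
}
else {
    # Least privilege: read and write only. No Delete, ChangePermissions
    # or TakeOwnership, so the group cannot re-ACL or remove the key.
    $rights    = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey'
    # ContainerInherit makes the entry flow down to all sub-keys.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $type      = [System.Security.AccessControl.AccessControlType]::Allow

    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $group, $rights, $inherit, $propagate, $type)

    # Read the current ACL and add one entry to it. AddAccessRule merges
    # with what is already there; existing entries are kept.
    $acl = Get-Acl -Path $keyPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl

    # Check the result: list every entry now held by the group on this key.
    (Get-Acl -Path $keyPath).Access |
        Where-Object { $_.IdentityReference.Value -eq $group } |
        Format-List IdentityReference, RegistryRights, AccessControlType,
                    InheritanceFlags, IsInherited
}
```

Sub-keys that have inheritance disabled keep their own ACL and will not pick up the new entry.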
