Freigeben über

SET-ACL on registry key

  • Artikel

Man it was hard to find info on using set-acl on a registry key!   I was looking for a way to set an ACL that once set would be inherited by child keys and values.    We needed to give “Local Service” full control on the registry key below and have the subkeys inherit the permission.  You might say:  “Why not use SUBINACL?”, well due to a bug or by design SUBINACL doesn’t work for WIN7 server core (probably should look into that).  Besides, why call an exe when you can do it natively in PS.  Anyways here is the code that ended up working.  Hope next time someone goes looking for this it’ll be the first hit.

 

PS C:\> $acl= get-acl -path "hklm:\SOFTWARE\Microsoft\Reliability Analysis"

PS C:\> $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"

PS C:\> $propagation = [system.security.accesscontrol.PropagationFlags]"None"

PS C:\> $rule=new-object system.security.accesscontrol.registryaccessrule "LOCAL SERVICE","FullControl",$inherit,$propagation,"Allow"

PS C:\> $acl.addaccessrule($rule)

PS C:\> $acl|set-acl

And the output of GET-ACL shows local service now:

PS C:\> get-acl -path "hklm:\SOFTWARE\Microsoft\Reliability Analysis" | fl <—Verifying that it got set.

Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis

Owner : BUILTIN\Administrators

Group : DOMAIN\Domain Users

Access : NT AUTHORITY\LOCAL SERVICE Allow FullControl

         BUILTIN\Users Allow ReadKey

         BUILTIN\Users Allow -2147483648

         BUILTIN\Administrators Allow FullControl

         BUILTIN\Administrators Allow 268435456

         NT AUTHORITY\SYSTEM Allow FullControl

         NT AUTHORITY\SYSTEM Allow 268435456

         CREATOR OWNER Allow 268435456

Audit :

Sddl : O:BAG:DUD:AI(A;OICI;KA;;;LS)(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)

Comments

  • Anonymous
    January 01, 2003
    PingBack from http://powerscripting.wordpress.com/2008/10/05/episode-44-tobias-weltner-gives-an-inside-look-at-powershell-plus/

  • Anonymous
    January 01, 2003
    Thanks for sharing I was struggling with this!! Cheers

  • Anonymous
    February 20, 2010
    Great. Following your blog my script made a big step forward. Thank's a lot

  • Anonymous
    June 12, 2014
    Thank you! Thanks for sharing this great tool!

  • Anonymous
    March 27, 2015
    This does not apply permissions to subkeys.

  • Anonymous
    January 19, 2016
    Thank You! I've tried so many different approaches without luck, and did not want to use subinacl. This works a sa charm and also supports setting acl's for IIS AppPool.