Create a registry key without permissions

This topic contains 2 replies, has 2 voices, and was last updated by Florian Schinas 7 months, 4 weeks ago.

  • #37624
    Florian Schinas
    Participant

    Hello everyone,

    I am trying to make a script that creates a registry key that gives certain users permissions and not others.

    But I am facing a problem ... The registry key is created fine, and the rights are properly assigned.
    But the concern is: even users who are set to "Deny" for "Full Control" (Everyone, in this case) can change the permissions ... and then simply switch from "Deny" to "Access" and remove the key ...

    I thought about changing the owner (because I have the impression that the owner is the logged-on user, since the script runs at account login), which might prevent this, but which I have not managed to do ...

    Here is my script ...

    Set-ExecutionPolicy RemoteSigned
    New-Item HKCU:\Software\LockyTest
    Get-Acl HKCU:\Software\LockyTest

    $acl = Get-Acl HKCU:\Software\LockyTest
    # Stop inheriting from the parent key; $False discards the inherited rules instead of copying them
    $acl.SetAccessRuleProtection($True, $False)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Everyone", "FullControl", "ContainerInherit, ObjectInherit", "None", "Deny")
    $rule1 = New-Object System.Security.AccessControl.RegistryAccessRule("ad-admin", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    $acl.AddAccessRule($rule1)
    Set-Acl HKCU:\Software\LockyTest $acl
    Get-Acl HKCU:\Software\LockyTest | Format-List

    Thank you for your help

  • #37625

    Hello, you might want to remove all the access rules, strip inheritance and set rules after that. At least that worked for me.

    # $td is the target directory (a DirectoryInfo object) from the surrounding script
    # Remove inheritance
    $acl = Get-Acl $td.FullName
    $acl.SetAccessRuleProtection($true,$true)
    Set-Acl $td.FullName $acl

    # Remove ACL
    $acl = Get-Acl $td.FullName
    $acl.Access | %{$acl.RemoveAccessRule($_)} | Out-Null

    # Add local admin
    $permission  = "domain\domain admins","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($rule)
    # Write the rebuilt ACL back to the directory
    Set-Acl $td.FullName $acl
  • #37626
    Florian Schinas
    Participant

    Like that?

    Set-ExecutionPolicy RemoteSigned
    New-Item HKCU:\Software\LockyTest
    Get-Acl HKCU:\Software\LockyTest

    $key = "HKCU:\Software\LockyTest"

    # Remove inheritance
    $acl = Get-Acl $key
    $acl.SetAccessRuleProtection($true,$true)
    Set-Acl $key $acl

    # Remove ACL
    $acl = Get-Acl $key
    $acl.Access | %{$acl.RemoveAccessRule($_)} | Out-Null

    # Add local admin (RegistryAccessRule, not FileSystemAccessRule, since this is a registry key)
    $permission  = "domain\domain admins","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule $permission
    $acl.SetAccessRule($rule)
    Set-Acl $key $acl

    Sorry, my PowerShell is not good 🙁
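The approach from the reply (strip inheritance, clear the rules, then add only Allow rules), applied to the registry key from the question and combined with an owner change, as an added example that is not code from the thread. It assumes an elevated PowerShell session; $AdminAccount is a placeholder standing in for the thread's "ad-admin" account.

```powershell
# Added example (not from the thread): create HKCU:\Software\LockyTest with a DACL that
# lists only the allowed principals, and move ownership away from the logged-on user.
# Assumptions: elevated session; $AdminAccount is a placeholder for the thread's "ad-admin".
$KeyPath      = 'HKCU:\Software\LockyTest'
$AdminAccount = 'DOMAIN\ad-admin'          # placeholder, replace with the real account
$Owner        = 'BUILTIN\Administrators'   # present in an elevated admin token, so it can be set as owner

if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath | Out-Null }

$acl = Get-Acl -Path $KeyPath

# Stop inheriting from HKCU\Software and drop the inherited ACEs instead of copying them
# (copying them would keep the user's inherited Full Control on the new key).
$acl.SetAccessRuleProtection($true, $false)

# Remove any remaining explicit ACEs so the DACL contains only what is added below.
foreach ($existing in $acl.Access) { $null = $acl.RemoveAccessRule($existing) }

# Allow-list only. No "Deny Everyone" ACE: a Deny for Everyone matches every token,
# including the admin account, and a principal absent from the DACL gets no access anyway.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propag  = [System.Security.AccessControl.PropagationFlags]::None
foreach ($principal in @($AdminAccount, $Owner)) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($principal, 'FullControl', $inherit, $propag, 'Allow')
    $acl.AddAccessRule($rule)
}

# The owner of a key implicitly holds READ_CONTROL and WRITE_DAC whatever the DACL says,
# which is why the creating user could still edit the permissions and then delete the key.
$acl.SetOwner([System.Security.Principal.NTAccount]$Owner)

Set-Acl -Path $KeyPath -AclObject $acl

# Verify: owner changed, inheritance off, and only the allow-listed ACEs remain.
$check = Get-Acl -Path $KeyPath
[pscustomobject]@{
    Owner               = $check.Owner
    InheritanceDisabled = $check.AreAccessRulesProtected
    Aces                = ($check.Access | ForEach-Object { "$($_.AccessControlType) $($_.IdentityReference) $($_.RegistryRights)" }) -join '; '
}
```

If this runs as the non-admin user at logon, that user stays the owner of the key and keeps the implicit right to rewrite its DACL, so the restriction has to be applied from a privileged context rather than from the user's own logon script.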
