
April 12, 2016 at 11:18 pm

Hello everyone,

I am trying to make a script that creates a registry key with certain permissions and others not.

But I am facing a problem ... The registry key is created well, and rights are properly attributed.
But the concern is: even users who are set to "Deny" for "Full Control" (Everyone, in this case) can change the permissions ... and suddenly switch from "Deny" to "Access" and remove the key ...

I thought about changing the owner (because here I have the impression that the owner is the person who is logged in, since the script starts at account login), which may prevent this, but that I am not able to do ...

Here is my script ...

Set-ExecutionPolicy RemoteSigned
New-Item HKCU:\Software\LockyTest
Get-Acl HKCU:\Software\LockyTest

$acl = Get-Acl HKCU:\Software\LockyTest
$acl.SetAccessRuleProtection($True, $False)
$rule = New-Object System.Security.AccessControl.RegistryAccessRule("Everyone","FullControl", "ContainerInherit, ObjectInherit", "None", "Deny")
$rule1 = New-Object System.Security.AccessControl.RegistryAccessRule("ad-admin","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$acl.AddAccessRule($rule1)
Set-Acl HKCU:\Software\LockyTest $acl
Get-Acl HKCU:\Software\LockyTest | Format-List

Thank you for your help

April 12, 2016 at 11:39 pm

Hello, you might want to remove all the access rules, strip inheritance and set rules after that. At least that worked for me.

    # Remove inheritance
    $acl = Get-Acl $td.FullName
    $acl.SetAccessRuleProtection($true,$true)
    Set-Acl $td.FullName $acl

    # Remove ACL
    $acl = Get-Acl $td.FullName
    $acl.Access | %{$acl.RemoveAccessRule($_)} | Out-Null

    # Add local admin
    $permission  = "domain\domain admins","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($rule)

    # Write the modified ACL back; until this call the changes exist only in $acl
    Set-Acl $td.FullName $acl

April 12, 2016 at 11:44 pm

Like that?

Set-ExecutionPolicy RemoteSigned
New-Item HKCU:\Software\LockyTest
Get-Acl HKCU:\Software\LockyTest

$acl = Get-Acl HKCU:\Software\LockyTest

# Remove inheritance
    $acl = Get-Acl $td.FullName
    $acl.SetAccessRuleProtection($true,$true)
    Set-Acl $td.FullName $acl

# Remove ACL
    $acl = Get-Acl $td.FullName
    $acl.Access | %{$acl.RemoveAccessRule($_)} | Out-Null
    
# Add local admin
    $permission  = "domain\domain admins","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($rule) 

Sorry, my PowerShell is not good 🙁
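
The sequence discussed in this thread, adapted to a registry key, as an added example that is not part of any post: it uses RegistryAccessRule rather than FileSystemAccessRule, writes the result with Set-Acl, and then checks the owner, because the owner of a key can always change its permissions regardless of the entries. The BUILTIN\Administrators principal and the read-only grant for the current user are assumptions.

```powershell
# Added example. The key name is from the thread; $adminName is an assumed principal.
$keyPath   = 'HKCU:\Software\LockyTest'
$adminName = 'BUILTIN\Administrators'
$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()

if (-not (Test-Path -Path $keyPath)) { New-Item -Path $keyPath | Out-Null }
$acl = Get-Acl -Path $keyPath

# Protect the DACL from inheritance; $false discards the inherited entries
# instead of copying them in as explicit ones.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit entries that remain (iterate over a copy of the collection).
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

# Registry keys take RegistryAccessRule; FileSystemAccessRule is for files and folders.
# Allow-only rules: a Deny entry for Everyone would also hit $adminName, because
# Everyone includes that account and Deny entries are evaluated before Allow entries.
$grants = @(
    @{ Who = $adminName; Rights = 'FullControl' },
    @{ Who = $me.Name;   Rights = 'ReadKey' }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
        $g.Who, $g.Rights, 'ContainerInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}

# Without Set-Acl the changes exist only in the in-memory $acl object.
Set-Acl -Path $keyPath -AclObject $acl

# Read back what was written and compare the owner with the current token.
$written  = Get-Acl -Path $keyPath
$ownerSid = $written.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
$mySids   = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

$written.Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Out-String
"Owner: $($written.Owner)"

# The owner of a key can always read and rewrite its DACL, whatever the entries say.
if ($mySids -contains $ownerSid) {
    Write-Warning "$keyPath is owned by the current account (or one of its groups), which can still change its permissions."
}
```

If the warning fires, the ACL alone does not lock the key against the logged-on user; the key would have to be created or re-owned by an account that user does not control.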