Author Posts

August 26, 2016 at 8:59 am

Hi All,
I tried to set an ACL on a remote registry but it doesn't work. I tested the same code on the local computer, where it works fine. Please help.
Objective: assign full permission to "Domain Users" on the registry key (HKLM\Software\Microsoft) of several remote computers.

Code:
Set-ExecutionPolicy Unrestricted -Force
Import-Module -Name psrr -Force

$servers = Get-Content -Path 'D:\ServerList.txt'

foreach ($pc in $servers)
{
    Write-Host "Setting ACL permission for $pc"
    # Note: a freshly created RegistrySecurity object carries no rules, so applying it
    # replaces the key's explicit DACL with the single rule below instead of adding to it
    $RegSec = New-Object System.Security.AccessControl.RegistrySecurity
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Domain Users", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $RegSec.AddAccessRule($rule)

    # Open HKLM on the remote machine (needs the RemoteRegistry service running there)
    $RemoteKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $pc)
    $RemoteAccess = $RemoteKey.OpenSubKey("Software\Microsoft", $true)

    $RemoteAccess.SetAccessControl($RegSec)
}

August 26, 2016 at 2:06 pm

Can you confirm if the RemoteRegistry service is running? If it's not, you won't be able to do anything with the registry remotely.

August 26, 2016 at 3:15 pm

Allow me to clarify that the RemoteRegistry service needs to be running on a remote computer before you can do anything with that registry.

August 29, 2016 at 5:44 am

Hi Aaron, thanks for responding.

Yes, the Remote Registry service is up and running on the PC where I am trying to set the ACL.
Also, I am a domain admin and I have already added my account (from which I am running the script) to the Administrators group of that PC. When running the script for my local PC it works well, but for the remote PC I get the following exception error:
===========================================================================================================
BUILTIN\Administrators 01 Allow FullControl...
Exception calling "SetAccessControl" with "1" argument(s): "The supplied handle is invalid. This can happen when trying to set an ACL on an anonymous kernel object."
At D:\.............MS Licensing Issue.ps1:18 char:5
+ $RemoteAccess.SetAccesscontrol($RegSec)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : NotSupportedException

===========================================================================================================

Please help

August 31, 2016 at 8:49 am

**************************** 🙂 🙂 🙂 **************************************

GUYS, found the solution after 4-5 days of permutations and combinations, and guess what!!! It was very simple, though tricky.
Here it is:
===============================================================================================================
Invoke-Command -ComputerName "" -ScriptBlock {
    # The script block runs on the remote computer itself, so Get-Acl/Set-Acl use a local key handle
    $acl = Get-Acl -Path "HKLM:\SOFTWARE\Microsoft"
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]"None"
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Domain Users", "FullControl", $inherit, $propagation, "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path "HKLM:\SOFTWARE\Microsoft" -AclObject $acl
}
===============================================================================================================
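Since the working fix is to run Get-Acl/Set-Acl on the remote host itself, here is an added example (my own code, not from the thread) that applies the same rule across a server list, first checks whether the rule is already present, and saves each key's previous SDDL, because FullControl for Domain Users on HKLM\SOFTWARE\Microsoft is a broad grant that you will likely want to verify or revert later. It assumes PowerShell Remoting is enabled on the targets; the function name, parameters and backup directory are my own choices.

```powershell
# Added example (not from the thread): audit and optionally apply the grant on many
# servers via Invoke-Command, saving each key's prior SDDL so the change can be reverted.
# Assumes PowerShell Remoting is enabled, PowerShell 3+ ($using:), and that the caller
# is a local administrator on every target. Paths and names below are parameters.
function Set-RemoteRegistryKeyAcl {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft',
        [string]$Identity  = 'Domain Users',
        [string]$Rights    = 'FullControl',
        [string]$BackupDir = 'D:\AclBackup',   # constructed location, adjust as needed
        [switch]$AuditOnly                     # only report which servers already have the rule
    )
    $reportOnly = $AuditOnly.IsPresent
    $results = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $path = $using:KeyPath; $id = $using:Identity; $rights = $using:Rights
        $acl    = Get-Acl -Path $path
        $before = $acl.GetSecurityDescriptorSddlForm('All')
        # Is there already an explicit Allow rule for this identity with these rights?
        $existing = $acl.Access | Where-Object {
            $_.IdentityReference.Value -like "*\$id" -and
            $_.RegistryRights -eq $rights -and $_.AccessControlType -eq 'Allow'
        }
        $changed = $false
        if (-not $using:reportOnly -and -not $existing) {
            $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
                $id, $rights,
                [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]::Allow)
            $acl.AddAccessRule($rule)
            # Runs on the remote host itself, so Set-Acl works on a local key handle
            Set-Acl -Path $path -AclObject $acl
            $changed = $true
        }
        # Re-read so the report shows what is actually stored, not what we intended
        $after = (Get-Acl -Path $path).GetSecurityDescriptorSddlForm('All')
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; HadRule = [bool]$existing
                           Changed = $changed; BeforeSddl = $before; AfterSddl = $after }
    }
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    foreach ($r in $results) {
        # One SDDL file per server; restore with $acl.SetSecurityDescriptorSddlForm() + Set-Acl
        Set-Content -Path (Join-Path $BackupDir "$($r.Computer).sddl") -Value $r.BeforeSddl
    }
    $results | Select-Object Computer, HadRule, Changed
}
# Usage: Set-RemoteRegistryKeyAcl -ComputerName (Get-Content 'D:\ServerList.txt') -AuditOnly
```

Run it with -AuditOnly first to see which servers already carry the grant, then without the switch to apply it; the saved .sddl files are what you feed back through SetSecurityDescriptorSddlForm if the grant has to be undone.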