Unable to set ACL on Remote Registry - Kindly HELP

This topic contains 4 replies, has 2 voices, and was last updated by vineet kandpal 3 months, 1 week ago.

  • #52053
    vineet kandpal
    Participant

    Hi All,
    Tried to set an ACL on a remote registry but it doesn't work. Tested the same code on the local computer, where it works fine. Please help.
    Objective: Need to assign full permission to "Domain Users" on the registry (HKLM\Software\Microsoft) of several remote computers.

    Code:
    Set-ExecutionPolicy unrestricted -Force
    Import-Module -Name psrr -Force

    $servers= Get-Content -Path 'D:\ServerList.txt'

    foreach($pc in $servers)
    {
        write-host "Setting ACL Permission for $PC"
        # Build a new security descriptor holding only the Domain users rule
        $RegSec = new-object system.Security.AccessControl.RegistrySecurity
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Domain users", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $RegSec.AddAccessRule($rule)

        # Open HKLM\Software\Microsoft on the remote computer with write access
        $RemoteKey = [microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $pc)
        $RemoteAccess = $RemoteKey.OpenSubKey("Software\Microsoft", $true)

        # Apply the descriptor to the remote key
        $RemoteAccess.SetAccesscontrol($RegSec)
    }

  • #52085
    Aaron Hardy
    Participant

    Can you confirm if the RemoteRegistry service is running? If it's not, you won't be able to do anything with the registry remotely.

  • #52112
    Aaron Hardy
    Participant

    Allow me to clarify that the RemoteRegistry service needs to be running on a remote computer before you can do anything with that registry.

  • #52311
    vineet kandpal
    Participant

    Hi Aaron, thanks for responding.

    Yes, the remote registry service is up and running on the PC where I am trying to set the ACL.
    Also, I am a domain admin and I have already added my account (from which I am running the script) to the Administrators group of that PC. When running the script for my local PC it works well, but for the remote PC I am getting the following exception:
    ===========================================================================================================
    BUILTIN\Administrators 01 Allow FullControl...
    Exception calling "SetAccessControl" with "1" argument(s): "The supplied handle is invalid. This can happen when trying to set an ACL on an anonymous kernel object."
    At D:\.............MS Licensing Issue.ps1:18 char:5
    + $RemoteAccess.SetAccesscontrol($RegSec)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : NotSupportedException

    ===========================================================================================================

    Please help

  • #52665
    vineet kandpal
    Participant

    **************************** 🙂 🙂 🙂 **************************************

    Guys, found the solution after 4-5 days of permutations and combinations, and guess what!!! It was very simple, though tricky.
    Here it is:
    ===============================================================================================================
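    # The computer name is blank in the post; supply the target computer here
    Invoke-Command -ComputerName "" -ScriptBlock {
        # Runs on the remote computer, so the key is opened locally there
        $acl = Get-Acl -Path "hklm:\SOFTWARE\Microsoft"
        $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
        $propagation = [System.Security.AccessControl.PropagationFlags]"None"
        # Add a FullControl rule for Domain users to the existing ACL
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Domain users", "FullControl", $inherit, $propagation, "Allow")
        $acl.AddAccessRule($rule)
        # Write the modified ACL back to the key it was read from
        $acl | Set-Acl
    }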
    ===============================================================================================================
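
The fix from the last post applied to the server list from the first post, as an added example that is not part of the original thread: it skips hosts that already carry the rule, records per-host failures, and reads the ACL back so the change can be audited. It assumes PowerShell remoting (WinRM) is enabled on the targets; the skip-if-present check and the report columns are this example's own.

```powershell
# Added example, not code from the thread. The server list path, key and group
# come from the posts; the skip-if-present check and report columns are assumptions.
$servers  = Get-Content -Path 'D:\ServerList.txt'
$KeyPath  = 'HKLM:\SOFTWARE\Microsoft'
$Identity = 'Domain Users'

$results = foreach ($pc in $servers) {
    try {
        Invoke-Command -ComputerName $pc -ErrorAction Stop -ArgumentList $KeyPath, $Identity -ScriptBlock {
            param($KeyPath, $Identity)

            $acl = Get-Acl -Path $KeyPath
            # Look for an explicit (non-inherited) Allow/FullControl entry for the group.
            $existing = $acl.Access | Where-Object {
                $_.IdentityReference.Value -like "*\$Identity" -and
                $_.AccessControlType -eq 'Allow' -and
                $_.RegistryRights -eq 'FullControl' -and
                -not $_.IsInherited
            }
            $changed = $false
            if (-not $existing) {
                $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
                $acl.AddAccessRule($rule)
                Set-Acl -Path $KeyPath -AclObject $acl
                $changed = $true
            }
            # Read the ACL back from the key so the report shows what is really set.
            $after = (Get-Acl -Path $KeyPath).Access |
                Where-Object { $_.IdentityReference.Value -like "*\$Identity" }
            [pscustomobject]@{
                Changed = $changed
                Rights  = ($after | ForEach-Object { "$($_.AccessControlType):$($_.RegistryRights)" }) -join '; '
                Error   = $null
            }
        }
    }
    catch {
        # Unreachable host, WinRM disabled, access denied, etc.
        [pscustomobject]@{ PSComputerName = $pc; Changed = $false; Rights = $null; Error = $_.Exception.Message }
    }
}

$results | Format-Table PSComputerName, Changed, Rights, Error -AutoSize
```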
