Unable to set ACL on Remote Registry -Kindly HELP

This topic contains 4 replies, has 2 voices, and was last updated by  vineet kandpal 1 year, 1 month ago.

  • #52053

    vineet kandpal
    Participant

    Hi All,
    Tried to set ACL on remote registry but it doesn't work. Tested the same code on local computer, which works fine. Please help.
    Objective: Need to assign full permission to "Domain Users" on registry (HKLM\Software\Microsoft) of several remote computers.

    Code :
    Set-ExecutionPolicy unrestricted -Force
    Import-Module -Name psrr -Force

    $servers= Get-Content -Path 'D:\ServerList.txt'

    foreach ($pc in $servers)
    {
        Write-Host "Setting ACL Permission for $pc"
        $RegSec = New-Object System.Security.AccessControl.RegistrySecurity
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Domain users", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $RegSec.AddAccessRule($rule)

        $RemoteKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $pc)
        $RemoteAccess = $RemoteKey.OpenSubKey("Software\Microsoft", $true)

        $RemoteAccess.SetAccesscontrol($RegSec)
    }

  • #52085

    Aaron Hardy
    Participant

    Can you confirm if the RemoteRegistry service is running? If it's not, you won't be able to do anything with the registry remotely.

  • #52112

    Aaron Hardy
    Participant

    Allow me to clarify that the RemoteRegistry service needs to be running on a remote computer before you can do anything with that registry.

  • #52311

    vineet kandpal
    Participant

    Hi Aaron, Thanks for responding.

    Yes, the remote registry service is up and running on the PC where I am trying to set the ACL.
    Also, I am a domain admin and I already added my account (from which I am running the script) to the Administrators group of that PC. When running the script for my local PC it works well, but for the remote PC I am getting the following exception error:
    ===========================================================================================================
    BUILTIN\Administrators 01 Allow FullControl...
    Exception calling "SetAccessControl" with "1" argument(s): "The supplied handle is invalid. This can happen when trying to set an ACL on an anonymous kernel object."
    At D:\.............MS Licensing Issue.ps1:18 char:5
    + $RemoteAccess.SetAccesscontrol($RegSec)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : NotSupportedException

    ===========================================================================================================

    Please help

  • #52665

    vineet kandpal
    Participant

    **************************** 🙂 🙂 🙂 **************************************

    GUYS, found the solution after 4-5 days of permutations and combinations, and guess what!!! It was very simple, though tricky.
    Here it is:
    ===============================================================================================================
    Invoke-Command -ComputerName "" -ScriptBlock {
        # Read the current ACL of the key on the remote machine itself
        $acl = Get-Acl -Path "HKLM:\SOFTWARE\Microsoft"
        $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
        $propagation = [System.Security.AccessControl.PropagationFlags]"None"
        # Allow rule for "Domain users" that subkeys inherit
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Domain users", "FullControl", $inherit, $propagation, "Allow")
        # Add the rule to the existing ACL and write it back to the key
        $acl.AddAccessRule($rule)
        $acl | Set-Acl
    }
    ===============================================================================================================
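
A read-only check to go with the thread, added here as an example and not code from either poster: it uses the same Invoke-Command / Get-Acl pattern as the solution above to report, for every machine in the list, which principals hold write-level rights on HKLM:\SOFTWARE\Microsoft and whether the "Domain Users" rule is present. It assumes PowerShell remoting is enabled on the targets and reuses the D:\ServerList.txt path from the first post; the variable names are illustrative.

```powershell
# Assumption: same server list file as in the original post, one name per line.
$servers = Get-Content -Path 'D:\ServerList.txt'

# Fan out to all machines; unreachable hosts are collected in $failed.
$report = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue `
    -ErrorVariable failed -ScriptBlock {

    $acl = Get-Acl -Path 'HKLM:\SOFTWARE\Microsoft'

    # Rights that allow changing the key, its subkeys or its permissions.
    $write = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    # Registry ACEs can also carry raw generic bits: GENERIC_ALL, GENERIC_WRITE.
    $generic = 0x10000000 -bor 0x40000000

    foreach ($ace in $acl.Access) {
        $rights = [int]$ace.RegistryRights
        if ($ace.AccessControlType -eq 'Allow' -and
            ($rights -band ($write -bor $generic)) -ne 0) {
            [pscustomobject]@{
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.RegistryRights.ToString()
                IsInherited = $ace.IsInherited          # False = set on this key
                Inheritance = $ace.InheritanceFlags.ToString()
            }
        }
    }
}

# Every write-capable ACE per machine (PSComputerName is added by remoting).
$report | Sort-Object PSComputerName, Identity |
    Format-Table PSComputerName, Identity, Rights, IsInherited, Inheritance -AutoSize

# Machines where the "Domain Users" grant from this thread is in place.
$report | Where-Object { $_.Identity -like '*\Domain Users' } |
    Select-Object -ExpandProperty PSComputerName -Unique

# Machines that could not be queried.
$failed | ForEach-Object { $_.TargetObject }
```

The script changes nothing on the targets, so it can be run before and after applying the rule to compare the key's ACL.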
