Problem setting registry permissions using PowerShell

I have a couple of scripts that I have put together to change the registry value of a specific key in the registry.  This primarily is being done on our Windows 7 machines as the XP setup is slightly different and this change is not needed.

The first part of the script calls the below segment after it sets folder permissions.

	Write-Host "Executing Registry Changes:" -ForeGroundColor Red
	invoke-command -computername $strComputer -filepath \\PATH\SetMESPermissionsReg.ps1
	Write-Host "Registry Change Script Complete." -ForeGroundColor Red


The contents of SetMESPermissionsReg.ps1 are:

	$acl = Get-Acl HKLM:\SOFTWARE\NewMes
	Write-Host "Opening Registry key for write" -ForeGroundColor Cyan
	$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT Authority\Authenticated Users","FullControl","Allow")
	$acl.SetAccessRule($rule)
	$acl | Set-Acl -Path HKLM:\SOFTWARE\NewMes
	Write-Host "Permissions have been set!" -ForeGroundColor Green

After running this, everything seems to work fine except the program errors out upon running it.  When I check the permissions of the registry key, I notice that it sets full control but not at the top-level... it only sets it under special permissions as shown in the screenshot below.  If I go into regedit and check the box for full control at the first permissions screen, clearing the special permissions flag, everything works as it should.  How do I set the top-level Full Control option through PowerShell so that someone can do the installs without having to (or know how to) change anything?

July 27th, 2012 12:18pm

Hi Sharkck, I was playing with a similar script but for files/folders and having a similar issue. Try swapping your rule line for:

	$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT Authority\Authenticated Users","FullControl","ContainerInherit,ObjectInherit","None","Allow")

In my case the issue seemed to be that the inheritance would not propagate to the directory and would only apply to the object, causing it to stick with the special permission instead of Full Control.

I tested on a couple of Reg directories and keys and it seems to work OK.
  • Proposed as answer by tresstylez 15 hours 27 minutes ago
August 1st, 2012 9:12pm


This suggestion helped me figure out a very frustrating issue.  Thanks, Rod!

May 20th, 2015 11:48am
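
The difference between the two rules in this thread, as an added example that is not part of any post: it applies the question's key-only rule and then the answer's inheritable rule to a scratch key and reads each one back. The key `HKCU:\Software\AclDemo_Constructed` and the helper names `Set-KeyRule` and `Get-KeyRule` are made up for the demo, and it assumes a session that is allowed to change that key's permissions.

```powershell
# Scratch key constructed for this demo; the thread's real key is HKLM:\SOFTWARE\NewMes.
$keyPath  = 'HKCU:\Software\AclDemo_Constructed'
$identity = 'NT AUTHORITY\Authenticated Users'

# Hypothetical helper: build an Allow rule and write it to the key.
function Set-KeyRule {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.RegistryRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inheritance
    )
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, $Rights, $Inheritance,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    # SetAccessRule replaces any existing explicit Allow rule for this identity.
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Hypothetical helper: read back the explicit (non-inherited) rules for the identity.
function Get-KeyRule {
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited } |
        Select-Object IdentityReference, RegistryRights, InheritanceFlags, PropagationFlags
}

New-Item -Path $keyPath -Force | Out-Null
try {
    # Equivalent to the question's three-argument rule: InheritanceFlags = None,
    # so the entry applies to this key only.
    Set-KeyRule -Path $keyPath -Identity $identity -Rights FullControl -Inheritance None
    'Key-only rule (the form the question reports under Special permissions):'
    Get-KeyRule -Path $keyPath -Identity $identity | Format-List

    # The answer's flags: the same rights, inherited by subkeys as well.
    Set-KeyRule -Path $keyPath -Identity $identity -Rights FullControl `
        -Inheritance 'ContainerInherit,ObjectInherit'
    "Inheritable rule (the answer's flags):"
    Get-KeyRule -Path $keyPath -Identity $identity | Format-List
}
finally {
    # Remove the scratch key so the demo leaves nothing behind.
    Remove-Item -Path $keyPath -Recurse -Force
}
```

The `-Rights` parameter accepts any `RegistryRights` value, so the same read-back check works for a narrower grant than `FullControl`.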

This topic is archived. No further replies will be accepted.
