Managing Registry Permissions with SetACL.exe
Example 1 – Setting Permissions on the Current User’s Hive
SetACL.exe -on "hkcu" -ot reg -actn ace -ace "n:domain1\user1;p:full"
Sets ‘full’ permissions on the registry root key ‘HKEY_CURRENT_USER’ for user ‘user1’ in domain ‘domain1’.
Example 2 – Local Machine
SetACL.exe -on "hklm\software\microsoft\policies" -ot reg -actn ace -ace "n:domain1.local\user1;p:full"
Sets ‘full’ permissions on the registry key ‘HKEY_LOCAL_MACHINE\Software\Microsoft\Policies’ for user ‘user1’ in domain ‘domain1.local’.
Please note: This example shows that domain names can be specified using either their NetBIOS names or their DNS names.
Example 3.1 – Remote Systems (NetBIOS)
SetACL.exe -on "\\machine2\hklm\software\microsoft\policies" -ot reg -actn ace -ace "n:domain1.local\user1;p:full"
Same as the previous example, but accesses the registry on the remote computer ‘machine2’.
Example 3.2 – Remote Systems (DNS)
SetACL.exe -on "\\machine2.domain1.local\hklm\software\microsoft\policies" -ot reg -actn ace -ace "n:domain1.local\user1;p:full"
Same as the previous example, but addresses the remote computer ‘machine2’ by its fully-qualified DNS name ‘machine2.domain1.local’.
Please note: This example shows that computer names can be specified using either their NetBIOS names or their fully-qualified DNS names.
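To confirm what a change like Example 2 left on the key, the DACL can be read back with PowerShell's Get-Acl. The script below is an added example, not part of SetACL or its documentation; it lists write-capable ACEs held by trustees outside a baseline list, and that baseline and the function name Get-UnexpectedWriteAce are assumptions made for illustration.

```powershell
# Added example: list ACEs on a registry key that grant write-level access
# to a trustee outside an expected baseline. Reads the local registry only.
$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Policies'   # key from Example 2

# Assumed baseline of trustees allowed to hold write access; adjust per environment.
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

# Specific rights that allow changing values, subkeys, the DACL or the owner.
$WriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) can appear
# unmapped in inherit-only ACEs, so they are checked as well.
$GenericMask = 0x50000000

function Get-UnexpectedWriteAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Baseline = $Expected
    )
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        # Deny ACEs and read-only ACEs are not of interest here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.RegistryRights
        if (($rights -band ($WriteMask -bor $GenericMask)) -eq 0) { continue }
        # Skip trustees that are expected to have write access.
        if ($Baseline -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Key         = $Path
            Trustee     = $ace.IdentityReference.Value
            Rights      = $ace.RegistryRights
            Inherited   = $ace.IsInherited        # True: set on a parent key, not here
            AppliesTo   = $ace.InheritanceFlags   # ContainerInherit: subkeys receive it too
            Propagation = $ace.PropagationFlags
        }
    }
}

Get-UnexpectedWriteAce -Path $KeyPath | Format-Table -AutoSize
```

After Example 2 has been applied, the account ‘user1’ appears in this output with FullControl and Inherited set to False. The AppliesTo column shows whether the entry also reaches subkeys.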
1 Comment
And how would hklm\software\microsoft\policies\newkey gain the same inherit permissions? What is the command to not only take over the key but have its permissions rain over its child objects?