Managing Registry Permissions with SetACL.exe

Example 1 – Setting Permissions on the Current User’s Hive

SetACL.exe -on "hkcu" -ot reg -actn ace
           -ace "n:domain1\user1;p:full"

Sets ‘full’ permissions on the registry root key ‘HKEY_CURRENT_USER’ for user ‘user1’ in domain ‘domain1’.

Example 2 – Local Machine

SetACL.exe -on "hklm\software\microsoft\policies" -ot reg -actn ace
          -ace "n:domain1.local\user1;p:full"

Sets ‘full’ permissions on the registry key ‘HKEY_LOCAL_MACHINE\Software\Microsoft\Policies’ for user ‘user1’ in domain ‘domain1.local’.

Please note: This example shows that domain names can be specified using their NetBIOS as well as their DNS names.

Example 3.1 – Remote Systems (NetBIOS)

SetACL.exe -on "\\machine2\hklm\software\microsoft\policies" -ot reg -actn ace
           -ace "n:domain1.local\user1;p:full"

Same as the previous example, but accesses the registry on the remote computer ‘machine2’.

Example 3.2 – Remote Systems (DNS)

SetACL.exe -on "\\machine2.domain1.local\hklm\software\microsoft\policies" -ot reg -actn ace
           -ace "n:domain1.local\user1;p:full"

Same as the previous example, but accesses the registry on the remote computer ‘machine2’.

Please note: This example shows that computer names can be specified using their NetBIOS as well as their fully-qualified DNS names.