SET-ACL on registry key

Man, it was hard to find info on using Set-Acl on a registry key! I was looking for a way to set an ACL that, once set, would be inherited by child keys and values. We needed to give “Local Service” full control on the registry key below and have the subkeys inherit the permission. You might say, “Why not use SUBINACL?” Well, due to a bug or by design, SUBINACL doesn’t work for WIN7 server core (probably should look into that). Besides, why call an exe when you can do it natively in PS? Anyway, here is the code that ended up working. Hope next time someone goes looking for this it’ll be the first hit.

 

PS C:\> $acl= get-acl -path "hklm:\SOFTWARE\Microsoft\Reliability Analysis"
PS C:\> $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
PS C:\> $propagation = [system.security.accesscontrol.PropagationFlags]"None"
PS C:\> $rule=new-object system.security.accesscontrol.registryaccessrule "LOCAL SERVICE","FullControl",$inherit,$propagation,"Allow"
PS C:\> $acl.addaccessrule($rule)
PS C:\> $acl|set-acl

And the output of GET-ACL shows local service now:

PS C:\> get-acl -path "hklm:\SOFTWARE\Microsoft\Reliability Analysis" | fl   # Verifying that it got set.

Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis
Owner  : BUILTIN\Administrators
Group  : DOMAIN\Domain Users
Access : NT AUTHORITY\LOCAL SERVICE Allow  FullControl
         BUILTIN\Users Allow  ReadKey
         BUILTIN\Users Allow  -2147483648
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Administrators Allow  268435456
         NT AUTHORITY\SYSTEM Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  268435456
         CREATOR OWNER Allow  268435456
Audit  :
Sddl   : O:BAG:DUD:AI(A;OICI;KA;;;LS)(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)
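
To confirm that the rule really reaches subkeys, the following added example (not code from the original post) repeats the same steps on a scratch key and checks the ACE on both the key and a child. The key name HKCU:\Software\AclInheritDemo and the helper Test-LocalServiceRule are assumptions made for the demonstration; LOCAL SERVICE is referenced by its well-known SID S-1-5-19.

```powershell
# Added example. The scratch key is hypothetical; HKCU is used so the demo needs
# no elevation and leaves the HKLM key from the post untouched.
$parent = 'HKCU:\Software\AclInheritDemo'
$child  = "$parent\Child"
New-Item -Path $parent -Force | Out-Null
New-Item -Path $child  -Force | Out-Null

# LOCAL SERVICE by its well-known SID, so the lookup does not depend on locale.
$localService = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-19'

# True when $Acl holds an Allow/FullControl ACE for $Sid that subkeys inherit
# (ContainerInherit = 1) and whose IsInherited flag equals $Inherited.
function Test-LocalServiceRule {
    param($Acl, $Sid, [bool]$Inherited)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $Acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -eq $Sid.Value -and
            $ace.AccessControlType -eq 'Allow' -and
            $ace.RegistryRights -eq 'FullControl' -and
            (([int]$ace.InheritanceFlags -band 1) -ne 0) -and
            $ace.IsInherited -eq $Inherited) { return $true }
    }
    return $false
}

# Same steps as the post, but skipped when an equivalent explicit ACE already exists.
$acl = Get-Acl -Path $parent
if (-not (Test-LocalServiceRule $acl $localService $false)) {
    # ContainerInherit is what reaches subkeys; registry values have no ACL of
    # their own and are governed by the DACL of the key that holds them.
    $inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagation = [System.Security.AccessControl.PropagationFlags]'None'
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
        $localService, 'FullControl', $inherit, $propagation, 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $parent -AclObject $acl
}

# Re-read both keys: explicit on the parent, inherited on the child.
'Parent has explicit ACE : {0}' -f (Test-LocalServiceRule (Get-Acl -Path $parent) $localService $false)
'Child has inherited ACE : {0}' -f (Test-LocalServiceRule (Get-Acl -Path $child)  $localService $true)

Remove-Item -Path $parent -Recurse   # clean up the scratch key
```

The same helper can be pointed at any key and its subkeys to audit where an inheritable FullControl grant for a service account is in effect.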

Published Monday, September 29, 2008 4:06 PM by Brad Rutkowski
