Create a registry key without permissions

Hello everyone,

I am trying to make a script that creates a registry key with permissions for certain accounts and not for others.

But I am facing a problem. The registry key is created fine, and the rights are assigned properly.
But the concern is this: even users who have “Deny” on “Full Control” (Everyone, in this case) can change the permissions, switch “Deny” to “Allow”, and then remove the key.

I thought about changing the owner (because here I have the impression that the owner is the logged-on user, since the script runs at account logon), which might prevent this, but I cannot manage to do it.

Here is my script:

Set-ExecutionPolicy RemoteSigned
New-Item HKCU:\Software\LockyTest
Get-Acl HKCU:\Software\LockyTest

$acl = Get-Acl HKCU:\Software\LockyTest
# Stop inheriting from the parent key and drop the inherited entries
$acl.SetAccessRuleProtection($True, $False)
# Deny Everyone full control, allow ad-admin full control, both inherited by subkeys
$rule = New-Object System.Security.AccessControl.RegistryAccessRule("Everyone", "FullControl", "ContainerInherit, ObjectInherit", "None", "Deny")
$rule1 = New-Object System.Security.AccessControl.RegistryAccessRule("ad-admin", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$acl.AddAccessRule($rule1)
Set-Acl HKCU:\Software\LockyTest $acl
Get-Acl HKCU:\Software\LockyTest | Format-List

Thank you for your help

Hello, you might want to remove all the access rules, strip inheritance and set rules after that. At least that worked for me.

# Remove inheritance ($td is the DirectoryInfo of the folder being secured, e.g. from Get-Item)
$acl = Get-Acl $td.FullName
$acl.SetAccessRuleProtection($true,$true)
Set-Acl $td.FullName $acl

# Remove ACL (every explicit entry, including the ones just copied from the parent)
$acl = Get-Acl $td.FullName
$acl.Access | %{$acl.RemoveAccessRule($_)} | Out-Null

# Add local admin
$permission  = "domain\domain admins","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($rule)
# Write the new ACL back
Set-Acl $td.FullName $acl
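
For the registry case the same three steps apply, but with RegistryAccessRule (a FileSystemAccessRule cannot be added to a registry key's ACL) and with the key path in place of $td.FullName. The script below is an added example, not code from either poster; the key path, the admin group and the read-only account are placeholders. It drops the Deny entry for Everyone: once inheritance is off and every rule is removed, an account with no Allow entry gets nothing, while a Deny for Everyone is evaluated before the Allow entries and would lock out the admins as well. It also shows the owner check the question is really about: the owner of a key holds READ_CONTROL and WRITE_DAC implicitly, so a user who owns the key can always rewrite its DACL whatever it contains; moving ownership to an administrators group needs an elevated token, so that step is optional here.

```powershell
# Added example, not code from the thread. Applies the answer's three steps (stop
# inheritance, remove every rule, add only the rules wanted) to a registry key with
# RegistryAccessRule, and adds an optional owner change plus a read-back check.
# Assumptions (placeholders): the key path, the admin group and the read-only principal.

function Set-RestrictedRegistryKey {
    param(
        [Parameter(Mandatory)] [string] $Path,                  # e.g. 'HKCU:\Software\LockyTest'
        [Parameter(Mandatory)] [string] $FullControlPrincipal,  # e.g. 'DOMAIN\Domain Admins'
        [string] $ReadOnlyPrincipal,                            # optional, e.g. the logged-on user
        [string] $Owner                                         # optional, e.g. 'BUILTIN\Administrators'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Step 1: stop inheriting from the parent key. $true as the second argument keeps
    # copies of the inherited entries as explicit ones, so the key is never left with
    # an empty DACL between the two Set-Acl calls.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step 2: remove every explicit entry. With no Allow entry left nobody has access,
    # so no Deny entry is needed. (A Deny for Everyone is evaluated before any Allow
    # and would lock out the administrators added below as well.)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in @($acl.Access)) {
        [void] $acl.RemoveAccessRule($rule)
    }

    # Step 3: add only the entries wanted, inherited by all subkeys.
    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $adminRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $FullControlPrincipal, 'FullControl', $inherit, $noProp, $allow
    $acl.AddAccessRule($adminRule)

    if ($ReadOnlyPrincipal) {
        $readRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
            -ArgumentList $ReadOnlyPrincipal, 'ReadKey', $inherit, $noProp, $allow
        $acl.AddAccessRule($readRule)
    }

    # Step 4 (optional): move ownership away from the user. The owner of a key has
    # implicit READ_CONTROL and WRITE_DAC, so as long as the logged-on user owns a key
    # under HKCU they can undo any DACL, Deny entries included. Giving ownership to
    # another principal needs an elevated token (SeRestorePrivilege, or an owner-eligible
    # group such as BUILTIN\Administrators in an elevated administrator's token), so this
    # step fails when the script runs as a standard user at logon.
    if ($Owner) {
        $acl.SetOwner([System.Security.Principal.NTAccount] $Owner)
    }

    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Read back what was actually written; this is the check to run after Set-Acl.
function Get-RegistryKeyAclSummary {
    param([Parameter(Mandatory)] [string] $Path)
    $acl = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path           = $Path
        Owner          = $acl.Owner
        InheritanceOff = $acl.AreAccessRulesProtected
        Rules          = @($acl.Access | ForEach-Object {
                             '{0} {1} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.RegistryRights
                         })
    }
}

# Example run against a test key (placeholder names).
Set-RestrictedRegistryKey -Path 'HKCU:\Software\LockyTest' `
    -FullControlPrincipal 'BUILTIN\Administrators' `
    -ReadOnlyPrincipal "$env:USERDOMAIN\$env:USERNAME"
Get-RegistryKeyAclSummary -Path 'HKCU:\Software\LockyTest' | Format-List
```

After running it, confirm in the summary that InheritanceOff is True, that the only rules listed are the ones added, and what Owner says: if the owner is still the logged-on user, that user can rewrite the DACL (and then delete the key) regardless of which Deny or Allow entries it holds, which is exactly the behaviour described in the question.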

Like that?

Set-ExecutionPolicy RemoteSigned
New-Item HKCU:\Software\LockyTest
Get-Acl HKCU:\Software\LockyTest

$acl = Get-Acl HKCU:\Software\LockyTest

# Remove inheritance
$acl.SetAccessRuleProtection($true,$true)
Set-Acl HKCU:\Software\LockyTest $acl

# Remove ACL
$acl = Get-Acl HKCU:\Software\LockyTest
$acl.Access | %{$acl.RemoveAccessRule($_)} | Out-Null

# Add local admin
$permission  = "domain\domain admins","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule $permission
$acl.SetAccessRule($rule)
Set-Acl HKCU:\Software\LockyTest $acl

Sorry, my PowerShell is not good :frowning: