Hello everyone,
I am trying to make a script that creates a registry key with certain permissions and others not.
But I am facing a problem … The registry key is created correctly, and the rights are properly assigned.
But the concern is: even users who are set to “Deny” for “Full Control” (Everyone, in this case) can change the permissions … and so switch from “Deny” to “Access” and remove the key …
I thought about changing the owner (because here I have the impression that the owner is the person who is logged in, since the script starts at account login), which may prevent this, but I cannot do it …
Here is my script …
Set-ExecutionPolicy RemoteSigned
# Create the test key and show its default ACL
New-Item HKCU:\Software\LockyTest
Get-Acl HKCU:\Software\LockyTest
# Disable inheritance without keeping the inherited rules
$acl = Get-Acl HKCU:\Software\LockyTest
$acl.SetAccessRuleProtection($True, $False)
# Deny Everyone full control, allow ad-admin full control
$rule = New-Object System.Security.AccessControl.RegistryAccessRule("Everyone", "FullControl", "ContainerInherit, ObjectInherit", "None", "Deny")
$rule1 = New-Object System.Security.AccessControl.RegistryAccessRule("ad-admin", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$acl.AddAccessRule($rule1)
# Write the ACL back to the key and display the result
Set-Acl HKCU:\Software\LockyTest $acl
Get-Acl HKCU:\Software\LockyTest | Format-List
Thank you for your help
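
An added example, not part of the original post: Windows implicitly grants an object's owner the right to read and rewrite its DACL, whatever Deny entries it contains, unless the DACL carries an entry for the OWNER RIGHTS SID (S-1-3-4, Windows Vista / Server 2008 and later). The function names below are hypothetical and the key path is the post's test key.

```powershell
# Added example, not from the original post. Key path is the post's test key.
$KeyPath        = 'HKCU:\Software\LockyTest'
$OwnerRightsSid = 'S-1-3-4'   # well-known OWNER RIGHTS SID

# Hypothetical helper: report whether the caller still holds implicit owner rights.
function Get-OwnerDaclExposure {
    param([Parameter(Mandatory)][string]$Path)

    $acl   = Get-Acl -Path $Path
    $me    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sidT  = [System.Security.Principal.SecurityIdentifier]
    $owner = $acl.GetOwner($sidT).Value

    # The caller owns the key directly or through a group in the token.
    $callerIsOwner = ($me.User.Value -eq $owner) -or
                     (@($me.Groups | ForEach-Object Value) -contains $owner)

    # An explicit OWNER RIGHTS entry replaces the implicit owner rights.
    $ownerAces = @($acl.GetAccessRules($true, $true, $sidT) |
        Where-Object { $_.IdentityReference.Value -eq $OwnerRightsSid })

    [pscustomobject]@{
        Path            = $Path
        Owner           = $acl.Owner
        CallerIsOwner   = $callerIsOwner
        OwnerRightsAces = $ownerAces.Count
        # True: Deny entries alone do not stop the caller editing the DACL.
        ImplicitOwnerRights = $callerIsOwner -and ($ownerAces.Count -eq 0)
    }
}

# Hypothetical helper: limit the owner to read access via an OWNER RIGHTS entry.
function Set-OwnerReadOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    $acl  = Get-Acl -Path $Path
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($OwnerRightsSid)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $sid, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, 'Add OWNER RIGHTS ReadKey entry')) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

Get-OwnerDaclExposure -Path $KeyPath | Format-List
Set-OwnerReadOnly -Path $KeyPath -WhatIf   # remove -WhatIf to apply
```

Once the entry is applied the owner can no longer edit the DACL, so keep an administrative account that is able to take ownership of the key.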