Unable to set ACL on Remote Registry -Kindly HELP

Hi All,
Tried to set an ACL on a remote registry but it doesn’t work. Tested the same code on the local computer, which works fine. Please help.
Objective: Need to assign full permission to “Domain Users” on the registry (HKLM\Software\Microsoft) of several remote computers.

Code:
Set-ExecutionPolicy Unrestricted -Force
Import-Module -Name psrr -Force

$servers = Get-Content -Path 'D:\ServerList.txt'

foreach ($pc in $servers)
{
    Write-Host "Setting ACL Permission for $pc"

    # Builds a new security descriptor that contains only this one rule
    $RegSec = New-Object System.Security.AccessControl.RegistrySecurity
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Domain users", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $RegSec.AddAccessRule($rule)

    # Opens the key over the RemoteRegistry service with write access
    $RemoteKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $pc)
    $RemoteAccess = $RemoteKey.OpenSubKey("Software\Microsoft", $true)

    # This is the call that throws for a remote key
    $RemoteAccess.SetAccessControl($RegSec)
}

Can you confirm if the RemoteRegistry service is running? If it’s not, you won’t be able to do anything with the registry remotely.

Allow me to clarify that the RemoteRegistry service needs to be running on a remote computer before you can do anything with that registry.

Hi Aaron, Thanks for responding.

Yes, the remote registry service is up and running on the PC where I am trying to set the ACL.
Also, I am a domain admin and I have already added my account (from which I am running the script) to the Administrators group of that PC. When running the script for my local PC it works well, but for the remote PC I am getting the following exception error:

    BUILTIN\Administrators    01 Allow  FullControl...

    Exception calling "SetAccessControl" with "1" argument(s): "The supplied handle is invalid. This can happen when trying to set an ACL on an anonymous kernel object."
    At D:.…MS Licensing Issue.ps1:18 char:5
    + $RemoteAccess.SetAccesscontrol($RegSec)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : NotSupportedException

===========================================================================================================

Please help

**************************** :slight_smile: :slight_smile: :slight_smile: **************************************

Guys, found the solution after 4-5 days of permutations and combinations, and guess what!!! It was very simple, though tricky.
Here it is:

Invoke-Command -ComputerName "" -ScriptBlock {
    # Read the key's current ACL on the remote machine
    $acl = Get-Acl -Path "HKLM:\SOFTWARE\Microsoft"
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]"None"
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Domain users", "FullControl", $inherit, $propagation, "Allow")
    # Add the rule to the ACL that was read, then write it back to the same key
    $acl.AddAccessRule($rule)
    $acl | Set-Acl
}
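
Added example, not code from the posts above: the Invoke-Command approach from the solution, run against the server list from the first post, keeping each key's prior ACL as SDDL and confirming the new entry after the write. It assumes PowerShell remoting (WinRM) is enabled on the targets; the variable names and the report object are illustrative.

```powershell
# Added example. Assumes PowerShell remoting (WinRM) is enabled on every target.
$servers  = Get-Content -Path 'D:\ServerList.txt'    # list file from the first post
$keyPath  = 'HKLM:\SOFTWARE\Microsoft'
$identity = 'Domain Users'
$rights   = 'FullControl'

$results = Invoke-Command -ComputerName $servers -ArgumentList $keyPath, $identity, $rights `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
    param($keyPath, $identity, $rights)
    $ErrorActionPreference = 'Stop'    # a failed Get-Acl/Set-Acl must not look like success

    # Start from the key's existing ACL so current entries are preserved,
    # and keep its SDDL form so the change can be reviewed or rolled back.
    $acl    = Get-Acl -Path $keyPath
    $before = $acl.Sddl

    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($identity, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl

    # Re-read the key and confirm an explicit Allow entry for the identity carries the rights.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid     = (New-Object System.Security.Principal.NTAccount($identity)).Translate($sidType)
    $wanted  = [System.Security.AccessControl.RegistryRights]$rights
    $match   = (Get-Acl -Path $keyPath).GetAccessRules($true, $false, $sidType) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band $wanted) -eq $wanted
        }

    [pscustomobject]@{
        Key         = $keyPath
        RuleApplied = [bool]$match
        SddlBefore  = $before
    }
}

# Per-host report; PSComputerName is added by Invoke-Command.
$results | Select-Object PSComputerName, Key, RuleApplied, SddlBefore | Format-List

# Hosts that returned nothing (unreachable, access denied, or the script block threw).
$servers | Where-Object { $_ -notin $results.PSComputerName } |
    ForEach-Object { Write-Warning "No result from $_" }
$remoteErrors | ForEach-Object { Write-Warning $_.Exception.Message }
```

A saved `SddlBefore` value can be put back on a host by calling `SetSecurityDescriptorSddlForm()` on the object returned by `Get-Acl` and passing it to `Set-Acl`.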