Break Permission Inheritance In Registry

  • Question

  • Hello,

    New to PowerShell. I need a command that will break the permission inheritance at a specific key level in the registry and copy the existing inherited permissions to that key. I find lots of examples for files/folders, but not the registry.

    Thanks

    Wednesday, October 11, 2017 8:17 PM

Answers

  • Breaking inheritance works the same in the registry as with files. Just use "SetRuleProtection".


    \_(ツ)_/

    Wednesday, October 11, 2017 9:05 PM
  • Ok, thanks. Got this..

    # First, set the target for the perms change
    $regtarget = "HKLM:\software\microsoft\windows nt\currentversion\winlogon\Target"
    # Store existing perms
    $acl = Get-Item $regtarget | Get-Acl
    # Now break inheritance but write in existing perms
    $acl.SetAccessRuleProtection($true,$true)
    $acl | Set-Acl

    Wednesday, October 11, 2017 11:16 PM
  • In the method...

    $acl.SetAccessRuleProtection($true,$true)

    Why do we use the ($true,$true) modifier?

    found msdn_microsoft_com/en-us/library/system.security.accesscontrol.objectsecurity.setaccessruleprotection%28v=vs.110%29.aspx?f=255&MSPPError=-2147217396

    So the first Boolean true tells the system it is 'true' we want to protect the object from inheritance and the second tells the system it is 'true' we want to maintain existing permissions. Correct?

    Wednesday, October 11, 2017 11:20 PM
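
Added example, not part of the original thread: it applies `SetAccessRuleProtection` with `($true,$true)` and with `($true,$false)` to two scratch keys and summarises each ACL before and after, so the effect of the second argument can be checked rather than assumed. The key names under `HKCU:\Software\AclInheritDemo` are constructed for this example, and it is assumed to run as the current user on Windows.

```powershell
# Constructed scratch keys under HKCU (hypothetical names); nothing in HKLM is touched.
$root = 'HKCU:\Software\AclInheritDemo'
$keep = "$root\Preserve"   # will get SetAccessRuleProtection($true, $true)
$drop = "$root\Discard"    # will get SetAccessRuleProtection($true, $false)
$keep, $drop | ForEach-Object { New-Item -Path $_ -Force | Out-Null }

function Get-AclSummary {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    [pscustomobject]@{
        Key       = Split-Path -Path $Path -Leaf
        Protected = $acl.AreAccessRulesProtected   # $true once inheritance is blocked
        Inherited = @($acl.Access | Where-Object { $_.IsInherited }).Count
        Explicit  = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
    }
}

Write-Host 'Before:'
$keep, $drop | ForEach-Object { Get-AclSummary -Path $_ } | Format-Table -AutoSize

# Case 1: block inheritance and keep the inherited rules as explicit copies.
$acl = Get-Acl -Path $keep
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $keep -AclObject $acl

# Case 2: block inheritance and discard the inherited rules.
# Only explicit rules survive, so grant the current user access before writing
# the ACL back; otherwise the key would be left with no usable access rules.
$acl = Get-Acl -Path $drop
$acl.SetAccessRuleProtection($true, $false)
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $me, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $drop -AclObject $acl

Write-Host 'After:'
$keep, $drop | ForEach-Object { Get-AclSummary -Path $_ } | Format-Table -AutoSize

# Clean up the scratch keys.
Remove-Item -Path $root -Recurse -Force
```

Comparing the `Inherited` and `Explicit` counts for the two keys in the "After" table shows which rules each call kept; the same `Get-AclSummary` check can be pointed at a production key after a change to confirm the resulting ACL.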
