Problems setting Registry Permissions via GPO

    Question

  • Hi,

    At some time in the past someone locked down the following reg key via GPO:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AcroExch.Document
    They set perms such that:
    Domain Admins = Full Control
    Domain Users = Read Only
    All other perms removed.

    This is preventing Adobe Reader from being pushed out via SCCM on 650 PCs.

    If I manually add SYSTEM = Full Control to this key then Reader will install OK.

    If I edit the GPO and add SYSTEM = Full Control (and also add a Domain admin account for testing) to the registry permissions above then this is not applied to the key on the clients following a gpupdate.
    There is nothing reported in the event logs.

    If I manually add SYSTEM = Full Control to the key via regedt32 then run a gpupdate then the permissions are applied correctly via the GPO and the Domain admin account rights are added correctly via the GPO.

    It appears that the GPO does not have rights to change the permissions on the registry key.
    It can only update the key if it already has SYSTEM = Full Control.
    But I need to push out SYSTEM = Full Control to all 650 PCs!!

    How can I get round this or what am I doing wrong?

    Cheers,

    Anthony.

    Saturday, July 03, 2010 12:10 PM

Answers

All replies

  • Hi,

    I could reproduce the same behaviour. You cannot change the permission by using Group Policy directly. However, have a look at a post from Patrik. He describes a tool that you could use in the startup script for these computers. See the following forum entry:

    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/87d4ed25-5247-41e4-8bb6-e29a078a1da0

    Hope this solves your issue,

    Gunter


    Gunter Danzeisen - Blog: fabrikam.wordpress.com
    • Marked as answer by Bruce-Liu Tuesday, July 06, 2010 7:11 AM
    Saturday, July 03, 2010 3:53 PM
  • Hi,

    On 03.07.2010 14:10, Anthony_Livingstone wrote:

    It appears that the GPO does not have rights to change the permissions on the registry key.

    You are right, because GPOs are applied as SYSTEM.

    It can only update the key if it already has SYSTEM = Full Control.

    or at least change

    But I need to push out SYSTEM = Full Control to all 650 PCs!!
    How can I get round this or what am I doing wrong?

    script it manually with a tool e.g. subinacl or setacl

    Mark


    Mark Heitbrink - MVP Windows Server - Group Policy

    Homepage:    www.gruppenrichtlinien.de - German
    NNTP Bridge: http://communitybridge.codeplex.com/releases

    Sunday, July 04, 2010 7:45 PM
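
The manual regedt32 step from the question, scripted so it can be repeated and checked. This is an added example, not part of the original thread: it uses the .NET registry ACL classes rather than subinacl or SetACL, and it assumes it is run elevated by an account that can already change the key's permissions (Domain Admins has Full Control in the question).

```powershell
# Added example: grant SYSTEM Full Control on one HKLM key, idempotently.
# Assumption: run elevated by an account that can already change the key's DACL.
param(
    [string]$SubKey = 'SOFTWARE\Classes\AcroExch.Document'   # key from the question
)

$rights = [System.Security.AccessControl.RegistryRights]
$system = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')  # NT AUTHORITY\SYSTEM

# Open with only the access needed to read and rewrite the DACL.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    $SubKey,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    $rights::ReadPermissions -bor $rights::ChangePermissions)
if ($null -eq $key) { throw "Key not found: HKLM\$SubKey" }

try {
    $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)

    # Look for an existing explicit or inherited allow ACE giving SYSTEM Full Control.
    $present = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $system -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band $rights::FullControl) -eq $rights::FullControl
        }

    if ($present) {
        Write-Output "SYSTEM already has Full Control on HKLM\$SubKey"
    } else {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $system, $rights::FullControl,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)      # adds one ACE, leaves the existing entries in place
        $key.SetAccessControl($acl)
        Write-Output "Added SYSTEM Full Control on HKLM\$SubKey"
    }
} finally {
    $key.Close()
}
```

Because it only adds an ACE when the check finds none, running it again reports the existing entry and changes nothing, which makes its output usable as a per-machine verification.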
  • Hi,

    I am having the same issue. I've configured a GPO to assign an MSI to computers, and also modify a few HKLM registry keys to allow full access for the user.

    The registry changes configured in my GPO do not apply, yet "SYSTEM" already has full access to the keys in question?

    "Product: Siebel ActiveX Components -- Error 1406.Could not write value  to key \SOFTWARE\Classes\caljswrapper.SSCalJSWrapper.  System error .  Verify that you have sufficient access to that key, or contact your support personnel."

    Am I missing something completely obvious?

    Thanks.

    Friday, October 15, 2010 10:34 AM