
I am trying to create a startup script that can be distributed via GPO to laptops (running 64bit Windows 7 Professional) to make it impossible for any user (including local administrators) to display the passwords for connected wireless networks. I have this done mostly but cannot figure out how to remove Users/Groups from the security entries on the key.

This is what I have so far, it basically defines variables and changes the ownership of the key to the local "Administrators" group.

$hkey = "HKEY_CLASSES_ROOT\AppID\{86F80216-5DD6-4F43-953B-35EF40A35AEE}"
$exe = "\\server\share\SetACL.exe"
& $exe -on $hkey -ot reg -actn setowner -ownr n:'Administrators'

The end result of the script should remove "BUILTIN\Administrators", "BUILTIN\Users", "SERVICE\TrustedInstaller" from Security entries, leaving only "BUILTIN\SYSTEM" with read permissions, and then taking permission away from SYSTEM and giving them to BUILTIN\Administrators. This configuration has been tested and works.

In order to use get-acl you have to map a ps-drive to the hkcr hive (because it's an alias that points to both {hklm,hkcu}\SOFTWARE\Classes?) so I have this for that, if get-acl is even needed to remove permissions:

New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
$dkey = "HKCR:\AppID\{86F80216-5DD6-4F43-953B-35EF40A35AEE}"
$acl = get-acl $dkey

I have found so much on the internet about adding deny permissions but I do not want to add deny, I just want to remove the entries as if clicking "remove" through properties>security.

Thanks!

bradford
  • You shouldn't really need to map a PSDrive. Updating the location `'HKLM:\SOFTWARE\Classes\AppID\{86F80216-5DD6-4F43-953B-35EF40A35AEE}\'` should work. - `I have decided to give permissions to "Domain Admins"` - Generally it is better to assign permissions to local groups, not domain groups. That way things won't break if you lose access to the domain on that machine. – Zoredache Aug 11 '16 at 19:46
  • I understand and agree with your point but I was thinking giving local administrators ownership would grant them read access to the key, which I want to take away from them, but now that I think about it the ownership should just give them the ability to change permissions on the key, not to read it, which is not a problem. – bradford Aug 11 '16 at 20:11
  • Also, keep in mind that no matter what permissions you set, local administrators can always take ownership of any local object and "fix" the permissions so they can read/write/etc. – Ryan Bolger Aug 11 '16 at 22:33
  • What's your concern about adding a deny to the ACL? – Geo Aug 11 '16 at 23:42
  • First instinct was, 'Use Set-ACL'. Second is, 'This is a job for GPO.' – Jeter-work Aug 31 '16 at 17:22
  • Group policy can natively set registry permissions via Computer Configuration->Policies->Windows Settings->Security Settings->Registry – Rob Feb 08 '21 at 18:28

1 Answer


Here is sample code to remove a specific user from a registry key:

# Read the key's current security descriptor
$acl = Get-Acl -Path HKLM:\SOFTWARE\Rajiv

# Build a rule matching the identity, rights and type of the ACE to drop
$AccessRule = New-Object System.Security.AccessControl.RegistryAccessRule ("MYPC\TEST", "FullControl", "Allow")

# Remove every Allow ACE for that identity, regardless of its rights mask
$acl.RemoveAccessRuleAll($AccessRule)

# Write the modified descriptor back to the key
$acl | Set-Acl -Path HKLM:\SOFTWARE\Rajiv

The above code removes the user "MYPC\TEST" from the permission set of the HKLM:\SOFTWARE\Rajiv key.

Manage File System ACLs using PowerShell

Rajiv Iyer
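As an added example (not code from the question or the answer), this applies the answer's approach to the key from the question: it breaks inheritance, purges every ACE for the listed principals, and returns the ACEs that remain so the result can be checked before it is written. It assumes the HKLM:\SOFTWARE\Classes path suggested in the comments rather than an HKCR: PSDrive, and the Windows well-known account names 'NT SERVICE\TrustedInstaller' and 'NT AUTHORITY\SYSTEM'.

```powershell
# Assumed Windows defaults: 'NT SERVICE\TrustedInstaller' and 'NT AUTHORITY\SYSTEM' are the
# SAM-style spellings of the accounts the question refers to; the key is reached via HKLM.
function Remove-RegistryKeyAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $KeyPath,
        [Parameter(Mandatory)] [string[]] $Principal,
        [switch] $DropInherited
    )

    $acl = Get-Acl -Path $KeyPath

    # Inherited ACEs cannot be removed one by one; protect the key first so its DACL
    # stands alone ($false = do not copy the inherited entries down as explicit ones).
    if ($DropInherited) {
        $acl.SetAccessRuleProtection($true, $false)
    }

    foreach ($name in $Principal) {
        $id = New-Object System.Security.Principal.NTAccount($name)
        # Drops every Allow and Deny ACE for this identity, whatever the rights mask,
        # which is what clicking "Remove" on the Security tab does.
        $acl.PurgeAccessRules($id)
    }

    if ($PSCmdlet.ShouldProcess($KeyPath, 'Replace DACL')) {
        Set-Acl -Path $KeyPath -AclObject $acl
    }

    # Return the in-memory DACL so the caller can confirm only the intended ACEs survive.
    $acl.Access | Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

# Usage against the key from the question; -WhatIf previews the resulting DACL
# without writing it. Run from an elevated session.
$key = 'HKLM:\SOFTWARE\Classes\AppID\{86F80216-5DD6-4F43-953B-35EF40A35AEE}'
$remove = 'BUILTIN\Administrators', 'BUILTIN\Users', 'NT SERVICE\TrustedInstaller'
Remove-RegistryKeyAccess -KeyPath $key -Principal $remove -DropInherited -WhatIf
```

Because the Administrators group is left as owner (per the question's SetACL step), an administrator can always reset this DACL later, which is the limitation the comments point out.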