
Changing owner of HKCR\CLSID\* key to Administrator on Windows Server 2008 R2


There is a registry key on Win Server 2008 R2,

HKCR:\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

whose owner is not Administrator. It is TrustedInstaller. Now, to make the remote DCOM/WMI connection work, I need to give Administrator Full Control over this key and ownership as well. As this needs to be done on several machines, I was hoping I could do this using PowerShell. I followed these

Controlling Registry ACL Permissions with Powershell

Change the owner of directories with powershell

but I still get this error

Exception calling "OpenSubKey" with "3" argument(s):
"Requested registry access is not allowed."

The code I am trying to run is simple

$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(
  "CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",
  [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
  [System.Security.AccessControl.RegistryRights]::TakeOwnership
)
echo $key

Any ideas on how to change ownership of this key? I believe once the ownership is changed to Administrator, I will be able to change permissions using Set-Acl.


Solution

  • I was able to achieve this in PowerShell using the following script:

    # Checking OS Version and changing Registry Key permissions accordingly. We do need
    # to change reg-key ownership for Win Server 2008, but in 2008 R2, owner of one of
    # the required keys is TrustedInstaller instead of Administrator. Thus we need to
    # change the owner back to Admin in order to make any changes to that key.
    echo "Checking Operating System Version..."
    $cv = (gi "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion")
    $wv = $cv.GetValue("ProductName")
    echo "$wv"
    # Mounting HKey_ClassesRoot Registry key as a drive - Silent
    New-PSDrive -name HKCR -PSProvider Registry -root HKEY_CLASSES_ROOT | Out-Null
    $acl = Get-Acl "HKCR:\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}"
    $owner = $acl.Owner
    # Case 48188: Because Windows has server version like Windows Web Server 2008 R2, we
    # cannot validate the version name using "Windows Server 2008 R2". We will only
    # check if the name contains "Server 2008 R2".
    if($wv.Contains("Server 2008 R2") -and !$owner.Contains("Administrators"))
    {
      echo "Setting Administrators Group privileges in Windows Registry..."
      # enable-privilege is not a built-in cmdlet; it is a helper function that must
      # already be defined in the session before this script runs.
      $boolResult = enable-privilege SeTakeOwnershipPrivilege
      if(-not $boolResult)
      {
        echo "Privileges could not be elevated. Changing ownership of the registry"
        echo "key would fail. Please change ownership of key"
        echo "HKCR\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} to Administrators"
        echo "Group manually."
        return
      }
      $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(
        "CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::takeownership
      )
      # You must get a blank acl for the key b/c you do not currently have access
      $acl = $key.GetAccessControl(
        [System.Security.AccessControl.AccessControlSections]::None
      )
      $owner = [System.Security.Principal.NTAccount]"Administrators"
      $acl.SetOwner($owner)
      $key.SetAccessControl($acl)
    
      # After you have set owner you need to get the acl with the perms so you can
      # modify it.
      $acl = $key.GetAccessControl()
      $person = [System.Security.Principal.NTAccount]"Administrators"
      $access = [System.Security.AccessControl.RegistryRights]"FullControl"
      $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit"
      $propagation = [System.Security.AccessControl.PropagationFlags]"None"
      $type = [System.Security.AccessControl.AccessControlType]"Allow"
    
      $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $person,$access,$inheritance,$propagation,$type
      )
      $acl.SetAccessRule($rule)
      $key.SetAccessControl($acl)
    
      $key.Close()
      echo "Administrators Group ownership privileges set."
    }