Question
Thursday, September 11, 2014 8:53 AM
Hi,
I'm trying to work out how to remove certain access, e.g. Everyone read access, to a test registry key via PowerShell and am at a loss. Code listed below:
Thanks in advance
Function RemovePermission()
{
    # Read the key's current DACL
    $acl = Get-Acl -Path HKCU:\SOFTWARE\TESTKEY
    # Build a rule describing the ACE to remove and drop it from the DACL
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule("EVERYONE","WriteKey","Allow")
    $acl.RemoveAccessRule($rule)
    # Write the modified DACL back to the key
    Set-Acl -Path "HKCU:\SOFTWARE\TESTKEY" -AclObject $acl
    # Display the resulting DACL
    Get-Acl -Path 'HKCU:\SOFTWARE\TESTKEY' | fl
}
All replies (4)
Thursday, September 11, 2014 12:59 PM ✅ Answered | 1 vote
If you're trying to simply remove 'Everyone' from the DACL (the 'Access' property), try the PurgeAccessRules() method:
$Acl.PurgeAccessRules([System.Security.Principal.NTAccount] "Everyone")
If you only want to remove 'Allow' (or 'Deny') permissions, you could use the RemoveAccessRuleAll() method. If I recall correctly, it should check the principal and the access type of the rule you pass into it and remove any ACEs that match those:
$Acl.RemoveAccessRuleAll($Rule)
You're currently using RemoveAccessRule(), which removes only the access listed in the rule. Since the rule you've created doesn't include inheritance and propagation flags, the rule only applies to the registry key. For example, if the key in question currently has 'Allow WriteKey' for 'Everyone' and it applies to the key and all subkeys, calling RemoveAccessRule() like you are doing will leave an ACE that has 'Allow WriteKey' for 'Everyone' that applies to all subkeys (but not the key itself). To fix that, you could create your rule this way:
$Rule = New-Object System.Security.AccessControl.RegistryAccessRule(
"Everyone",
"WriteKey", # RegistryRights
"ContainerInherit, ObjectInherit", # Inheritance flags
"None", # Propagation flags
"Allow"
)
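Putting the answer above together end to end, as an added example that is not code from the thread: it creates the throwaway key HKCU:\SOFTWARE\TESTKEY from the question, grants Everyone an inheritable Allow WriteKey ACE as constructed test state, removes every explicit Everyone ACE with PurgeAccessRules(), and then checks the DACL rather than trusting that the call succeeded. The key path is the one from the question; the function and variable names are this example's own. It runs as the current user because HKCU keys need no elevation.

```powershell
# Added example, not from the original thread. Assumes the key path from the
# question; all variable and function names here are this example's own.

$KeyPath  = 'HKCU:\SOFTWARE\TESTKEY'
$Everyone = [System.Security.Principal.NTAccount] 'Everyone'

# Constructed test state: make sure the key exists and carries an inheritable
# Allow WriteKey ACE for Everyone, i.e. the situation the question describes.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
$Acl   = Get-Acl -Path $KeyPath
$Grant = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $Everyone,
    [System.Security.AccessControl.RegistryRights]::WriteKey,
    [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$Acl.AddAccessRule($Grant)
Set-Acl -Path $KeyPath -AclObject $Acl

# Remove every explicit ACE for the principal, whatever rights, inheritance
# flags or access type (Allow/Deny) it carries. RemoveAccessRuleAll($Grant)
# would do the same for Allow ACEs only, which is the narrower option the
# answer mentions.
function Remove-PrincipalFromRegistryKey {
    param(
        [string] $Path,
        [System.Security.Principal.NTAccount] $Principal
    )
    $Dacl = Get-Acl -Path $Path
    $Dacl.PurgeAccessRules($Principal)
    Set-Acl -Path $Path -AclObject $Dacl
}

# Report the explicit ACEs that still name the principal after the purge.
# Inherited ACEs are skipped: they come from the parent key and cannot be
# removed on this key, only on the parent or by breaking inheritance.
function Get-RemainingExplicitAces {
    param(
        [string] $Path,
        [System.Security.Principal.NTAccount] $Principal
    )
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Principal.Value }
}

Remove-PrincipalFromRegistryKey -Path $KeyPath -Principal $Everyone
$Remaining = @(Get-RemainingExplicitAces -Path $KeyPath -Principal $Everyone)
if ($Remaining.Count -ne 0) {
    throw "Everyone still has $($Remaining.Count) explicit ACE(s) on $KeyPath"
}
Write-Output "No explicit ACEs for Everyone remain on $KeyPath"
Get-Acl -Path $KeyPath | Format-List
```

The verification step is the part the question's script lacks: a Set-Acl that writes back an unchanged DACL reports no error, so checking the Access list afterwards is the only way to know the principal is really gone. If the check still lists Everyone with IsInherited set to True, the ACE is coming from a parent key and has to be dealt with there.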
Thursday, September 11, 2014 9:02 AM
What is not working? Using your code worked for me, "WriteKey" removes the "Set Value", "Create Subkey" & "Read Control" permissions for the Everyone group.
Thursday, September 11, 2014 9:04 AM
The Everyone group is not going from the list, which is the aim of the code. So if doing this manually, we would highlight the Everyone group in the permissions and then click on Remove, and it would go from the list.
Thursday, September 11, 2014 11:03 AM
I can't seem to find a way to remove the group entirely without having to remove all of the permissions it has assigned individually. Is there any reason it needs to be in a script rather than being controlled through Group Policy?