New-CMRegistryAccessControlEntry

Create a registry key access control entry.

Syntax

New-CMRegistryAccessControlEntry
   [-AccessOption <AccessType>]
   -GroupOrUserName <String>
   [-Permission <RegistryPermissions[]>]
   [-DisableWildcardHandling]
   [-ForceWildcardHandling]
   [<CommonParameters>]

Description

Use this cmdlet to create an access control entry (ACE) for a registry key. An access control entry defines specific permissions for a specific user or group. You can use this object with the New-CMRequirementRuleRegistryKeyPermissionValue cmdlet to create a requirement rule on an application deployment type that verifies registry key permissions.

Note

Run Configuration Manager cmdlets from the Configuration Manager site drive, for example PS XYZ:\>. For more information, see getting started.

Examples

Example 1: Add a requirement rule for registry key permissions

This example first uses the Get-CMGlobalCondition cmdlet to get a custom global condition. Then it creates two access control entries for specific users. Next it uses the New-CMRequirementRuleRegistryKeyPermissionValue cmdlet to create the requirement rule object. Finally it passes that rule object to the Set-CMScriptDeploymentType cmdlet to add the requirement.

$myGC = Get-CMGlobalCondition -Name "LOB app registry key"

$userName = "contoso\jqpublic"
$ce = New-CMRegistryAccessControlEntry -GroupOrUserName $userName -AccessOption Allow -Permission Read,Write

$userName2 = "contoso\jdoe"
$ce2 = New-CMRegistryAccessControlEntry -GroupOrUserName $userName2 -AccessOption Allow -Permission Read

$myRule = $myGC | New-CMRequirementRuleRegistryKeyPermissionValue -Exclusive $false -ControlEntry $ce,$ce2

Set-CMScriptDeploymentType -ApplicationName "Central app" -DeploymentTypeName "Install" -AddRequirement $myRule

Parameters

-AccessOption

Specify whether this ACE is to Allow or Deny access.

Type:AccessType
Accepted values:Allow, Deny
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DisableWildcardHandling

This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ForceWildcardHandling

This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-GroupOrUserName

Specify the group or user name for this ACE. Use standard "domain\name" format. For example, contoso\jqpublic or "nwtraders\All IT Users".

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Permission

Specify an array of one or more permissions for this ACE. Use the AccessOption parameter to specify whether these permissions Allow or Deny access.

Type:RegistryPermissions[]
Aliases:Permissions
Accepted values:ChangePermissions, CreateLink, CreateSubkey, Delete, EnumerateSubkeys, FullControl, Notify, QueryValue, Read, ReadPermissions, SetValue, TakeOwnership, Write
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

None

Outputs

System.Object