Setting Registry Access Permissions via Group Policy


In this exercise, we'll step through how to set Registry permissions via Group Policy. For the purposes of this exercise, we'll select the default domain policy. However, in practice, you might apply these settings to an OU, a site, or a domain.

1. Click Start | Run, type mmc in the Open text box, and then click OK to launch the Microsoft MMC.

2. Click File | Add/Remove Snap-in.

3. In the Add/Remove Snap-in dialog, click Add. Scroll through the list until you locate Group Policy Object Editor. Click to select it, and then click Add.

4. The Select Group Policy Object Wizard will launch. The default Group Policy Object (GPO) selected is Local Computer. Click Browse.

5. In the Browse for a Group Policy Object dialog, locate Default Domain Policy on the Domains/OUs tab and then click OK.

6. Click Finish to close the Select Group Policy Object Wizard. Click Close to close the Add Standalone Snap-in dialog. Click OK to close the Add/Remove Snap-in dialog.

7. In the left pane of the MMC, click the + to the left of Default Domain Policy to expand the tree.

8. Click the + to the left of Computer Configuration. In the expanded tree, click the + to expand Windows Settings.

9. Click the + to expand the Security Settings. In the list under Security Settings, locate the Registry node. Click to select the Registry node. If there are no subnodes, the tree will not expand and the + will not be displayed, as shown in Figure 9.15.

Figure 9.15 Registry Node in Group Policy Object Editor Snap-In


10. If any Registry policies exist, you can view or modify them here. If none exists, you can add a key.

11. For this exercise, let's assume you want to limit the ability to run the Regedt32 command. Click Registry, and then on the menu, click Action | Add Key. The Select Registry Key dialog is displayed, as shown in Figure 9.16.

Figure 9.16 Adding Key to Registry Access


12. In the Select Registry Key dialog, three keys are visible: CLASSES_ROOT, MACHINE, and USERS. Click the + to the left of USERS to expand the tree.

13. Click the + to expand .DEFAULT and locate the Software node, as shown in Figure 9.17.

Figure 9.17 Selecting the Software Node

[Screenshot: Select Registry Key dialog with USERS\.DEFAULT\Software as the selected key]

14. Expand the Software node, click the + to the left of the Microsoft node, and scroll down until you locate RegEdt32.

15. Click RegEdt32 to select it and then click OK. The Database Security for Users\.DEFAULT\Software\Microsoft\RegEdt32 dialog is displayed. You can now view or modify permissions for this key, as shown in Figure 9.18. The Administrators group is selected by default and has Full Control and Read permissions set to Allow by default.

Figure 9.18 View or Modify Permissions for Registry Key

[Screenshot: Database Security dialog, Security tab. Group or user names: Administrators (SMALLBUSINESS\Administrators), CREATOR OWNER, SYSTEM, Users (SMALLBUSINESS\Users). Permissions for Administrators: Full Control and Read set to Allow.]

16. Click Users and notice that in the Default Domain Policy, Users permissions are set to allow Read only, shown in Figure 9.19.

Figure 9.19 Users Permissions Set to Read Only by Default

[Screenshot: Database Security dialog, Security tab, with Users (SMALLBUSINESS\Users) selected. Permissions for Users: Read set to Allow.]

17. Users need to be able to read the Registry in order to perform normal system tasks, but they do not have the ability to modify the Registry in any way.

18. You can access Advanced settings to modify how permissions are inherited, to set auditing, or to change or delegate ownership as well. Remember, these settings will be applied via group policy. These options are shown in Figure 9.20.

Figure 9.20 Advanced Settings Options


19. Click Cancel to exit the Advanced Settings dialog without saving changes, or click OK to accept any changes you've made.

20. Click OK (or Cancel) to exit the Database Security for Users\.DEFAULT\Software\Microsoft\RegEdt32 dialog.

21. When you click OK, you will be prompted by an Add Object dialog. The default setting is Configure this key then...Propagate inheritable permissions to all subkeys. You can also select Configure this key then...Replace existing permissions on all subkeys with inheritable permissions. These two options were discussed in the previous exercise. The third option is to select Do not allow permissions on this key to be replaced. These options are shown in Figure 9.21.

Figure 9.21 Modifying Permissions for the RegEdt32 Registry Key


22. If you want to modify permissions, you can click the Edit Security button. Otherwise, click OK.

23. In the MMC, you now have an object listed in the right pane, which should reflect the Registry key we just added, USERS\.DEFAULT\Software\Microsoft\RegEdt32, as shown in Figure 9.22.

Figure 9.22 Default Domain Policy with RegEdt32 Permissions Specified


24. For the purposes of this exercise, we'll want to delete this key to leave the Default Domain Policy in its original state. Click the object, click the red X on the menu, or right-click and select Delete.

25. A Security Templates alert is displayed asking Are you sure you want to delete USERS\.DEFAULT\Software\Microsoft\RegEdt32? Click Yes to delete the key. Note that this does not delete the key from the Registry; it simply deletes the object from the policy.

26. Click File | Exit to exit the MMC. Click No when prompted to Save console settings.
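Added example (not part of the original text): a PowerShell check an administrator can run on a client to list any principal other than Administrators, SYSTEM, and CREATOR OWNER that is allowed to modify the key used in this exercise. The function name Get-RegistryWriteExposure and the choice of expected writers are assumptions made for this illustration.

```powershell
# Added example: report Allow entries that let unexpected principals modify a key.
function Get-RegistryWriteExposure {
    param(
        [Parameter(Mandatory)]
        [string]$KeyPath
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Warning "Key not found: $KeyPath"
        return
    }

    # Assumption: only these well-known SIDs should hold write access,
    # matching the non-user principals listed in the permissions dialog.
    $expectedWriters = @(
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-18',      # SYSTEM
        'S-1-3-0'        # CREATOR OWNER
    )

    # Rights that permit modification, plus GENERIC_WRITE and GENERIC_ALL,
    # which can appear on inherit-only entries.
    $specific  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
    $writeMask = $specific -bor 0x40000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $KeyPath -ErrorAction Stop

    # Ask for SIDs so the check does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.RegistryRights -band $writeMask) -eq 0) { continue }   # read-only entry
        if ($expectedWriters -contains $rule.IdentityReference.Value) { continue }

        [pscustomobject]@{
            Key       = $KeyPath
            Sid       = $rule.IdentityReference.Value
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
        }
    }
}

# The key from this exercise; no output means only the expected principals can write.
Get-RegistryWriteExposure -KeyPath 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\RegEdt32'
```

Run it from an elevated prompt after Group Policy has refreshed on the client; an entry for BUILTIN\Users (S-1-5-32-545) in the output would mean Users hold more than the Read permission shown in Figure 9.19.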
