Setting Registry Permissions

by May 30, 2014

Setting permissions for Registry keys isn't trivial. With a little trick, though, it is no big deal anymore.

First, open REGEDIT and create a sample key. Next, right click the key and use the UI to set the permissions you want.

Now, run this script (adjust the path to the Registry key you just defined):

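# path to the sample key whose permissions you set in REGEDIT
$Path = 'HKCU:\software\prototype'
$sd = Get-Acl -Path $Path
# copy the key's security descriptor, in SDDL form, to the clipboard
$sd.Sddl | clip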

It reads the security information from your key and copies it to the clipboard.

Now, use this script to apply the exact same security settings to any new or existing Registry key you want. Simply select the SDDL definition in this script, and replace it with the one you just created:

# replace the content of this variable with the SDDL you just created
$sddl = 'O:BAG:S-1-5-21-1908806615-3936657230-2684137421-1001D:PAI(A;CI;KR;;;BA)(A;CI;KA;;;S-1-5-21-1907506615-3936657230-2684137421-1001)'

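$Path = 'HKCU:\software\newkey'
# create the key if it does not exist yet (the error for an existing key is suppressed)
$null = New-Item -Path $Path -ErrorAction SilentlyContinue

# read the key's current security descriptor, overwrite it with the SDDL, and write it back
$sd = Get-Acl -Path $Path
$sd.SetSecurityDescriptorSddlForm($sddl)
Set-Acl -Path $Path -AclObject $sd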

You may need to run this script with full Administrator privileges. As you can see, the first script and your sample Registry key were only needed to generate the SDDL text. Once you have it, you simply paste it into the second script. The second script does not need any sample key anymore.
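
An SDDL string names accounts by SID, and an account SID copied from one machine does not necessarily resolve on another, so it pays to see what the string grants before passing it to Set-Acl. The following is an added example, not part of the original tip: it parses an SDDL string in memory, lists each access rule, and flags SIDs that do not resolve locally. The function name Test-RegistrySddl and the sample SDDL are assumptions constructed for illustration.

```powershell
# Added example (not from the original tip): list what an SDDL string grants
# and flag SIDs that do not resolve on this machine, before calling Set-Acl.
function Test-RegistrySddl {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Sddl)

    # Parse into a RegistrySecurity object in memory; no Registry key is touched
    $sd = New-Object System.Security.AccessControl.RegistrySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)

    # Request rules keyed by SID so enumeration does not depend on name lookup
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $sd.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $null          # any translation failure counts as unresolved
        }
        [pscustomobject]@{
            Sid      = $sid.Value
            Account  = $account
            Resolved = [bool]$account
            Type     = $rule.AccessControlType
            Rights   = $rule.RegistryRights
            Inherit  = $rule.InheritanceFlags
        }
    }
}

# Constructed sample input: same shape as the SDDL in the tip, built from
# the well-known Administrators alias (BA), the current user's SID, and a
# made-up account SID standing in for one copied from another machine.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$foreign = 'S-1-5-21-1111111111-2222222222-3333333333-1001'   # constructed
$sddl    = "D:PAI(A;CI;KR;;;BA)(A;CI;KA;;;$me)(A;CI;KA;;;$foreign)"

$report = Test-RegistrySddl -Sddl $sddl
$report | Format-Table -AutoSize

# Gate the Set-Acl step on every SID resolving locally
$unresolved = @($report | Where-Object { -not $_.Resolved })
if ($unresolved.Count -gt 0) {
    $list = $unresolved.Sid -join ', '
    Write-Warning "Not applying; these SIDs do not resolve on this machine: $list"
}
```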
