Frank Heyne developed RegDACL, which allows you to query and change the
discretionary access control list (DACL) of any Windows NT Registry key. You can
of course use NT's built-in RegEdt32 to set registry permissions, but if you need
to edit more than a few machines you are faced with quite a boring job, and one
in which you are more prone to make mistakes. RegDACL gives you the ability to
use a batch script to perform this job. The freeware version 1.1 of RegDACL
allows you to define access permissions for the predefined groups Administrators,
Everyone, Interactive, Network, System, Creator Owner, User, Authenticated Users,
Batch, Local, Service, Anonymous Logon, Domain Administrators, Domain Users and
Domain Guests, and in much more detail than RegEdt32 will allow. The registered
version 2.0 of RegDACL will in addition allow you to change permissions for all
kinds of user-created local and domain accounts and groups.
The Discretionary Access Control List (DACL) is controlled by the owner of an
object and specifies the access particular users or groups can have to that
object. With RegDACL you can manage DACLs of Registry keys. If you need to
manage DACLs of files or directories on an NTFS volume, you can use CACLS, which
comes with NT, or the NT Resource Kit utility XCACLS, which provides some
extended functionality.
There is also a Windows 2000 version of the RegDACL utility available.
RegDACL for Windows NT and W2K has one tremendous advantage: its command-line
nature allows for automation. RegDACL for Windows NT also has one tremendous
disadvantage: it does not work with NT running SP4. This is not a defect in
RegDACL but a bug in SP4. Calling GetSecurityInfo() to retrieve a copy of the
security descriptor for a registry key handle fails under SP4. See "GetSecurityInfo
Fails on SP4 with 87:ERROR_INVALID_PARAMETER". This is not a widely known bug in
SP4, but it is a critical one if you need to automate the setting of registry
DACLs.
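
The kind of scripted DACL check described above, as an added example that is not RegDACL and not the author's code: it uses PowerShell's Get-Acl on current Windows versions to report registry keys whose DACL gives some of the predefined groups write access. The key list, the choice of groups and the function name Get-BroadWriteAce are assumptions made for illustration.

```powershell
# Added example (not RegDACL): report Allow ACEs that give broad groups write access.
# Constructed sample list of keys; replace with the keys you manage.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

# Well-known SIDs for some of the predefined groups (locale-independent match).
$broad = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-2'  = 'Network'
    'S-1-5-4'  = 'Interactive'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

# Rights that let a principal change the key or its security descriptor.
$R = [System.Security.AccessControl.RegistryRights]
$writeMask = [int]($R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
                   $R::ChangePermissions -bor $R::TakeOwnership) -bor
             0x10000000 -bor 0x40000000   # GENERIC_ALL / GENERIC_WRITE (inherit-only ACEs)

function Get-BroadWriteAce {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($p in $Path) {
        try { $acl = Get-Acl -Path $p -ErrorAction Stop }
        catch { Write-Warning "Cannot read DACL of ${p}: $_"; continue }
        # Request SIDs so matching does not depend on localized account names.
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow' -or -not $broad.ContainsKey($sid)) { continue }
            if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Key = $p; Group = $broad[$sid]
                Rights = $ace.RegistryRights; Inherited = $ace.IsInherited
            }
        }
    }
}

Get-BroadWriteAce -Path $keys | Format-Table -AutoSize
```

Keys the current account cannot read are reported as warnings rather than stopping the run, so the output should be read together with the warning stream.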