Problem
You want to change the ACL of a registry key.
Solution
To set the ACL on a registry key, use the Set-Acl cmdlet. This example grants an account write access to a registry key under HKLM:\Software. This is especially useful for programs that write to administrator-only regions of the registry, which prevents them from running under a non-administrator account.
# Retrieve the key's current ACL, add an Allow rule, and write it back
cd HKLM:\Software\MyProgram
$acl = Get-Acl .
$arguments = "LEEDESK\Lee","FullControl","Allow"
$accessRule = New-Object System.Security.AccessControl.RegistryAccessRule $arguments
$acl.SetAccessRule($accessRule)
$acl | Set-Acl .
Discussion
The Set-Acl cmdlet sets the security descriptor of an item. This cmdlet doesn’t only work against the registry, however. Any provider (for example, the filesystem provider) that supports the concept of security descriptors also supports the Set-Acl cmdlet.
The Set-Acl cmdlet requires that you provide it with an ACL to apply to the item. While it is possible to construct the ACL from scratch, it is usually easiest to retrieve it from the item beforehand (as demonstrated in the solution). To retrieve the ACL, use the Get-Acl cmdlet. Once you’ve modified the access control rules on the ACL, simply pipe them to the Set-Acl cmdlet to make them permanent.
In the solution, the $arguments list that we provide to the RegistryAccessRule constructor explicitly sets an Allow rule on the Lee account of the LEEDESK computer for FullControl permission.
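As an added example (not from the original recipe), the following function applies the same Get-Acl / Set-Acl pattern but grants only the rights a program needs to write under its own key, applies them to subkeys through inheritance, and reads the ACL back for verification. The path HKLM:\Software\MyProgram and the account LEEDESK\Lee are taken from the solution; the function name is my own.

```powershell
# Added example, not part of the original recipe.
# Assumptions: the key HKLM:\Software\MyProgram exists, "LEEDESK\Lee" stands
# for the account you intend to grant, and the session is elevated (changing
# an HKLM ACL requires administrator rights).
function Grant-RegistryWriteAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account,
        # Least privilege: enough to read the key, write values and create
        # subkeys, but not to change permissions or take ownership, which
        # FullControl would also allow.
        [System.Security.AccessControl.RegistryRights] $Rights =
            'ReadKey, SetValue, CreateSubKey'
    )

    # Start from the existing ACL so the entries already present
    # (for example SYSTEM and Administrators) are preserved.
    $acl = Get-Acl -Path $Path

    # Apply the rule to this key and to every subkey beneath it.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $Account, $Rights, $inherit, $propagate, $allow

    # SetAccessRule replaces any existing Allow rule for the same identity,
    # so running the function twice does not accumulate duplicate entries.
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Read the ACL back and return the explicit (non-inherited) entries so the
    # result can be checked, for example against a baseline in an audit script.
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, RegistryRights, AccessControlType,
                      InheritanceFlags
}

Grant-RegistryWriteAccess -Path 'HKLM:\Software\MyProgram' -Account 'LEEDESK\Lee'
```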
Although the Set-Acl command is powerful, you may already be familiar with command-line tools that offer similar functionality (such as SubInAcl.exe). You can of course continue to use these tools from PowerShell.
For more information about the Set-Acl cmdlet, type Get-Help Set-Acl.