Auditing Registry Folder Permissions #2

(imported topic written by SystemAdmin)

Hi BF Experts and Members,

I got a followup inquiry on my previous post.

Currently I have got this solution from fongrob, one of the forumers here :slight_smile:

Q: effective access mode for "administrators" of dacls of security descriptors of key "HKEY_LOCAL_MACHINE\Software" of registry

Is there a way to check a specific user's permission with prefix "RON" instead of a user group like administrators and users, using the query above?

(sample user name - RONxxx123xxx)

Thanks and have a good day :slight_smile:

(imported comment written by BenKus)

Hey rvnava,

Do you know the username or do you just know it starts with RON? Also… Do you think there are multiple accounts that start with RON? And are these local or domain users?

Ben

(imported comment written by SystemAdmin)

Ben Kus

Hey rvnava,

Do you know the username or do you just know it starts with RON? Also… Do you think there are multiple accounts that start with RON? And are these local or domain users?

Ben

The user names to be audited start with the prefix RON. Would it be possible to have a wildcard after the RON as well?

(imported comment written by BenKus)

Hey rvnava,

You can do stuff like this:

q: effective read permissions for ("username1";"username2";"domain\username3") of dacls of security descriptors of key "HKEY_LOCAL_MACHINE\Software" of registry

OR something like

q: effective read permissions for (names of local users whose (name of it as lowercase starts with "ron")) of dacls of security descriptors of key "HKEY_LOCAL_MACHINE\Software" of registry

Or you can substitute any relevance expression that returns the names of the users in the () above.

Ben

(imported comment written by SystemAdmin)

Great! I'll check this one out. Thanks for the support!

(imported comment written by khanand91)

Hi … if I run any of the reg queries for domain users it doesn't return anything; I think the query is still running, but wait for at least 10 minutes.

Is there an easier way to find out whether a user has been granted perms on a reg key … btw we have > 100k users in the domain.

thanks

(imported comment written by bhobbs91)

This should give you read permissions for every user starting with RON.

Q: (((account name of it, domain name of it) of trustee of it, read permissions of it) of it) of entries whose (account name of trustee of it starts with "RON") of dacl of security descriptor of key "HKEY_LOCAL_MACHINE\Security" of registry

This may not be the most efficient of queries, but it will return the data you are looking for. There is a situation where, when a user has both inherited read permissions and explicit read permissions, they will be listed twice.

Q: conjunction of (read permissions of entries whose (account name of trustee of it starts with "RON") of dacl of security descriptor of key "HKEY_LOCAL_MACHINE\Security" of registry)

This will return true if all users starting with RON have read permissions on HKLM\Security.

EDIT: Pasted wrong relevance initially.

(imported comment written by khanand91)

Thanks, but not quite what I'm looking for …

I need something that will ideally just tell me whether a user has an ACL on a specific reg key … I'm not really interested in inheritance etc.

I guess if I could just list the ACLs out, then do a string check on the users I'm looking for, that would do it …

(imported comment written by jessewk)

Ben's second query will return true/false based on whether there is a user name that starts with "RON" with read permissions on the key.

What are you looking for that's missing from that?

(imported comment written by khanand91)

Hi Jesse,

On Ben's 2nd query: for local users, if the user does not exist I get 0 results, which doesn't return a true/false at all for me. For domain users, which is what I'm looking for, in the graphical breakdown view I just see ??? … I have given it at least 10 minutes and it still seems to be thinking about giving me an answer, i.e. just ???. A simple true/false on whether the ACL is applied directly to the key in question is what I am after … thanks

(imported comment written by bhobbs91)

This will work for a single user:

q: read permissions of entries whose (account name of trustee of it = "Administrators") of dacl of security descriptor of key "HKEY_LOCAL_MACHINE\Security" of registry

This would be true if Administrators have access to read this particular key.

(imported comment written by khanand91)

I get multiple results for the admin group, nothing back for the admin user … and again, if I replace it with a domain user account I get nothing back at all … oh well, I guess it's back to good old VBScript on this one.
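Since the thread ends with the question of just listing the ACEs on one key and string-matching the account names, here is an added PowerShell example that does exactly that outside of BigFix (example code, not from any poster in this thread). It assumes an elevated session on the audited host, uses `HKLM:\Software` as the sample key because `HKLM\SECURITY` is readable only by SYSTEM by default, and takes the `RON` prefix from the thread.

```powershell
# Added example (not from this thread): list every access control entry on a
# registry key whose trustee name starts with a prefix, and report whether any
# of them is applied directly to the key (not inherited).
# Assumptions: elevated PowerShell on the Windows host being audited;
# $KeyPath and $Prefix are sample values chosen for this example.
param(
    [string]$KeyPath = 'HKLM:\Software',
    [string]$Prefix  = 'RON'
)

$readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
$acl     = Get-Acl -Path $KeyPath
$found   = @()

foreach ($ace in $acl.Access) {
    # IdentityReference.Value is "DOMAIN\user", "BUILTIN\Administrators", or a
    # raw SID string if the account cannot be resolved (those never match a
    # name prefix, so they are listed separately below).
    $account = ($ace.IdentityReference.Value -split '\\')[-1]
    if ($account -like "$Prefix*") {
        $found += [pscustomobject]@{
            Account   = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType        # Allow or Deny
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            # True only for an Allow ACE that grants the full ReadKey set
            CanRead   = ($ace.AccessControlType -eq 'Allow') -and
                        (($ace.RegistryRights -band $readKey) -eq $readKey)
        }
    }
}

$found | Format-Table -AutoSize

# Unresolved SIDs are worth knowing about when auditing: they are usually
# deleted accounts that still hold an ACE on the key.
$acl.Access | Where-Object { $_.IdentityReference.Value -match '^S-1-' } |
    ForEach-Object { Write-Warning "Unresolved SID on ${KeyPath}: $($_.IdentityReference.Value)" }

# The plain true/false asked for in the thread: does any matching account
# hold an explicit (non-inherited) ACE on this particular key?
$hasDirectAce = [bool]($found | Where-Object { -not $_.Inherited })
Write-Output "Direct ACE for '$Prefix*' on ${KeyPath}: $hasDirectAce"
```

This reads only the ACEs written on the key itself, so it answers the "is the ACL applied directly" question but not the effective-access one, which would also require expanding the user's group memberships.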