RE: Securing access to network registry
From: Keven (kdenton_at_xpsystems.com)
Date: Thu, 24 Jul 2003 08:13:52 -0700
>Thank you for the posting.
>I understand you performed the steps in knowledge base
article 153183 and
>then when you log on as just a domain user you can get
read access to
>HKEY_CLASSROOT and HKEY_USERS.
>This is normal because your domain user account is in the
>group. To test whether the restriction is effective, you
can have other
>domain user log on your computer and they should not be
able to access the
>registry keys because they are not in the administrators
>If you want, you can also remove your domain user account
>administrators group to pervent it from accessing the
>Anyone in the administrators group can have access to the
>Only those who are not in the administrators group will
be prevented from
>accessing the registry keys.
>Hope the above information and suggestion helps and
answers your question.
>If anything is unclear, please let me know.
>MCSE2000, MCSA2000, MCDBA2000
>Microsoft Partner Online Support
>Get Secure! - www.microsoft.com/security
>When responding to posts, please Reply to Group via your
>that others may learn and benefit from your issue.
>This posting is provided AS IS with no warranties, and
confers no rights.
I think I might have been unclear. I created a domain
user. This guy is not part of the administrators group on
my machine, the domain or the remote machine I am trying
to access. Yet I can still get to
then when you log on as just a domain user you can get
read access to
HKEY_CLASSROOT and HKEY_USERS. If I use my account which
is a domain admin then I can edit the full registry that
is fine. I just want to know why a person with no
explicit rights still gets the read right to the above
keys. Thanks for your help. Keven