DOCUMENT:Q221766 10-AUG-2001 [winnt] TITLE :Registry Permissions Not Inherited Properly PRODUCT :Microsoft Windows NT PROD/VER:winnt:4.0 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server version 4.0 - Microsoft Windows NT Server version 4.0, Terminal Server Edition ------------------------------------------------------------------------------- SYMPTOMS ======== After securing the registry with C2Config, subkeys created in the HKEY_LOCAL_MACHINE\SOFTWARE, HKEY_LOCAL_MACHINE\SOFTWARE\Classes, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft, and HKEY_LOCAL_MACHINE\SOFTWARE\Secure keys do not inherit the expected permissions. CAUSE ===== C2Config sets the inherited permissions separately from the object permissions. The permissions to be set are defined in the C2RegACL.inf file, and it does not include the permissions to be inherited by subkeys. RESOLUTION ========== To resolve this problem you should add the permissions to be inherited to the C2RegACL.inf file. Example: Section of C2RegACL.inf before modifications: [HKEY_LOCAL_MACHINE\SOFTWARE] BUILTIN\Administrators = FULL CREATOR OWNER = FULL SYSTEM = FULL Everyone = QV, SV, CS, ES, NT, DE, RC Section of C2RegACL.inf after adding inherited permissions: [HKEY_LOCAL_MACHINE\SOFTWARE] BUILTIN\Administrators = FULL BUILTIN\Administrators = INHERIT, FULL CREATOR OWNER = FULL CREATOR OWNER = INHERIT, FULL SYSTEM = FULL SYSTEM = INHERIT, FULL Everyone = QV, SV, CS, ES, NT, DE, RC Everyone = INHERIT, QV, SV, CS, ES, NT, DE, RC Note the INHERIT entry in the permissions. This is the option that sets the permissions that will be inherited by subkeys. Additional query words: SECURITY CONFIGURATION EDITOR ====================================================================== Keywords : Technology : kbWinNTsearch kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbNTTermServ400 kbNTTermServSearch Version : winnt:4.0 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.