
Making changes to specific registry parts requires admin rights REGARDLESS of whether you have permission to edit these keys or values set explicitly. This means that if I want to make some changes to a very specific set of keys under a very specific username that has been granted very specific rw permissions to these keys, he still needs to be part of the Admin group, which defeats the point, as the admin group can now manage access easier than usual.

My grand idea is to restrict access to these registry keys only to this user, let the rest have read-only access and kick off the admin group. The problem is that I can't do the last because then my specific user's rw means jack shit since he can't modify the registry via either the API or built-in Windows tools.

Is there a way for me to fine-tune this somehow?

Digika

1 Answer


Assuming Windows 10, no. Natively the user changing the registry must be a member of the Admin group.

Look at Power Broker for Windows (extension of Group Policy). This may be able to provide the granular permissions you need.

https://www.beyondtrust.com/press/powerbroker-windows-introduces-new-ways-help-security-teams-manage-access-policy-efficiently
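
The ACL layout the question describes (one account read/write, everyone else read-only, no Administrators entry), written with PowerShell's registry ACL cmdlets and followed by a check that lists every identity still holding write-type rights on the key. This is an added example, not part of the question or the answer; the key path, the account name and the choice of BUILTIN\Users for "the rest" are assumptions.

```powershell
# Added example. $KeyPath and $Account are placeholders, not values from the post.
$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
$Account = [System.Security.Principal.NTAccount]::new('EXAMPLEPC\reg-editor')
# Assumption: "the rest" is BUILTIN\Users, addressed by its well-known SID so the
# script does not depend on a localized group name.
$Users = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-545')

function New-RegRule($Identity, [System.Security.AccessControl.RegistryRights]$Rights) {
    # Allow rule on the key that is also inherited by its subkeys.
    [System.Security.AccessControl.RegistryAccessRule]::new(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl = Get-Acl -Path $KeyPath

# Stop inheriting from the parent key and drop the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Drop every explicit entry already on the key, Administrators included.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRuleSpecific($rule)
}

# Read/write for the one account, read-only for everyone else.
$acl.AddAccessRule((New-RegRule $Account 'ReadKey, WriteKey, Delete'))
$acl.AddAccessRule((New-RegRule $Users 'ReadKey'))
Set-Acl -Path $KeyPath -AclObject $acl

# Audit: list each Allow entry that carries any write-type right.
# With the layout above, only $Account should appear.
$writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
(Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $writeMask) } |
    Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
```

Run it from an account that is allowed to change permissions on the key. Removing the Administrators entry does not stop an administrator from taking ownership of the key and rewriting its ACL, so the audit at the end is worth re-running or scheduling.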