Giving write permissions through Remote Registry
So, today I had to give a user permission to access the Remote Registry on a Windows Server 2008 R2 machine. You could be forgiven for thinking this would be a relatively trivial task.
Some quick googling revealed that before a user can even read anything, they must have permissions on the following key:
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Granting the user Read permission (or Full Control) on this key enables them to connect to the remote registry and browse it. This is where the useful information stops, but it turns out that in order to give the user permission to write to the registry, you need to manually set their permission on every key they want to write to.
To be fair, this is quite logical; it’d just be nice if it was documented somewhere :)
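The two steps described above, as an added PowerShell example that is not part of the original post: it grants Read (rather than Full Control) on the winreg key, then write rights on one specific key only. The account CONTOSO\jdoe, the key HKLM:\SOFTWARE\ExampleApp and the helper name Grant-RegistryAccess are hypothetical placeholders; run it from an elevated session on the server itself.

```powershell
# Placeholders (assumptions, not values from the post): replace before use.
$Account     = 'CONTOSO\jdoe'
$WinregKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$WritableKey = 'HKLM:\SOFTWARE\ExampleApp'

# Hypothetical helper: adds one Allow rule to a registry key's ACL,
# leaving the existing rules in place.
function Grant-RegistryAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Identity,
        [Parameter(Mandatory = $true)]
        [System.Security.AccessControl.RegistryRights] $Rights,
        [System.Security.AccessControl.InheritanceFlags] $Inheritance = 'None'
    )
    if (-not (Test-Path -Path $Path)) {
        throw "Registry key not found: $Path"
    }
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, $Rights, $Inheritance,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Step 1: Read on winreg lets the account connect to and browse the
# remote registry. Nothing more is needed on this key.
Grant-RegistryAccess -Path $WinregKey -Identity $Account -Rights ReadKey

# Step 2: write access must be set on each key the account has to modify.
# SetValue/CreateSubKey instead of FullControl keeps the account from
# changing the key's permissions or owner; ContainerInherit extends the
# rule to subkeys.
Grant-RegistryAccess -Path $WritableKey -Identity $Account `
    -Rights 'ReadKey, SetValue, CreateSubKey' -Inheritance ContainerInherit

# Check: list the rules that now apply to the account on both keys.
foreach ($key in $WinregKey, $WritableKey) {
    (Get-Acl -Path $key).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{ n = 'Key'; e = { $key } }, RegistryRights,
                      AccessControlType, IsInherited
}
```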