You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.
close

15: How do I use Least Privilege Manger to Elevate .reg files to allow import by standard users

The registry requires elevated rights to be updated. Least Privilege Manager can be used to elevate the rights of a standard user to allow specific .reg files be imported without an administrator.

Note: We recommend you put the .REG file on a server so the file itself is under permissions which cannot be tampered with. It could be a risk to put the .REG file locally on the hard drive where anyone could edit the raw contents.

Method 1: New Executable Policy

  1. Create new GPO where required
  2. Expand PolicyPak node on either Computer or User Configuration side and click on “Least Privilege Manager”
  3. Add new EXE Policy (a or b)

  4. Select “Use Combo Rule …” -> NEXT

  5. Under Conditions check “Path”, and under Settings check “Command-line arguments” and “Apply to child processes” -> NEXT

  6. Under Path Condition click the Add drop-down and select “Add file ...”

  7. Either browse for regedit.exe, or type in “%SYSTEMROOT%\regedit.exe” -> OK

  8. Click on Command-line Arguments

    1. Under Check Mode select “Strict equality”
    2. In the Arguments box type in text entered in Path Condition (step7) and path to .reg file to elevate
    3. Check “Ignore arguments case”
    4. NEXT

  9. Select “Run with elevated privileges” -> NEXT

  10. Rename and set Item Level Targeting if required -> FINISH

Method 2: New Script Policy

Before you create the policy, place your script on a server or secure, shared location (e.g. \\server\share\PSscript.ps1). The follow is a sample script that can be used with either PowerShell or as a batch file to import a .REG file:

Regedit.exe /s \\server\share\NewRegValue.reg

  1. Create new GPO where required
  2. Expand PolicyPak node on either Computer or User Configuration side and click on “Least Privilege Manager”
  3. Create new SCRIPT Policy (a or b)

  4. Select “Use Combo Rule …” -> NEXT

    Note: Although you can use a simple rule and simply use path as the qualifying factor, for security purposes it is recommended to have multiple qualifying factors.

  5. Under Conditions check “Path” and “Hash” -> NEXT

    Note: If you make changes to the script, the Hash value will need to be updated for the policy to remain valid. Alternatively, if you digitally sign your script, Signature can be used instead of Hash as the second method of validation.

  6. Under Path Condition click the Add drop-down and select “Add file ...”

  7. Browse to the location of the PowerShell script -> When Prompted, allow to automatically fill in Hash value,

  8. Click on Hash Condition to confirm Value has been set -> If desired, change algorithm to setting of choice

  9. Select “Run with elevated privileges” -> NEXT

  10. Rename and set Item Level Targeting if required -> FINISH
  • 906
  • 10-May-2020
  • 316 Views