I’m trying to find the database size of a DC, which is located in the NTDS service. My script is:

```powershell
$Computer = "abe.com"
# Open HKLM on the remote machine (this goes through the Remote Registry service)
$Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
$RegKey = $Reg.OpenSubKey("SYSTEM\\CurrentControlSet\\services\\NTDS\\Parameters")
$NTDSPath = $Regkey.GetValue("DSA Database file")
# Turn the local path (C:\...) into an administrative-share UNC path (\\host\C$\...)
$NTDSREMOTEPath = "\\$computer\$NTDSPath" -replace ":","$"
$NTDSREMOTEPath = Get-item $NTDSREMOTEPath | Select-Object -ExpandProperty Length
($NTDSREMOTEPath /1GB).ToString("0.000"+" GB")
```
After running this I got an error:
```
Exception calling "OpenSubKey" with "1" argument(s): "Requested registry access is not allowed."
At C:\Users\Documents\HealthCheck\hardwareMonitoring.ps1:40 char:1
+ $RegKey= $Reg.OpenSubKey("SYSTEM\\CurrentControlSet\\services\\NTDS\\Parameters" ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SecurityException

You cannot call a method on a null-valued expression.
At C:\Users\Documents\HealthCheck\hardwareMonitoring.ps1:41 char:1
+ $NTDSPath = $Regkey.GetValue("DSA Database file")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Get-item : Cannot find path '\\abc.com\' because it does not exist.
At C:\Users\Documents\HealthCheck\hardwareMonitoring.ps1:43 char:19
+ $NTDSREMOTEPath = Get-item $NTDSREMOTEPath | Select-Object -ExpandProperty Lengt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (\\abc.com\:String) [Get-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemCommand
```
I realized that my account does not have enough permission to query this path from regedit: SYSTEM\\CurrentControlSet\\services\\NTDS\\Parameters. I decided to log in to “abc.com” and added my account with full control and read rights. What I did was right-click on Parameter, choose Permissions, and add my account. I came back to run the script again. I got the same error!
It works with Admin account by the way. I want to execute the query without using a domain admin account.
What’s the reason in this case? Thank you so much!
Answer
Step 1.
Assigning Permissions to a Registry Key
- Click the key that you want to assign permissions.
- On the Edit menu, click Permissions.
- Click the group or user name that you want to work with.
- Assign one of the following access levels to the key:
  - Select the Allow check box for Read to give permission to read the key contents, but not save any changes.
  - Select the Allow check box for Full Control to give permission to open, edit, and take ownership of the key.
- To grant special permission in the key, click Advanced, and then double-click the user or group that you want to assign special access. Under Permissions, select the Allow or the Deny check box for each permission you want to allow or deny.
Step 2.
Windows Server 2003 Domain Controller
- Open the Group Policy editor
- Navigate to Local Computer Policy > Computer Configuration > Policies > Windows Settings > Security Settings > System Services
- In the right hand pane locate Remote Registry
- Define the policy, and set the Startup type to Automatic
- Reboot the clients to apply the policy
Windows Server 2008 or newer Domain Controller
- Open the Group Policy editor
- Expand Computer Configuration > Policies > Windows Settings > Security Settings > System Services
- Find the Remote Registry item and change the Service startup mode to Automatic
- Reboot the clients to apply the policy
Step 3.
Open Local Group Policy Editor
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Properties of Network access: Remotely accessible registry paths and sub-paths -> on the Local Policies Setting tab, add the registry sub-paths that you wish to query
For example: System\CurrentControlSet\Control\ContentIndex
Attribution
Source : Link , Question Author : Ender , Answer Author : Ender
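
A read-only audit of the three settings the answer walks through, as an added example that is not part of the original question or answer; run it locally on the domain controller in an elevated session. The function name and the account `EXAMPLE\healthcheck` are assumptions, and `SecurePipeServers\winreg\AllowedPaths` is the registry location where Windows stores the Step 3 policy list.

```powershell
# Added example: read-only check of Steps 1-3, run locally on the DC (elevated).
# 'EXAMPLE\healthcheck' is a placeholder for the non-admin monitoring account.
function Test-RemoteRegistryReadiness {
    param(
        [string]$Account = 'EXAMPLE\healthcheck',
        [string]$SubKey  = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    )
    $readKey = [int][System.Security.AccessControl.RegistryRights]::ReadKey

    # Step 1: Allow ACEs on the key that name the account directly.
    # Access granted through group membership, and Deny ACEs, are not resolved here.
    $granted = 0
    (Get-Acl -Path "HKLM:\$SubKey").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and
                       $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $granted = $granted -bor [int]$_.RegistryRights }

    # Step 2: the Remote Registry service must be startable and running.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"

    # Step 3: "Network access: Remotely accessible registry paths and sub-paths"
    # is stored as the multi-string value 'Machine' under winreg\AllowedPaths.
    $policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'
    $allowed = @((Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).Machine)
    $listed = [bool]($allowed | Where-Object {
        $_ -and $SubKey.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
    })

    [pscustomobject]@{
        Account             = $Account
        KeyReadAllowed      = (($granted -band $readKey) -eq $readKey)
        # True when the grant exceeds read, e.g. Full Control on a DC key
        KeyRightsBeyondRead = (($granted -band (-bnot $readKey)) -ne 0)
        RemoteRegistryStart = $svc.StartMode
        RemoteRegistryState = $svc.State
        PathInAllowedPaths  = $listed
    }
}

Test-RemoteRegistryReadiness | Format-List
```

If `KeyRightsBeyondRead` is true, the grant can be reduced to Read, which is all that `OpenSubKey` and `GetValue` need. The script in the question also reads the file through the `C$` administrative share, which is a separate access check from the registry settings audited here.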