Can I use the Win32 Network Extender to deny permissions to a registry key? If not, what is the next "best" method?
Please see the documentation for the wntAccessAdd Network extender function in the Consolidated WIL Help file.
I'll look again, but I did a search and never found the word 'deny'. Maybe this time, I'll just read the whole thing.
Aha! It looks like the Access Denied ACE Type is the solution to all of my woes.
Nuts. Apparently, denying Set Value, Delete, and Write Owner is enough to keep RegOpenKey from being able to open the key.
I'm starting to think that I'm being a little Draconian and maybe I should just set this key via Group Policy.
Please review the RegOpenKeyEx function in the Consolidated WIL Help file. It allows you to open a key with only specified permissions.
It would also be helpful to know some more details, such as...
What registry key?
What GPO setting is associated with it?
Are you trying to prevent the key from being modified, or from being accessed at all, even for read-only access?
What access mask did you use with an access-denied ACE, and what SID/account did you deny access to?
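The behaviour discussed in this thread, as an added example that is not part of the original posts and is not WinBatch code: a simplified Python model of how Windows evaluates a key's DACL against the access mask an open call requests. The account name, the DACL contents, and the idea that a plain open asks for `KEY_ALL_ACCESS` are assumptions made for illustration; the access-right values are the documented `winnt.h` constants.

```python
# Simplified model of the Windows DACL check for a registry key (added example).
KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY = 0x0001, 0x0002, 0x0004
KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, KEY_CREATE_LINK = 0x0008, 0x0010, 0x0020
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000

KEY_READ = READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_ALL_ACCESS = 0xF003F  # all ten rights above combined

NAMES = {KEY_QUERY_VALUE: "Query Value", KEY_SET_VALUE: "Set Value",
         KEY_CREATE_SUB_KEY: "Create Subkey", KEY_ENUMERATE_SUB_KEYS: "Enumerate Subkeys",
         KEY_NOTIFY: "Notify", KEY_CREATE_LINK: "Create Link", DELETE: "Delete",
         READ_CONTROL: "Read Control", WRITE_DAC: "Write DAC", WRITE_OWNER: "Write Owner"}


def access_check(dacl, token_sids, desired):
    """Walk the ACEs in order. Returns (granted, blocking_bits).

    A deny ACE that covers ANY still-ungranted requested bit fails the whole
    open; an allow ACE removes the bits it grants from the outstanding set.
    """
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "deny" and remaining & mask:
            return False, remaining & mask
        if ace_type == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True, 0
    return remaining == 0, remaining  # bits no ACE granted are implicitly denied


def describe(mask):
    """Names of the rights set in mask, lowest bit first."""
    return [name for bit, name in sorted(NAMES.items()) if mask & bit]


# Constructed DACL: deny ACE first (canonical order), then a broad allow.
DACL = [("deny", "EXAMPLE\\Users", KEY_SET_VALUE | DELETE | WRITE_OWNER),
        ("allow", "EXAMPLE\\Users", KEY_ALL_ACCESS)]
TOKEN = {"EXAMPLE\\Users"}

if __name__ == "__main__":
    for label, desired in [("KEY_ALL_ACCESS", KEY_ALL_ACCESS), ("KEY_READ", KEY_READ)]:
        ok, blocked = access_check(DACL, TOKEN, desired)
        print(label, "granted" if ok else "denied by " + ", ".join(describe(blocked)))
```

An open that requests only `KEY_READ` never touches the denied bits, which is why specifying the access mask explicitly lets the key be opened while the deny ACE still blocks modification.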