To facilitate remote troubleshooting, I want to give Help desk administrators network access to the registries of Windows NT 4.0 user workstations. How can I set up this access so that only Help desk administrators have this privilege? (In my organization, Help desk administrators aren't members of the built-in NT Administrators group.)
The key to your problem is the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipe\ access control settings on this subkey determine who can remotely access a machine's registry. By default, the subkey is set to let only administrators connect remotely. In your case, you need to add a Help Desk Administrator group to the Winreg ACL. If you delete the Winreg subkey, anyone can remotely connect to the registry. Note that the level of access you grant someone to the Winreg subkey doesn't matter—you just need to list the user. Being listed in Winreg's ACL means that you can connect remotely. For more information about the Winreg subkey, see the Microsoft article "Clarification of Winreg Operation in Windows NT" (http://support.microsoft.com/support/kb/articles/q186/ 4/33.asp).
By default, the Winreg ACL settings are applicable for remote access to all registry subkeys with one exception. The registry paths listed in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\ winreg\AllowedPaths\Machine registry subkey are exempt. Thus, anyone having the appropriate access level can remotely access them.
Although you might have remote registry access, individual ACLs on registry subkeys can still keep you from getting to the registry subkeys. Before the system grants or denies a remote user access to a registry subkey, the NT security system evaluates both the Winreg and individual registry subkey ACLs. The Winreg ACL governs whether you can connect remotely; the ACL of the subkey governs what you can do to the subkey. Remember that the system doesn't evaluate the registry subkeys in the AllowedPaths subkey: In this case, only the registry subkey's proper ACLs apply.