<#====================================================================

Copyright © 2015, September. Michael Pomfret

Creates the Machine Translation Service

The following updates the administrators file permissions.

====================================================================#>

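# Console banner. The message names what the script changes (registry key
# permissions) and who receives the rights (the WSS_ADMIN_WPG group), so that
# console output or a transcript records the change accurately.
Write-Host ""
Write-Host "=============================================================================="
Write-Host "SharePoint 2013 – Updating registry permissions for the WSS_ADMIN_WPG group…"
Write-Host "=============================================================================="
Write-Host ""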

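#Windows Registry resources & permissions

#WSS_ADMIN_WPG

#WSS_ADMIN_WPG has read and write access to local resources. The application pool accounts for the Central Administration and Timer services are in WSS_ADMIN_WPG. The table below lists each registry key this script changes and the rights it grants to WSS_ADMIN_WPG.

# Run from an elevated session: changing the ACL of a key under HKLM requires
# permission to write that key's DACL.
#
# How the two flag values combine in a RegistryAccessRule:
#   ContainerInherit + NoPropagateInherit -> the key and its immediate subkeys only
#   ContainerInherit + None               -> the key and every subkey below it
#   None             + None               -> the key only
#
# NOTE(review): several entries carry a "No Inheritance" description but are
# applied with ContainerInherit, so the grant reaches subkeys as well. The flag
# values are kept exactly as the script has always applied them; each mismatch
# is marked on the entry so it can be confirmed against the intended
# least-privilege baseline before anything is tightened.

# Every rule is an Allow rule for the same group.
$person = [System.Security.Principal.NTAccount]'WSS_ADMIN_WPG'
$type = [System.Security.AccessControl.AccessControlType]'Allow'

$registryGrants = @(
    #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS
    # FullControl Inherit – Not Applicable
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS'
       Rights = 'FullControl'; Inheritance = 'ContainerInherit'; Propagation = 'NoPropagateInherit' },

    #HKEY_LOCAL_MACHINE\Software\Microsoft\Office\15.0\Registration\{90150000-110D-0000-1000-0000000FF1CE}
    # Read, write Inherit – Not Applicable
    @{ Path = 'HKLM:\Software\Microsoft\Office\15.0\Registration\{90150000-110D-0000-1000-0000000FF1CE}'
       Rights = 'ReadKey, WriteKey'; Inheritance = 'ContainerInherit'; Propagation = 'NoPropagateInherit' },

    #HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server
    # Read, No Inheritance
    # NOTE(review): described as not inherited, but the flags extend Read to immediate subkeys.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Office Server'
       Rights = 'Readkey'; Inheritance = 'ContainerInherit'; Propagation = 'NoPropagateInherit' },

    #HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\15.0
    # Full control No Inheritance
    # This key is the root of the SharePoint 2013 registry settings.
    # NOTE(review): described as not inherited, but ContainerInherit with
    # propagation None gives Full control on every subkey under this root.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Office Server\15.0'
       Rights = 'FullControl'; Inheritance = 'ContainerInherit'; Propagation = 'None' },

    #HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\15.0\LoadBalancerSettings
    # Read, write, No Inheritance
    # This key contains settings for the document conversion service. Altering this key will break document conversion functionality.
    # NOTE(review): described as not inherited, but the flags extend the grant to immediate subkeys.
    @{ Path = 'HKLM:\Software\Microsoft\Office Server\15.0\LoadBalancerSettings'
       Rights = 'ReadKey, WriteKey'; Inheritance = 'ContainerInherit'; Propagation = 'NoPropagateInherit' },

    #HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\15.0\LauncherSettings
    # Read, write, No Inheritance
    # This key contains settings for the document conversion service. Altering this key will break document conversion functionality.
    # NOTE(review): described as not inherited, but the flags extend the grant to immediate subkeys.
    @{ Path = 'HKLM:\Software\Microsoft\Office Server\15.0\LauncherSettings'
       Rights = 'ReadKey, WriteKey'; Inheritance = 'ContainerInherit'; Propagation = 'NoPropagateInherit' },

    # HKLM:\Software\Microsoft\Office Server\15.0\Search
    # Full control Inherit – Not Applicable
    # Applied to this key only (no inheritance flags).
    @{ Path = 'HKLM:\Software\Microsoft\Office Server\15.0\Search'
       Rights = 'FullControl'; Inheritance = 'None'; Propagation = 'None' },

    #HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\Search
    # Full control Inherit – Not Applicable
    # Applied to this key only (no inheritance flags).
    @{ Path = 'HKLM:\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\Search'
       Rights = 'FullControl'; Inheritance = 'None'; Propagation = 'None' },

    #HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure
    # Full control No Inheritance
    # NOTE(review): described as not inherited, but the flags extend Full control to immediate subkeys.
    @{ Path = 'HKLM:\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure'
       Rights = 'FullControl'; Inheritance = 'ContainerInherit'; Propagation = 'NoPropagateInherit' },

    #HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\WSS
    # Full control Inherit
    #This key contains settings used during setup. If this key is altered, diagnostic logging may fail and setup or post-setup configuration may fail.
    # NOTE(review): described as inherited, but NoPropagateInherit stops the grant at immediate subkeys.
    @{ Path = 'HKLM:\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\WSS'
       Rights = 'FullControl'; Inheritance = 'ContainerInherit'; Propagation = 'NoPropagateInherit' }
)

foreach ($grant in $registryGrants) {
    $RegKey = $grant.Path

    try {
        $access = [System.Security.AccessControl.RegistryRights]$grant.Rights
        $inheritance = [System.Security.AccessControl.InheritanceFlags]$grant.Inheritance
        $propagation = [System.Security.AccessControl.PropagationFlags]$grant.Propagation
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($person,$access,$inheritance,$propagation,$type)

        # -ErrorAction Stop: if the key cannot be read, skip it. Without this,
        # $acl would still hold the previous key's security descriptor and the
        # Set-Acl below would try to write that descriptor onto this key.
        $acl = Get-Acl -Path $RegKey -ErrorAction Stop

        # ResetAccessRule first removes every explicit rule already present for
        # WSS_ADMIN_WPG on the key (Allow and Deny alike) and then adds $rule,
        # so any explicit Deny for the group on this key is discarded.
        $acl.ResetAccessRule($rule)

        Set-Acl -Path $RegKey -AclObject $acl -ErrorAction Stop
    }
    catch {
        # Report the failure and continue with the remaining keys.
        Write-Warning ('Could not update permissions on {0}: {1}' -f $RegKey, $_.Exception.Message)
    }
}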