Admin Tip #305: DACL Manager for Windows NT Registry keys



Frank Heyne developed RegDACL, which allows you to query and change the discretionary access control list (DACL) of any Windows NT Registry key. You can of course use NT's built-in RegEdt32 to set registry permissions, but if you need to edit more than a few machines you are faced with a tedious job that is also prone to mistakes. RegDACL lets you perform this job from a batch script. The freeware version 1.1 of RegDACL allows you to define access permissions for the predefined groups Administrators, Everyone, Interactive, Network, System, Creator Owner, User, Authenticated Users, Batch, Local, Service, Anonymous Logon, Domain Administrators, Domain Users and Domain Guests, and in much more detail than RegEdt32 allows. The registered version 2.0 of RegDACL additionally allows you to change permissions for all kinds of user-created local and domain accounts and groups.

The Discretionary Access Control List (DACL) is controlled by the owner of an object and specifies the access particular users or groups can have to that object. With RegDACL you can manage DACLs of Registry keys. If you need to manage DACLs of files or directories on an NTFS volume, you can use CACLS, which comes with NT, or the NT resource kit utility which provides some extended functionality.
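The kind of scripted DACL query described above, as an added example that uses PowerShell's built-in `Get-Acl` rather than RegDACL (it is not code from the original tip or from RegDACL's author). The key paths are constructed sample input; the script reports Allow entries that give broad built-in groups write-type access to a key.

```powershell
# Added example: audit registry key DACLs for write access granted to broad groups.
# Key paths are constructed sample input; replace them with the keys you manage.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

# Well-known SIDs, so the check does not depend on localized group names.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-2'      = 'Network'
    'S-1-5-4'      = 'Interactive'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

# Rights that let a principal modify the key, its values, or its DACL/owner.
$rr = [System.Security.AccessControl.RegistryRights]
$writeMask = [int]($rr::SetValue -bor $rr::CreateSubKey -bor $rr::Delete -bor
                   $rr::ChangePermissions -bor $rr::TakeOwnership)

$findings = foreach ($key in $keys) {
    try {
        $acl = Get-Acl -Path $key -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read DACL of ${key}: $_"
        continue
    }

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadSids.ContainsKey($sid) -and
            ([int]$ace.RegistryRights -band $writeMask)) {
            [pscustomobject]@{
                Key       = $key
                Principal = $broadSids[$sid]
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

ACEs that carry only generic access bits are not matched by this mask, so treat an empty result as "no specific write rights found", not as proof that the key is locked down.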

There is also a Windows 2000 version of the RegDACL utility available.

RegDACL for Windows NT and W2K has one tremendous advantage: its command-line nature allows for automation. RegDACL for Windows NT also has one tremendous disadvantage: it does not work with NT running SP4. This is not a defect in RegDACL but a bug in SP4. Calling GetSecurityInfo() to retrieve a copy of the security descriptor for a registry key handle fails under SP4. See "GetSecurityInfo Fails on SP4 with 87:ERROR_INVALID_PARAMETER". This bug in SP4 is not widely known, but it is critical if you need to automate the setting of registry DACLs.