Windows Server Forum / Windows 2000 / Registry / March 2006

Visual Studio 6, problem setting registry ACL

Richard M. Hartman - 24 Mar 2006 01:08 GMT
Trying to set permissions on a directory tree to cut off write access to
everyone except a designated privileged account.  Having problem with Power
User.  Even though the top level key blocks off write access to Power User
group, the sub-keys can still be written to by that group.  The top level
key is cutting off inheritance from above, and it has the proper
permissions.  Keys below it inherit from it ... but also show write access
by the Power Users group (apparently inherited from thin air) when you look
at the security permissions.  The code we are using is below.  I am hoping
somebody can tell me what we are doing wrong.  The key we are setting is
HKLM/Software/YourCompanyNameHere.

#include <windows.h>
#include <aclapi.h>
#include <stdio.h>

// CSid, CTrustee, CExplicitAccess, CAcl, CSecurityDescriptor, PrintEA, PrintPACL,
// MAX_DACL_LEN, VERBOSE and DIAG are the poster's own wrappers and helpers; they
// are not shown in the post and are assumed to come from a header included here.

void SecureRegistry(LPCTSTR szKeyName, LPCTSTR pszAccount)
{
    // printf("special account=%s\n", (pszAccount==NULL?"none":pszAccount));

    // These groups will have READ access
    CSid sidEveryone(CSid::WST_EVERYONE);
    CSid sidLocalUsers(CSid::WST_LOCALUSERS);
    CSid sidPowerUsers(CSid::WST_LOCALPOWERUSERS);

    // These groups will have FULL access
    CSid sidAdmins(CSid::WST_LOCALADMINS);
    CSid sidLocalSystem(CSid::WST_LOCALSYSTEM);
    CSid sidCreatorOwner(CSid::WST_CREATOROWNER);

    CTrustee trEveryone(TRUSTEE_IS_GROUP, sidEveryone);
    CTrustee trLocalUsers(TRUSTEE_IS_GROUP, sidLocalUsers);
    CTrustee trPowerUsers(TRUSTEE_IS_GROUP, sidPowerUsers);

    CTrustee trAdmins(TRUSTEE_IS_GROUP, sidAdmins);
    CTrustee trLocalSystem(TRUSTEE_IS_GROUP, sidLocalSystem);
    CTrustee trCreatorOwner(TRUSTEE_IS_GROUP, sidCreatorOwner);

    CTrustee trSpecialAccount(TRUSTEE_IS_USER, pszAccount);

    EXPLICIT_ACCESS ea[MAX_DACL_LEN];

    // Every ACE is marked inheritable by subkeys (CONTAINER_INHERIT_ACE).
    DWORD dwInherit = SUB_CONTAINERS_AND_OBJECTS_INHERIT;

    int iCount = 0;
    ea[iCount++] = CExplicitAccess(KEY_READ, SET_ACCESS, dwInherit, trEveryone);
    ea[iCount++] = CExplicitAccess(KEY_READ, SET_ACCESS, dwInherit, trLocalUsers);
    ea[iCount++] = CExplicitAccess(KEY_READ, SET_ACCESS, dwInherit, trPowerUsers);

    ea[iCount++] = CExplicitAccess(KEY_ALL_ACCESS, SET_ACCESS, dwInherit, trAdmins);
    ea[iCount++] = CExplicitAccess(KEY_ALL_ACCESS, SET_ACCESS, dwInherit, trLocalSystem);
    ea[iCount++] = CExplicitAccess(KEY_ALL_ACCESS, SET_ACCESS, dwInherit, trCreatorOwner);

    if (pszAccount) {
        ea[iCount++] = CExplicitAccess(KEY_ALL_ACCESS, SET_ACCESS, dwInherit, trSpecialAccount);
    }

    int ii;   // declared outside the loop: VC6 leaks for-scope variables
    printf("the EA we created\n");
    printf("ea has %d entries\n", iCount);
    for (ii = 0; ii < iCount; ii++) {
        if (VERBOSE) printf("\nea[%d]:", ii);
        PrintEA(ea[ii], VERBOSE);
    }

    // Create a new ACL and set the EA entries in it
    CAcl acl;
    if (acl.SetEntriesInAcl(iCount, ea) == ERROR_SUCCESS)
    {
        // Initialize a security descriptor and add our ACL to it
        CSecurityDescriptor sd;
        BOOL bIsPresent = FALSE;
        BOOL bIsDefaulted = FALSE;
        PACL oldDacl = NULL;

#if DIAG
        printf("the ACL we created\n");
        PrintPACL(acl, VERBOSE); // test by printing the one we created first
#endif

        bIsPresent = FALSE;
        sd.GetSecurityDescriptorDacl(&bIsPresent, &oldDacl, &bIsDefaulted);

#if DIAG
        if (bIsPresent) {
            printf("\nthe ACL initialized by the sd\n");
            printf("initial descriptor defaulted? %s\n", bIsDefaulted ? "true" : "false");
            PrintPACL(oldDacl, VERBOSE);
        }
#endif

        // Sets SE_DACL_PRESENT only. Nothing here sets SE_DACL_PROTECTED on the
        // descriptor, so the descriptor itself does not mark the key as blocking
        // inheritance from its parent.
        if (sd.SetSecurityDescriptorDacl(TRUE, acl, FALSE))
        {
            HKEY hkey;

            bIsPresent = FALSE;
            sd.GetSecurityDescriptorDacl(&bIsPresent, &oldDacl, &bIsDefaulted);

#if DIAG
            if (bIsPresent) {
                printf("\nthe sd ACL modified by our ACL\n");
                printf("initial descriptor defaulted? %s\n", bIsDefaulted ? "true" : "false");
                PrintPACL(oldDacl, VERBOSE);
            }
#endif

            printf("open key %s\n", szKeyName);
            if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, szKeyName, 0, KEY_ALL_ACCESS, &hkey) == ERROR_SUCCESS)
            {
                // 4 KB DWORD-aligned buffer for the key's self-relative descriptor
                unsigned long buf[1024];
                DWORD bufsize = sizeof(buf);
                if (::RegGetKeySecurity(hkey, DACL_SECURITY_INFORMATION, &buf[0], &bufsize) == ERROR_SUCCESS) {
                    PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) buf;
                    bIsPresent = FALSE;
                    GetSecurityDescriptorDacl(psd, &bIsPresent, &oldDacl, &bIsDefaulted);

#if DIAG
                    if (bIsPresent) {
                        printf("\nthe original key sd ACL\n");
                        printf("initial descriptor defaulted? %s\n", bIsDefaulted ? "true" : "false");
                        PrintPACL(oldDacl, VERBOSE);
                    }
#endif
                }

                // Low-level call: writes the DACL of this one key only. It does not
                // propagate the inheritable ACEs to subkeys that already exist
                // (SetNamedSecurityInfo / SetSecurityInfo do), so existing subkeys
                // keep whatever ACEs they already carry.
                LONG lRes = RegSetKeySecurity(hkey, DACL_SECURITY_INFORMATION, sd);
                if (lRes != ERROR_SUCCESS) {
                    printf("RegSetKeySecurity failed: %ld\n", lRes);
                }

                bufsize = sizeof(buf);
                if (::RegGetKeySecurity(hkey, DACL_SECURITY_INFORMATION, &buf[0], &bufsize) == ERROR_SUCCESS) {
                    PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) buf;
                    bIsPresent = FALSE;
                    GetSecurityDescriptorDacl(psd, &bIsPresent, &oldDacl, &bIsDefaulted);

#if DIAG
                    if (bIsPresent) {
                        printf("\nthe key sd ACL modified by our ACL\n");
                        printf("initial descriptor defaulted? %s\n", bIsDefaulted ? "true" : "false");
                        PrintPACL(oldDacl, VERBOSE);
                    }
#endif
                }

                RegCloseKey(hkey);
            }
        }
    }
}

-Richard M. Hartman
hartman@onetouch.com

186,000 mi/sec: not just a good idea, it's the LAW!
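Added example (the editor's, not the poster's code, and written as PowerShell rather than the post's C++): it applies the same DACL the post describes but with the two things the posted routine lacks. First, the DACL is flagged protected (SE_DACL_PROTECTED in Win32 terms), so the parent's inheritable ACEs cannot flow down; on Windows 2000 the default DACL on HKLM\SOFTWARE grants Power Users more than read, which is where "write access inherited from thin air" on the subkeys comes from. Second, the descriptor is written through a path that propagates inheritable ACEs to subkeys that already exist, which RegSetKeySecurity never does; the Win32 equivalent for the posted code is SetNamedSecurityInfo with SE_REGISTRY_KEY, a "MACHINE\Software\..." object name and DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION. It then checks the whole subtree for any remaining write-type grant to Power Users. Assumptions: an elevated PowerShell session on a current Windows host, the key from the post already existing, and a placeholder account name in $Owner for the designated privileged account.

```powershell
# Added example (editor's, not the poster's code). Assumes an elevated PowerShell
# session, an existing key, and a placeholder account name in $Owner.
$KeyPath = 'HKLM:\SOFTWARE\YourCompanyNameHere'      # key named in the post
$Owner   = 'YOURDOMAIN\svc_regwriter'                # assumed account name
$Readers = @('Everyone', 'BUILTIN\Users', 'BUILTIN\Power Users')
$Writers = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER', $Owner)

$ContainerInherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$NoPropagation    = [System.Security.AccessControl.PropagationFlags]::None
$Allow            = [System.Security.AccessControl.AccessControlType]::Allow

# One inheritable Allow ACE (CONTAINER_INHERIT_ACE in Win32 terms) for a trustee.
function New-RegRule([string]$Identity, [System.Security.AccessControl.RegistryRights]$Rights) {
    New-Object System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $Identity, $Rights, $ContainerInherit, $NoPropagation, $Allow
}

# Build the DACL the post describes, but flagged protected (SE_DACL_PROTECTED).
# SetAccessRuleProtection($true, $false) blocks inheritance from HKLM\SOFTWARE and
# drops whatever was inherited from it, then the explicit entries are replaced.
$Sec = Get-Acl -Path $KeyPath
$Sec.SetAccessRuleProtection($true, $false)
foreach ($rule in @($Sec.Access)) { [void]$Sec.RemoveAccessRule($rule) }
foreach ($id in $Readers) { $Sec.AddAccessRule((New-RegRule $id 'ReadKey')) }
foreach ($id in $Writers) { $Sec.AddAccessRule((New-RegRule $id 'FullControl')) }

# Set-Acl persists via RegistryKey.SetAccessControl, i.e. the Win32
# SetSecurityInfo path, which (unlike RegSetKeySecurity) propagates the
# inheritable ACEs to subkeys that already exist. Only the DACL section is
# written, because that is the only section modified above.
Set-Acl -Path $KeyPath -AclObject $Sec

# Reset any subkey that still carries explicit ACEs of its own so it holds only
# what it inherits from $KeyPath. Its DACL is deliberately left unprotected.
foreach ($sub in Get-ChildItem -Path $KeyPath -Recurse) {
    $subSec   = Get-Acl -Path $sub.PSPath
    $explicit = @($subSec.Access | Where-Object { -not $_.IsInherited })
    if ($explicit.Count -eq 0) { continue }
    $subSec.SetAccessRuleProtection($false, $false)
    foreach ($rule in $explicit) { [void]$subSec.RemoveAccessRule($rule) }
    Set-Acl -Path $sub.PSPath -AclObject $subSec
}

# Verification: every Allow ACE in the tree that still gives $Group a write-type
# right. Empty output means the tree is read-only for that group.
function Get-WriteGrants([string]$Root, [string]$Group) {
    $writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $found = @()
    foreach ($key in @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse)) {
        foreach ($ace in (Get-Acl -Path $key.PSPath).Access) {
            if ($ace.AccessControlType -eq $Allow -and
                $ace.IdentityReference.Value -eq $Group -and
                (([int]$ace.RegistryRights) -band $writeMask) -ne 0) {
                $found += "$($key.Name): $($ace.RegistryRights) inherited=$($ace.IsInherited)"
            }
        }
    }
    return $found
}

Get-WriteGrants -Root $KeyPath -Group 'BUILTIN\Power Users'
```

The subtree loop is belt and braces: propagation from the top key should already have rewritten each subkey's inherited ACEs, and the loop only touches subkeys that still have explicit entries of their own. Get-WriteGrants is the check to run before and after; before the change it should list the Power Users entries on each subkey with inherited=True, after it the list should be empty.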

Dave Patrick - 24 Mar 2006 01:25 GMT
Try asking them here. vc.language

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

©2009 Advenet LLC   Privacy Policy - Terms of Use