I’m trying to find the database size of a DC, which is located in the NTDS service. My script is:

```powershell
$Computer = "abe.com"

# Open HKLM on the remote machine and read the NTDS parameters key
$Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
$RegKey = $Reg.OpenSubKey("SYSTEM\CurrentControlSet\services\NTDS\Parameters")
$NTDSPath = $RegKey.GetValue("DSA Database file")

# Turn the local path (C:\...) into an admin-share UNC path (\\host\C$\...)
$NTDSREMOTEPath = "\\$Computer\$NTDSPath" -replace ":","$"

# Read the file size and print it in GB
$NTDSREMOTEPath = Get-Item $NTDSREMOTEPath | Select-Object -ExpandProperty Length
($NTDSREMOTEPath / 1GB).ToString("0.000" + " GB")
```
After running this I got an error:
```
Exception calling "OpenSubKey" with "1" argument(s): "Requested registry access is not allowed."
At C:\Users\Documents\HealthCheck\hardwareMonitoring.ps1:40 char:1
+ $RegKey= $Reg.OpenSubKey("SYSTEM\CurrentControlSet\services\NTDS\Parameters" ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SecurityException

You cannot call a method on a null-valued expression.
At C:\Users\Documents\HealthCheck\hardwareMonitoring.ps1:41 char:1
+ $NTDSPath = $Regkey.GetValue("DSA Database file")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Get-item : Cannot find path '\abc.com\' because it does not exist.
At C:\Users\Documents\HealthCheck\hardwareMonitoring.ps1:43 char:19
+ $NTDSREMOTEPath = Get-item $NTDSREMOTEPath | Select-Object -ExpandProperty Lengt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (\abc.com\:String) [Get-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemCommand
```
I realized that my account does not have enough permission to query this path from regedit: SYSTEM\CurrentControlSet\services\NTDS\Parameters.
I decided to log in to “abc.com” and added my account with full control and read rights. What I did was right-click on Parameter, choose permissions, and add my account in.
I came back to run the script again. I got the same error!
It works with an Admin account, by the way. I want to execute the query without using a domain admin account.
What’s the reason in this case? Thank you so much!