We attempted to configure the permissions of a Registry key (HKLM\Software) via GPO. (https://www.stigviewer.com/stig/windows_server_2019/2019-12-12/finding/V-93025)
However this resulted in a necessary "Capability SID" (https://answers.microsoft.com/en-us/windows/forum/all/what-the-heck-account-unknowns-1-15-3-1024/65852c0e-d185-4eef-abfb-967263519cc0?page=2) being removed from the permissions.
Unfortunately there's no way to manually add a SID via the GPMC GP Editor. You must search for an existing user, but "Capability SIDs" have no user mapping by design.
Is there a way to get this SID back in the registry permissions via Domain GPO?
So unfortunately there's no way to directly add a SID to GPO via GPMC.
There also seems to be no way to directly modify a GPO's security settings using PowerShell, icacls, or other tools.
You can however generate a "Security Template" using the "Security Templates" Snap-In. Then you can modify the SDDL entries in the inf file created with the necessary information. Once you've got a good Template, you can import it into your GPO.
Get the appropriate ACE from a working system:
(A;CI;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)
is the part that I needed. Now I can create a template:
Then I can edit the inf file created to add the ACE into the SDDL:
Save the Inf file, then import it to your GPO:
Voila!
BONUS INFO:
"Write DAC" (Regedit) is the same as "Change Permissions" (GPMC) and "Read Control" (Regedit) is the same as "Read Permissions" (GPMC)
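As an added example (not part of the original answer, and not Microsoft tooling), the PowerShell below does the three things the procedure above needs: pull the capability-SID ACEs out of HKLM\SOFTWARE on a known-good machine, splice such an ACE into the `[Registry Keys]` line of a security template .inf, and verify after the GPO applies that the ACE is actually present on a target. Function names, the `$SampleTemplateLine` value and the inf line layout (`"MACHINE\SOFTWARE",<mode>,"<SDDL>"`) are my assumptions; the capability SID itself is the one quoted in the answer.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1+
# with the Registry provider; all function names here are my own.

# Capability SIDs are issued by the app capability authority, S-1-15-3-*.
$CapabilitySidPrefix = 'S-1-15-3-'

function Get-RegistryKeySddl {
    param([string]$Path = 'HKLM:\SOFTWARE')
    # Get-Acl understands the Registry provider; .Sddl is the full descriptor (O:, G:, D:, S:).
    (Get-Acl -Path $Path).Sddl
}

function Get-DaclAces {
    param([Parameter(Mandatory)][string]$Sddl)
    # Isolate the D: section (stop at the S: SACL marker or end of string; "S-" in a SID is not "S:"),
    # then return each "(...)" ACE as its own string.
    $dacl = if ($Sddl -match 'D:(.*?)(?:S:|$)') { $Matches[1] } else { '' }
    [regex]::Matches($dacl, '\([^)]*\)') | ForEach-Object { $_.Value }
}

function Get-CapabilityAces {
    param([Parameter(Mandatory)][string]$Sddl)
    # ACE layout is (type;flags;rights;object_guid;inherit_guid;sid); field 5 is the trustee SID.
    Get-DaclAces -Sddl $Sddl | Where-Object { (($_ -split ';')[5]) -like "$CapabilitySidPrefix*" }
}

function Add-AceToTemplateLine {
    param(
        [Parameter(Mandatory)][string]$TemplateLine,  # one line from the [Registry Keys] section of the .inf
        [Parameter(Mandatory)][string]$Ace            # e.g. (A;CI;KR;;;S-1-15-3-...)
    )
    # Idempotent: an ACE already in the template is not duplicated.
    if ($TemplateLine.Contains($Ace)) { return $TemplateLine }
    # The SDDL is the last quoted field; append the ACE just before its closing quote.
    $TemplateLine -replace '"$', ($Ace + '"')
}

function Test-RegistryAceTrusteePresent {
    param(
        [string]$Path = 'HKLM:\SOFTWARE',
        [Parameter(Mandatory)][string]$Ace
    )
    # Match on trustee SID rather than the whole ACE string: Get-Acl may render flags in a
    # different order than the template, so exact string comparison gives false negatives.
    $wantSid = (($Ace -split ';')[5]).TrimEnd(')')
    $present = Get-DaclAces -Sddl (Get-RegistryKeySddl -Path $Path) |
        Where-Object { (($_ -split ';')[5]).TrimEnd(')') -eq $wantSid }
    [bool]$present
}

# --- Constructed sample data (labelled as such) ---
# The ACE quoted in the answer above, and a hypothetical template line as produced by
# the Security Templates snap-in (mode 0 = propagate inheritable permissions; assumption).
$CapabilityAce      = '(A;CI;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)'
$SampleTemplateLine = '"MACHINE\SOFTWARE",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"'

# 1. On a known-good machine: list the capability ACEs that the GPO must carry.
Get-CapabilityAces -Sddl (Get-RegistryKeySddl) | ForEach-Object { "known-good ACE: $_" }

# 2. Patch the template line before importing the .inf into the GPO.
$patched = Add-AceToTemplateLine -TemplateLine $SampleTemplateLine -Ace $CapabilityAce
"patched template line: $patched"

# 3. On a target after gpupdate: confirm the capability trustee survived.
"capability trustee present on HKLM\SOFTWARE: $(Test-RegistryAceTrusteePresent -Ace $CapabilityAce)"
```

Two practical notes. The template replaces the key's DACL rather than merging with it, which is exactly why the capability ACE vanished in the question; so step 1 is worth running against every key you template, not just HKLM\SOFTWARE, and any ACE it reports that the template lacks will be stripped on the next refresh. And the check in step 3 deliberately compares trustee SIDs, not whole ACE strings, because Get-Acl and the snap-in can serialise the same ACE with flags in a different order.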