File and registry permissions after Workgroup migration to Domain
Posted on 2004-08-18
The issue we are having occurs when we add a Windows 2000 workstation to our new domain that was previously a member of workgroup called "WORKGROUP".
After adding the machine to the domain we reboot, login as domain admin, and find that the file/folder permissions on C: have been reset to "Everyone" with full control. Yet standard domain users have trouble writing to files in the windows folder and other locations on the drive.
The registry shows that "RESTRICTED" and "Everyone" objects have read only access to all areas of the registry. This causes users to have problems with software that write settings to the registry, i.e. AutoCAD or any app that writes into HKLM.
To correct this, we have to login as the domain admin, open regedt32 and add "Domain Users" and "Domain Admins" with full control on the registry, or give "Everyone" and "RESTRICTED" at least read/write access to HKLM. Then we reset the permissions on the C: drive to make "domainname\Domain Admins" the owner and set "Domain Admins" with full control and "Domain Users" with Change rights in order to straighten things out.
This is a real headache for our helpdesk and it doesn't seem like we should have to do this just to move over to a domain. We're not sure if it has something to do with Group Policies or what. Any help would be greatly appreciated.