Active Directory: Registry Setting configuration question

As recommended in a previous post that I made - http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21119617.html, I disabled the user policy in an OU GPO [ABC-Local-Computers-OU].

Now that I did that, when I execute GPRESULT on a PC that is in the ABC-Local-Computers-OU, I see that the computer received "Registry" settings from the Default Domain Policy.

When I'm logged onto the same PC as a local Admin, configured by the restricted groups policy, and try to install an application, I received a message that the registry couldn't be written to.  The same application installs properly when I log on as 'Administrator', which is also configured by the restricted groups policy.

Question: Am I configuring the GPOs incorrectly?

I've included my OU structure below, as well as the GPRESULT output.

Please advise.

Thanks!

Here's the structure to my GPOs/OUs, etc.

ABC.COM - domain  - default domain policy (only policy used) - small company; allows users to changed date/time in GPO
   ABC-Local-Computers-OU [restricted groups policy set, as well as allowing the date/time change]
      Computer-1  [all computers that need to have local admin rights]
      Computer-2
            :
   ABC-Department-OU
        ABC-Local-Admin-Grp [members consist of some accounting users, etc. and the test user]
        ABC-Accounting-OU
             ABC-Acct-Grp [members consist of accounting users]
                 acct_user
        ABC-Credit-OU
             ABC-Credit-Grp
                  credit_user
                   :
        ABC-Test-OU  - for testing purposes, I created a GPO with only the restricted groups policy set
             ABC-Test-Grp [only member is test_user]
                  test_user

  Computers [the container that's setup when AD is installed]
     All other domain computers are here including servers


Here's the computer group policy printed from GPRESULT:

###############################################################

  Computer Group Policy results for:

  CN=OP-02,OU=ABC-Local-Admin-Computers,DC=ABC-OPS,DC=com

  Domain Name:          ABC-OPS
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

        BUILTIN\Administrators
        \Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        ABC-OPS\OP-02$
        ABC-OPS\Domain Computers

###############################################################

Last time Group Policy was applied: Tuesday, September 07, 2004 at 7:03:58 AM
Group Policy was applied from: ad-srvr.ABC-OPS.COM


===============================================================


The computer received "Registry" settings from these GPOs:

        Local Group Policy
        Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
        ABC-Local-Admin-Computers Group Policy Object


===============================================================
The computer received "EFS recovery" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
halfondjAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
jdeclueConnect With a Mentor Commented:
Log in as the local administrator, open the Computer Management and view the Administrators Group in Local Users and Groups. Verify that the group is listed in there as Domainname\Groupname, should be this way in the policy as well. Is it possible that you put in the name without the domain name, thereby creating a local group with no members?

J
0
 
jdeclueCommented:
When you say log on as a local admin, do you mean, as a user in the group added through the restricted policy?

J
0
 
oBdAConnect With a Mentor Commented:
You can run gpresult with the switches /v (verbose) or even /s (super verbose), which sould tell you a bit more about which settings are applied.
Does that yield anything useful?
0
[Webinar] Kill tickets & tabs using PowerShell

Are you tired of cycling through the same browser tabs everyday to close the same repetitive tickets? In this webinar JumpCloud will show how you can leverage RESTful APIs to build your own PowerShell modules to kill tickets & tabs using the PowerShell command Invoke-RestMethod.

 
halfondjAuthor Commented:
To jdeclue: Yes.  Exactly like you advised me to do in my past postings you answered :).

To oBdA: Thanks for the suggestion.  I will have to try it and let you know the results.
0
 
halfondjAuthor Commented:
To jdeclue:  Once again I want to thank you for your replies.  By doing what you recommended in your previous post, it showed me what my problem was.  I omitted a group from the 'Restricted Groups' that contained the userid that I was logging onto the PC with.  Having made this mistake, I am continuing to get a better idea to how Restricted Groups work.

Since oBdA informed me of the switches for the GPRESULT application, which also assisted in finding my problem, I would like to increase the points and split them.

Thanks.
0
 
jdeclueCommented:
Thank you sir... glad to help ;)

J
0
All Courses

From novice to tech pro — start learning today.