Solved

Active Directory: Registry Setting configuration question

Posted on 2004-09-07
6
135 Views
Last Modified: 2010-04-14
As recommended in a previous post that I made - http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21119617.html, I disabled the user policy in an OU GPO [ABC-Local-Computers-OU].

Now that I did that, when I execute GPRESULT on a PC that is in the ABC-Local-Computers-OU, I see that the computer received "Registry" settings from the Default Domain Policy.

When I'm logged onto the same PC as a local Admin, configured by the restricted groups policy, and try to install an application, I received a message that the registry couldn't be written to.  The same application installs properly when I log on as 'Administrator', which is also configured by the restricted groups policy.

Question: Am I configuring the GPOs incorrectly?

I've included my OU structure below, as well as the GPRESULT output.

Please advise.

Thanks!

Here's the structure to my GPOs/OUs, etc.

ABC.COM - domain  - default domain policy (only policy used) - small company; allows users to changed date/time in GPO
   ABC-Local-Computers-OU [restricted groups policy set, as well as allowing the date/time change]
      Computer-1  [all computers that need to have local admin rights]
      Computer-2
            :
   ABC-Department-OU
        ABC-Local-Admin-Grp [members consist of some accounting users, etc. and the test user]
        ABC-Accounting-OU
             ABC-Acct-Grp [members consist of accounting users]
                 acct_user
        ABC-Credit-OU
             ABC-Credit-Grp
                  credit_user
                   :
        ABC-Test-OU  - for testing purposes, I created a GPO with only the restricted groups policy set
             ABC-Test-Grp [only member is test_user]
                  test_user

  Computers [the container that's setup when AD is installed]
     All other domain computers are here including servers


Here's the computer group policy printed from GPRESULT:

###############################################################

  Computer Group Policy results for:

  CN=OP-02,OU=ABC-Local-Admin-Computers,DC=ABC-OPS,DC=com

  Domain Name:          ABC-OPS
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

        BUILTIN\Administrators
        \Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        ABC-OPS\OP-02$
        ABC-OPS\Domain Computers

###############################################################

Last time Group Policy was applied: Tuesday, September 07, 2004 at 7:03:58 AM
Group Policy was applied from: ad-srvr.ABC-OPS.COM


===============================================================


The computer received "Registry" settings from these GPOs:

        Local Group Policy
        Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
        ABC-Local-Admin-Computers Group Policy Object


===============================================================
The computer received "EFS recovery" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
0
Comment
Question by:halfondj
  • 3
  • 2
6 Comments
 
LVL 9

Expert Comment

by:jdeclue
Comment Utility
When you say log on as a local admin, do you mean, as a user in the group added through the restricted policy?

J
0
 
LVL 82

Assisted Solution

by:oBdA
oBdA earned 250 total points
Comment Utility
You can run gpresult with the switches /v (verbose) or even /s (super verbose), which sould tell you a bit more about which settings are applied.
Does that yield anything useful?
0
 

Author Comment

by:halfondj
Comment Utility
To jdeclue: Yes.  Exactly like you advised me to do in my past postings you answered :).

To oBdA: Thanks for the suggestion.  I will have to try it and let you know the results.
0
Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

 
LVL 9

Accepted Solution

by:
jdeclue earned 250 total points
Comment Utility
Log in as the local administrator, open the Computer Management and view the Administrators Group in Local Users and Groups. Verify that the group is listed in there as Domainname\Groupname, should be this way in the policy as well. Is it possible that you put in the name without the domain name, thereby creating a local group with no members?

J
0
 

Author Comment

by:halfondj
Comment Utility
To jdeclue:  Once again I want to thank you for your replies.  By doing what you recommended in your previous post, it showed me what my problem was.  I omitted a group from the 'Restricted Groups' that contained the userid that I was logging onto the PC with.  Having made this mistake, I am continuing to get a better idea to how Restricted Groups work.

Since oBdA informed me of the switches for the GPRESULT application, which also assisted in finding my problem, I would like to increase the points and split them.

Thanks.
0
 
LVL 9

Expert Comment

by:jdeclue
Comment Utility
Thank you sir... glad to help ;)

J
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
HOW TO: Install and Configure VMware vSphere Hypervisor 6.5 (ESXi 6.5), Step by Step Tutorial with screenshots. From Download, Checking Media, to Completed Installation.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now