Solved

Active Directory: Registry Setting configuration question

Posted on 2004-09-07
Last Modified: 2010-04-14
As recommended in a previous post that I made - http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21119617.html, I disabled the user policy in an OU GPO [ABC-Local-Computers-OU].

Now that I did that, when I execute GPRESULT on a PC that is in the ABC-Local-Computers-OU, I see that the computer received "Registry" settings from the Default Domain Policy.

When I'm logged onto the same PC as a local Admin, configured by the restricted groups policy, and try to install an application, I received a message that the registry couldn't be written to.  The same application installs properly when I log on as 'Administrator', which is also configured by the restricted groups policy.

Question: Am I configuring the GPOs incorrectly?

I've included my OU structure below, as well as the GPRESULT output.

Please advise.

Thanks!

Here's the structure to my GPOs/OUs, etc.

ABC.COM - domain  - default domain policy (only policy used) - small company; allows users to change date/time in GPO
   ABC-Local-Computers-OU [restricted groups policy set, as well as allowing the date/time change]
      Computer-1  [all computers that need to have local admin rights]
      Computer-2
            :
   ABC-Department-OU
        ABC-Local-Admin-Grp [members consist of some accounting users, etc. and the test user]
        ABC-Accounting-OU
             ABC-Acct-Grp [members consist of accounting users]
                 acct_user
        ABC-Credit-OU
             ABC-Credit-Grp
                  credit_user
                   :
        ABC-Test-OU  - for testing purposes, I created a GPO with only the restricted groups policy set
             ABC-Test-Grp [only member is test_user]
                  test_user

  Computers [the container that's set up when AD is installed]
     All other domain computers are here including servers


Here's the computer group policy printed from GPRESULT:

###############################################################

  Computer Group Policy results for:

  CN=OP-02,OU=ABC-Local-Admin-Computers,DC=ABC-OPS,DC=com

  Domain Name:          ABC-OPS
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

        BUILTIN\Administrators
        \Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        ABC-OPS\OP-02$
        ABC-OPS\Domain Computers

###############################################################

Last time Group Policy was applied: Tuesday, September 07, 2004 at 7:03:58 AM
Group Policy was applied from: ad-srvr.ABC-OPS.COM


===============================================================


The computer received "Registry" settings from these GPOs:

        Local Group Policy
        Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
        ABC-Local-Admin-Computers Group Policy Object


===============================================================
The computer received "EFS recovery" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
Question by:halfondj
6 Comments
 
LVL 9

Expert Comment

by:jdeclue
ID: 11996895
When you say log on as a local admin, do you mean, as a user in the group added through the restricted policy?

J
0
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 1000 total points
ID: 11998454
You can run gpresult with the switches /v (verbose) or even /s (super verbose), which should tell you a bit more about which settings are applied.
Does that yield anything useful?
0
 

Author Comment

by:halfondj
ID: 12000880
To jdeclue: Yes.  Exactly like you advised me to do in my past postings you answered :).

To oBdA: Thanks for the suggestion.  I will have to try it and let you know the results.
0
LVL 9

Accepted Solution

by:jdeclue
jdeclue earned 1000 total points
ID: 12005591
Log in as the local administrator, open Computer Management and view the Administrators group in Local Users and Groups. Verify that the group is listed in there as Domainname\Groupname; it should be this way in the policy as well. Is it possible that you put in the name without the domain name, thereby creating a local group with no members?

J
0
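
The check described in the accepted answer, as an added PowerShell example that is not part of the original thread: it lists each entry of the local Administrators group, marks whether the logged-on user's token matches it, and reports expected policy groups that are absent. The function name `Test-LocalAdminPath`, the SIDs and the expected-group list are constructed for illustration; the domain, computer and group names are taken from the question.

```powershell
# Added example, not from the thread. Function name and sample SIDs are hypothetical.
function Test-LocalAdminPath {
    param(
        [object[]] $Members,    # objects with Name, ObjectClass, SID (shape of Get-LocalGroupMember output)
        [string[]] $TokenSids,  # user SID plus group SIDs from the logon token
        [string[]] $Expected    # DOMAIN\Group names the Restricted Groups policy should add
    )
    foreach ($m in $Members) {
        [pscustomobject]@{
            Entry       = $m.Name
            Class       = $m.ObjectClass
            Status      = 'Present'
            # True when the token carries this entry's SID (the user itself or one of its groups)
            GrantsAdmin = $TokenSids -contains "$($m.SID)"
        }
    }
    foreach ($e in $Expected) {
        # -notcontains compares names case-insensitively
        if (@($Members.Name) -notcontains $e) {
            [pscustomobject]@{ Entry = $e; Class = 'Group'; Status = 'MissingFromGroup'; GrantsAdmin = $false }
        }
    }
}

# Constructed sample: local Administrators on OP-02 after the Restricted Groups policy applied
$members = @(
    [pscustomobject]@{ Name = 'OP-02\Administrator'; ObjectClass = 'User'; SID = 'S-1-5-21-1000-1000-1000-500' }
    [pscustomobject]@{ Name = 'ABC-OPS\Domain Admins'; ObjectClass = 'Group'; SID = 'S-1-5-21-2000-2000-2000-512' }
    [pscustomobject]@{ Name = 'ABC-OPS\ABC-Local-Admin-Grp'; ObjectClass = 'Group'; SID = 'S-1-5-21-2000-2000-2000-1105' }
)
# Constructed token for test_user: own SID, Domain Users, ABC-Test-Grp
$tokenSids = 'S-1-5-21-2000-2000-2000-1150', 'S-1-5-21-2000-2000-2000-513', 'S-1-5-21-2000-2000-2000-1120'
$expected  = 'ABC-OPS\ABC-Local-Admin-Grp', 'ABC-OPS\ABC-Test-Grp'

$report = @(Test-LocalAdminPath -Members $members -TokenSids $tokenSids -Expected $expected)
$report | Format-Table -AutoSize
if (-not ($report | Where-Object { $_.GrantsAdmin })) {
    'No Administrators entry matches this token: the user is not a local admin on this PC.'
}

# Live use on the PC itself (Windows PowerShell 5.1 or later):
#   $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
#   $sids = @($id.User.Value) + @($id.Groups | ForEach-Object Value)
#   Test-LocalAdminPath -Members (Get-LocalGroupMember -SID S-1-5-32-544) -TokenSids $sids -Expected $expected
```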
 

Author Comment

by:halfondj
ID: 12006497
To jdeclue:  Once again I want to thank you for your replies.  By doing what you recommended in your previous post, it showed me what my problem was.  I omitted a group from the 'Restricted Groups' that contained the userid that I was logging onto the PC with.  Having made this mistake, I am continuing to get a better idea of how Restricted Groups work.

Since oBdA informed me of the switches for the GPRESULT application, which also assisted in finding my problem, I would like to increase the points and split them.

Thanks.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12006567
Thank you sir... glad to help ;)

J
0


Question has a verified solution.
