Solved

Active Directory: Registry Setting configuration question

Posted on 2004-09-07
Last Modified: 2010-04-14
As recommended in a previous post that I made - http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21119617.html, I disabled the user policy in an OU GPO [ABC-Local-Computers-OU].

Now that I did that, when I execute GPRESULT on a PC that is in the ABC-Local-Computers-OU, I see that the computer received "Registry" settings from the Default Domain Policy.

When I'm logged onto the same PC as a local Admin, configured by the restricted groups policy, and try to install an application, I received a message that the registry couldn't be written to.  The same application installs properly when I log on as 'Administrator', which is also configured by the restricted groups policy.

Question: Am I configuring the GPOs incorrectly?

I've included my OU structure below, as well as the GPRESULT output.

Please advise.

Thanks!

Here's the structure to my GPOs/OUs, etc.

ABC.COM - domain  - default domain policy (only policy used) - small company; allows users to change date/time in GPO
   ABC-Local-Computers-OU [restricted groups policy set, as well as allowing the date/time change]
      Computer-1  [all computers that need to have local admin rights]
      Computer-2
            :
   ABC-Department-OU
        ABC-Local-Admin-Grp [members consist of some accounting users, etc. and the test user]
        ABC-Accounting-OU
             ABC-Acct-Grp [members consist of accounting users]
                 acct_user
        ABC-Credit-OU
             ABC-Credit-Grp
                  credit_user
                   :
        ABC-Test-OU  - for testing purposes, I created a GPO with only the restricted groups policy set
             ABC-Test-Grp [only member is test_user]
                  test_user

  Computers [the container that's set up when AD is installed]
     All other domain computers are here including servers


Here's the computer group policy printed from GPRESULT:

###############################################################

  Computer Group Policy results for:

  CN=OP-02,OU=ABC-Local-Admin-Computers,DC=ABC-OPS,DC=com

  Domain Name:          ABC-OPS
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

        BUILTIN\Administrators
        \Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        ABC-OPS\OP-02$
        ABC-OPS\Domain Computers

###############################################################

Last time Group Policy was applied: Tuesday, September 07, 2004 at 7:03:58 AM
Group Policy was applied from: ad-srvr.ABC-OPS.COM


===============================================================


The computer received "Registry" settings from these GPOs:

        Local Group Policy
        Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
        ABC-Local-Admin-Computers Group Policy Object


===============================================================
The computer received "EFS recovery" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
0
Question by:halfondj
 
LVL 9

Expert Comment

by:jdeclue
ID: 11996895
When you say log on as a local admin, do you mean, as a user in the group added through the restricted policy?

J
0
 
LVL 84

Assisted Solution

by:oBdA
oBdA earned 250 total points
ID: 11998454
You can run gpresult with the switches /v (verbose) or even /s (super verbose), which should tell you a bit more about which settings are applied.
Does that yield anything useful?
0
 

Author Comment

by:halfondj
ID: 12000880
To jdeclue: Yes.  Exactly like you advised me to do in my past postings you answered :).

To oBdA: Thanks for the suggestion.  I will have to try it and let you know the results.
0

 
LVL 9

Accepted Solution

by:
jdeclue earned 250 total points
ID: 12005591
Log in as the local administrator, open the Computer Management and view the Administrators Group in Local Users and Groups. Verify that the group is listed in there as Domainname\Groupname, should be this way in the policy as well. Is it possible that you put in the name without the domain name, thereby creating a local group with no members?

J
0
 

Author Comment

by:halfondj
ID: 12006497
To jdeclue:  Once again I want to thank you for your replies.  By doing what you recommended in your previous post, it showed me what my problem was.  I omitted a group from the 'Restricted Groups' that contained the userid that I was logging onto the PC with.  Having made this mistake, I am continuing to get a better idea of how Restricted Groups work.

Since oBdA informed me of the switches for the GPRESULT application, which also assisted in finding my problem, I would like to increase the points and split them.

Thanks.
0
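The check from the accepted answer, scripted in PowerShell as an added example (not part of the original thread): it lists the members of the local Administrators group through the ADSI WinNT provider and marks which of them the current logon token carries, which is how an omitted Restricted Groups entry shows up. The Local/Domain split is a heuristic based on the member's ADsPath.

```powershell
# Added example: audit the local Administrators group against the current logon.
# Run on the affected PC while logged on as the user whose install fails.

# Well-known SID of BUILTIN\Administrators; resolve the (possibly localized) name
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# SIDs carried by this logon: the user itself plus every group in its token
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Enumerate the group the way Computer Management shows it
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$report = foreach ($member in @($group.Invoke('Members'))) {
    $type     = $member.GetType()
    $path     = $type.InvokeMember('ADsPath',   'GetProperty', $null, $member, $null)
    $class    = $type.InvokeMember('Class',     'GetProperty', $null, $member, $null)
    $sidBytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
    $sid      = (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$sidBytes, 0)).Value

    [pscustomobject]@{
        Member  = $path -replace '^WinNT://', ''
        Class   = $class
        # Heuristic: local accounts and groups carry the computer name in their path;
        # a Restricted Groups entry typed without the domain name can land here
        Scope   = if ($path -match "/$([regex]::Escape($env:COMPUTERNAME))/") { 'Local' } else { 'Domain' }
        # True when this logon holds the member's SID (directly or via group nesting)
        InToken = $tokenSids -contains $sid
    }
}

$report | Format-Table -AutoSize

if (-not ($report | Where-Object { $_.InToken })) {
    Write-Warning ("$($identity.Name) holds none of the members of '$groupName'. " +
        'Check that a group containing this account is listed in Restricted Groups.')
}
```

Group membership enters the token at logon, so after correcting the Restricted Groups policy and refreshing computer policy, log off and back on before re-running the check.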
 
LVL 9

Expert Comment

by:jdeclue
ID: 12006567
Thank you sir... glad to help ;)

J
0
