Solved

Active Directory: Registry Setting configuration question

Posted on 2004-09-07
6
140 Views
Last Modified: 2010-04-14
As recommended in a previous post that I made - http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21119617.html, I disabled the user policy in an OU GPO [ABC-Local-Computers-OU].

Now that I did that, when I execute GPRESULT on a PC that is in the ABC-Local-Computers-OU, I see that the computer received "Registry" settings from the Default Domain Policy.

When I'm logged onto the same PC as a local Admin, configured by the restricted groups policy, and try to install an application, I received a message that the registry couldn't be written to.  The same application installs properly when I log on as 'Administrator', which is also configured by the restricted groups policy.

Question: Am I configuring the GPOs incorrectly?

I've included my OU structure below, as well as the GPRESULT output.

Please advise.

Thanks!

Here's the structure to my GPOs/OUs, etc.

ABC.COM - domain  - default domain policy (only policy used) - small company; allows users to changed date/time in GPO
   ABC-Local-Computers-OU [restricted groups policy set, as well as allowing the date/time change]
      Computer-1  [all computers that need to have local admin rights]
      Computer-2
            :
   ABC-Department-OU
        ABC-Local-Admin-Grp [members consist of some accounting users, etc. and the test user]
        ABC-Accounting-OU
             ABC-Acct-Grp [members consist of accounting users]
                 acct_user
        ABC-Credit-OU
             ABC-Credit-Grp
                  credit_user
                   :
        ABC-Test-OU  - for testing purposes, I created a GPO with only the restricted groups policy set
             ABC-Test-Grp [only member is test_user]
                  test_user

  Computers [the container that's setup when AD is installed]
     All other domain computers are here including servers


Here's the computer group policy printed from GPRESULT:

###############################################################

  Computer Group Policy results for:

  CN=OP-02,OU=ABC-Local-Admin-Computers,DC=ABC-OPS,DC=com

  Domain Name:          ABC-OPS
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

        BUILTIN\Administrators
        \Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        ABC-OPS\OP-02$
        ABC-OPS\Domain Computers

###############################################################

Last time Group Policy was applied: Tuesday, September 07, 2004 at 7:03:58 AM
Group Policy was applied from: ad-srvr.ABC-OPS.COM


===============================================================


The computer received "Registry" settings from these GPOs:

        Local Group Policy
        Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
        ABC-Local-Admin-Computers Group Policy Object


===============================================================
The computer received "EFS recovery" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
0
Comment
Question by:halfondj
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 9

Expert Comment

by:jdeclue
ID: 11996895
When you say log on as a local admin, do you mean, as a user in the group added through the restricted policy?

J
0
 
LVL 84

Assisted Solution

by:oBdA
oBdA earned 250 total points
ID: 11998454
You can run gpresult with the switches /v (verbose) or even /s (super verbose), which sould tell you a bit more about which settings are applied.
Does that yield anything useful?
0
 

Author Comment

by:halfondj
ID: 12000880
To jdeclue: Yes.  Exactly like you advised me to do in my past postings you answered :).

To oBdA: Thanks for the suggestion.  I will have to try it and let you know the results.
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 9

Accepted Solution

by:
jdeclue earned 250 total points
ID: 12005591
Log in as the local administrator, open the Computer Management and view the Administrators Group in Local Users and Groups. Verify that the group is listed in there as Domainname\Groupname, should be this way in the policy as well. Is it possible that you put in the name without the domain name, thereby creating a local group with no members?

J
0
 

Author Comment

by:halfondj
ID: 12006497
To jdeclue:  Once again I want to thank you for your replies.  By doing what you recommended in your previous post, it showed me what my problem was.  I omitted a group from the 'Restricted Groups' that contained the userid that I was logging onto the PC with.  Having made this mistake, I am continuing to get a better idea to how Restricted Groups work.

Since oBdA informed me of the switches for the GPRESULT application, which also assisted in finding my problem, I would like to increase the points and split them.

Thanks.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12006567
Thank you sir... glad to help ;)

J
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Win 2000 Pro - RDP Connection 2008 R2 Terminal Service 4 542
Windows Foriegn Disk 3 141
Repair old Windows 2000 boot 15 243
Windows 2000 48-bit LBA 13 52
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This article was originally published on Monitis Blog, you can check it  here . If you have responsibility for software in production, I bet you’d like to know more about it. I don’t mean that you’d like an extra peek into the bowels of the sour…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question