We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now

x

Group Policy - RSOP Logging - Registry permissions

Medium Priority
965 Views
Last Modified: 2012-08-14
I have a Windows Server 2003 domain and I created a group policy "Test" and I applied at the domain level.  I made a change under Computer Configuration\Windows Settings\Security Settings\Registry.  I added the key "MACHINE\Software\Microsoft\Windows NT\Current Version\Svchost".  

I changed the security permissions on this key to be
Administrators -- Read
Users -- Read

I selected the setting to "Configure this key, then replace existing permissions on all subkeys with inheritable permissions".  

The group policy seems to have been pushed out to all of the computers in the domain.  

I ran the Resultant set of Policy (Logging) on a few of the computers in the domain and it looks to be receiving the policy.  I checked under the Precedence tab and it shows the correct group policy.  However, when I check the permissions for that registry key by going to Properties, Security Policy setting, View Security  it shows "Everyone" Full control.  It should be Read only.

Comment
Watch Question

hmm... hat happens if you run rsop.msc on the system in question? what does that show? you can also run gpresult /v for verbose.

I would be curious to see what is really/actually being applied to any of the machines.

Try this check on the server itself then on a few client machnes, i am just curious, are any policies
set to block inhertance?

"MACHINE\Software\Microsoft\Windows NT\Current Version\Svchost".  << That may not be the best way to test, why did you choose that key?

Robert
Commented:
I got an answer from a few other Microsoft posts:

This is  known issue with RSOP.  The policies are applied correctly but the RSOP is actually showing the permissions for the policy, not for the registry key itself.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.