
Group Policy - RSOP Logging - Registry permissions

Posted on 2009-02-15
Medium Priority
Last Modified: 2012-08-14
I have a Windows Server 2003 domain and I created a group policy "Test" and I applied at the domain level.  I made a change under Computer Configuration\Windows Settings\Security Settings\Registry.  I added the key "MACHINE\Software\Microsoft\Windows NT\Current Version\Svchost".  

I changed the security permissions on this key to be
Administrators -- Read
Users -- Read

I selected the setting to "Configure this key, then replace existing permissions on all subkeys with inheritable permissions".  

The group policy seems to have been pushed out to all of the computers in the domain.  

I ran the Resultant set of Policy (Logging) on a few of the computers in the domain and it looks to be receiving the policy.  I checked under the Precedence tab and it shows the correct group policy.  However, when I check the permissions for that registry key by going to Properties, Security Policy setting, View Security  it shows "Everyone" Full control.  It should be Read only.

Question by:Florescu

Expert Comment

ID: 23647465
Hmm... what happens if you run rsop.msc on the system in question? What does that show? You can also run gpresult /v for verbose.

I would be curious to see what is really/actually being applied to any of the machines.

Try this check on the server itself, then on a few client machines. I am just curious, are any policies set to block inheritance?

"MACHINE\Software\Microsoft\Windows NT\Current Version\Svchost".  << That may not be the best way to test, why did you choose that key?


Accepted Solution

Florescu earned 0 total points
ID: 23673130
I got an answer from a few other Microsoft posts:

This is a known issue with RSOP. The policies are applied correctly, but the RSOP is actually showing the permissions for the policy, not for the registry key itself.
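
Since RSOP shows the policy's permissions rather than the key's, the applied ACL can be read from the registry key directly. The script below is an added example, not part of the original thread; it assumes PowerShell 3.0 or later, an elevated prompt on the machine being checked, and the key path as it exists in the registry (`CurrentVersion`). It lists every allow entry on the key and its subkeys that still grants write access, which should be none if the read-only policy took effect.

```powershell
# Added example: compare the key's real DACL with the read-only intent of the GPO.
# Assumes PowerShell 3.0+ and an elevated prompt on the machine being checked.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# Specific rights that permit modification of a key or its security descriptor.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) can appear unmapped in an ACE.
$genericMask = 0x50000000

function Get-WritableAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $rights = [int]$ace.RegistryRights
        $canWrite = (($rights -band $writeMask) -ne 0) -or (($rights -band $genericMask) -ne 0)
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite) {
            [pscustomobject]@{
                Key       = $acl.Path -replace '^.*::', ''
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The GPO was set to replace permissions on all subkeys, so check the key and its children.
$targets = @($keyPath) + @(Get-ChildItem -LiteralPath $keyPath -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSPath })

$findings = foreach ($t in $targets) { Get-WritableAce -Path $t }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No allow ACE grants write access under $keyPath"
}
```

An `Everyone` entry with `FullControl` in this output would mean the key itself is writable, whatever RSOP displays.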

Question has a verified solution.