Group Policy - RSOP Logging - Registry permissions

Posted on 2009-02-15
Last Modified: 2012-08-14
I have a Windows Server 2003 domain and I created a group policy "Test" and applied it at the domain level.  I made a change under Computer Configuration\Windows Settings\Security Settings\Registry.  I added the key "MACHINE\Software\Microsoft\Windows NT\Current Version\Svchost".

I changed the security permissions on this key to be
Administrators -- Read
Users -- Read

I selected the setting to "Configure this key, then replace existing permissions on all subkeys with inheritable permissions".  

The group policy seems to have been pushed out to all of the computers in the domain.  

I ran the Resultant Set of Policy (Logging) on a few of the computers in the domain and it looks to be receiving the policy.  I checked under the Precedence tab and it shows the correct group policy.  However, when I check the permissions for that registry key by going to Properties, Security Policy setting, View Security, it shows "Everyone" Full Control.  It should be Read only.

Question by: Florescu
    LVL 6

    Expert Comment

    Hmm... what happens if you run rsop.msc on the system in question? What does that show? You can also run gpresult /v for verbose.

    I would be curious to see what is really/actually being applied to any of the machines.

    Try this check on the server itself, then on a few client machines. I am just curious: are any policies set to block inheritance?

    "MACHINE\Software\Microsoft\Windows NT\Current Version\Svchost".  << That may not be the best way to test, why did you choose that key?


    Accepted Solution

    I got an answer from a few other Microsoft posts:

    This is a known issue with RSOP.  The policies are applied correctly, but the RSOP is actually showing the permissions for the policy, not for the registry key itself.
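
    Because RSOP's View Security can show the policy's own permissions rather than the key's, the check a practitioner wants is to read the DACL that is actually on the key on a client. The PowerShell script below is an added example, not code from the thread or from Microsoft: it runs Get-Acl on the key and compares the result with the permissions the GPO was meant to set. The key path is taken from the question as written (GPO "MACHINE\" maps to HKLM:); the expected principals and rights, and the function name Test-RegistryKeyAcl, are assumptions for the comparison and should be adjusted to the policy in use.

```powershell
# Added example (not from the original thread): compare the DACL that is really
# on a registry key with the permissions the GPO was supposed to apply.
# Run in an elevated PowerShell session on the client being checked.
param(
    # Path as written in the question; "MACHINE\" in the GPO editor corresponds to HKLM.
    [string]$KeyPath = 'HKLM:\Software\Microsoft\Windows NT\Current Version\Svchost'
)

# Intended result per the GPO in the question: Administrators and Users, Read only.
# (Assumed expectation for the comparison; adjust to your own policy.)
$ReadOnly = [System.Security.AccessControl.RegistryRights]::ReadKey
$Expected = @{
    'BUILTIN\Administrators' = $ReadOnly
    'BUILTIN\Users'          = $ReadOnly
}

function Test-RegistryKeyAcl {
    param([string]$Path, [hashtable]$Expected)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found on this machine: $Path"
        return $null
    }

    $acl      = Get-Acl -LiteralPath $Path
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }

        if (-not $Expected.ContainsKey($id)) {
            # e.g. an "Everyone: FullControl" ACE the policy was meant to replace
            $findings.Add("Unexpected principal $id with $($ace.RegistryRights)")
            continue
        }
        # Any right bit beyond the expected mask means more than Read was granted.
        $extra = [int]$ace.RegistryRights -band (-bnot [int]($Expected[$id]))
        if ($extra -ne 0) {
            $findings.Add("$id has extra rights: $([System.Security.AccessControl.RegistryRights]$extra)")
        }
    }
    foreach ($id in $Expected.Keys) {
        if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $id })) {
            $findings.Add("Expected principal $id is missing")
        }
    }

    [pscustomobject]@{
        Path               = $Path
        # "replace existing permissions on all subkeys" disables inheritance on the key
        InheritanceBlocked = $acl.AreAccessRulesProtected
        Access             = $acl.Access | Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
        Findings           = $findings
    }
}

$result = Test-RegistryKeyAcl -Path $KeyPath -Expected $Expected
if ($result) {
    "DACL on $($result.Path) (inheritance blocked: $($result.InheritanceBlocked))"
    $result.Access | Format-Table -AutoSize
    if ($result.Findings.Count -eq 0) { "Key matches the intended policy." }
    else { "Deviations:"; $result.Findings | ForEach-Object { "  - $_" } }
}
```

    If the script reports no deviations while RSOP still shows "Everyone" Full Control, the key is secured as intended and the RSOP display is the misleading part, as the accepted solution says. To confirm the GPO itself reached the machine, pair this with the expert's suggestion of gpresult /v (gpresult /scope computer /v limits the report to computer policy).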
