Question about group policy/security policy registry settings

Guest

Hello, I have a small network. The domain controller running Active Directory
is a Windows 2000 server, and I have a Windows 2003 terminal server.

On the Windows 2000 Active Directory and users, I applied a group/security
policy that, among many other things, said "deny user jimmy from making changes
to the HKLM registry key." This was the default policy for the domain, so I
assume it's applying to every OU (terminal server itself, users). I set the
refresh rate to 5 minutes, and waited a little over that time.

I logged into the terminal server, tried changing values and adding keys in
HKLM, and as I expected, I couldn't succeed. I figured this was to do with
the settings applied to the default domain policy. However,

On the Windows 2003 terminal server, I went into the
systemroot/system32/config directory, and set inheritable permissions so that
the jimmy user has full access there.

Now, as I load regedit when logged into the terminal server, I have full
access to all keys, even the HKLM key I specified as read-only in the default
domain policy!

If I were to have kept the system32/config read-only to jimmy, and had
specified in the default domain policy to allow writing by jimmy to HKLM, it
would have been denied. It seems as though changing security settings for
domain computer registries is not applied, or I am doing something wrong.

Anyone know? What is this setting in the group policy/security policy for?
It does nothing for me!
 
Roger Abell [MVP]

Perhaps you need to do a little reading such as is available via
www.microsoft.com/gp

Jimmy should have had no permissions to write to HKLM anyway
if the account was not an admin, and if it is an admin it should have
that capability. In general, you can get into some real hot water by
trying to second guess the default permissions in the registry of a
W2k3 or XP machine, and even more easily or rather even hotter
water if doing so by group policy instead of a reg edit.

The group policy applied, perhaps changing nothing or adding the
deny. We really do not know from what you have said.
You would need to be more specific about the nature of the Jimmy
account and precisely what was applied with policy. Notice that the
policy you used would have been a Computer policy, so it would
apply to the machines of the domain, not to the users.
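As an added check (example code, not from either poster): a PowerShell script, for PowerShell 3 or later on a Windows host, that lists the ACEs granting or denying one account modify rights on HKLM keys and on the hive files under System32\config, since the registry key ACL and the NTFS ACL on the hive file are set and enforced separately. The account name and the choice of SOFTWARE and SYSTEM as the keys to inspect are assumptions.

```powershell
# Added example (not from the thread): list the ACEs that let one principal
# modify the HKLM keys a policy targets and the on-disk hive files under
# %SystemRoot%\System32\config, so the two permission sets can be compared.
# Run from an elevated PowerShell prompt on the server being checked.
# The principal name is an assumption; substitute the account under test.
$Principal = "CONTOSO\jimmy"

# Rights that amount to "can modify" on a registry key and on a file
$RegWrite  = [int][System.Security.AccessControl.RegistryRights] "SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership, WriteKey, FullControl"
$FileWrite = [int][System.Security.AccessControl.FileSystemRights] "Write, Delete, ChangePermissions, TakeOwnership, Modify, FullControl"

function Get-ModifyAces {
    param([string]$Path, [string]$Who, [int]$Mask, [string]$RightsProp)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL on ${Path}: $_"; return }
    foreach ($ace in $acl.Access) {
        # Only ACEs naming the principal itself; rights obtained through
        # group membership need a token check that this script does not do
        if ($ace.IdentityReference.Value -ne $Who) { continue }
        if (([int]$ace.$RightsProp -band $Mask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Type      = $ace.AccessControlType   # Allow or Deny
            Rights    = $ace.$RightsProp
            Inherited = $ace.IsInherited
        }
    }
}

$report = @()
# Registry side: keys the policy's registry security settings would touch (assumed)
foreach ($key in "HKLM:\SOFTWARE", "HKLM:\SYSTEM") {
    $report += @(Get-ModifyAces -Path $key -Who $Principal -Mask $RegWrite -RightsProp RegistryRights)
}
# File side: the config directory itself and the hive files stored in it
$configDir = Join-Path $env:SystemRoot "System32\config"
$targets = @($configDir) + @(Get-ChildItem -LiteralPath $configDir |
    Where-Object { -not $_.PSIsContainer } | ForEach-Object { $_.FullName })
foreach ($file in $targets) {
    $report += @(Get-ModifyAces -Path $file -Who $Principal -Mask $FileWrite -RightsProp FileSystemRights)
}

if ($report.Count -eq 0) { "No Allow/Deny modify ACEs name $Principal directly." }
else { $report | Format-Table -AutoSize }
```

A Deny ACE on the key with an Allow ACE on the hive file, or the reverse, shows up side by side in the output, which is the comparison the thread is asking about.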