G
Guest
Hello, I have a small network. The domain controller running active directory
is a Windows 2000 server, and i have a Windows 2003 terminal server.
On the Windows 2000 active directory and users, I applied a group/security
policy
that, among many other things, said "deny user jimmy from making changes
to the hklm registry key." This was the default policy for the domain, so i
assume its applying to every OU (terminal server itself, users). I set the
refresh rate to 5 minutes, and waited a little over that time.
I logged into the terminal server, tried changing values and adding keys in
hklm, and as i expected, i couldnt succeed. I figured this was to do with
the settings applied to the default domain policy. Howver,
On the windows 2003 terminal server, i went into the
systemroot/system32/config
directory, and set inhertable permissions so that the jimmy user has full
access there.
Now, as i load regedit when logged into the terminal server, i have full
access to all keys, even the hklm key i specified as read-only in the default
domain policy!
If i were to have kept the system32/config read only to jimmy, and had
specified in the default domain policy to allow writing by jimmy to hklm, it
would have been denied. It seems as though changing security settings for
domain computer registries is not applied, or i am doing something wrong.
Anyone know? What is this setting in the group policy/security policy for?
It does nothing for me!
is a Windows 2000 server, and i have a Windows 2003 terminal server.
On the Windows 2000 active directory and users, I applied a group/security
policy
that, among many other things, said "deny user jimmy from making changes
to the hklm registry key." This was the default policy for the domain, so i
assume its applying to every OU (terminal server itself, users). I set the
refresh rate to 5 minutes, and waited a little over that time.
I logged into the terminal server, tried changing values and adding keys in
hklm, and as i expected, i couldnt succeed. I figured this was to do with
the settings applied to the default domain policy. Howver,
On the windows 2003 terminal server, i went into the
systemroot/system32/config
directory, and set inhertable permissions so that the jimmy user has full
access there.
Now, as i load regedit when logged into the terminal server, i have full
access to all keys, even the hklm key i specified as read-only in the default
domain policy!
If i were to have kept the system32/config read only to jimmy, and had
specified in the default domain policy to allow writing by jimmy to hklm, it
would have been denied. It seems as though changing security settings for
domain computer registries is not applied, or i am doing something wrong.
Anyone know? What is this setting in the group policy/security policy for?
It does nothing for me!