No announcement yet.

GPO's (or something else?) affecting registry permissions

  • Filter
  • Time
  • Show
Clear All
new posts

  • GPO's (or something else?) affecting registry permissions


    First off, my apologies for the long-winded question.

    I'm having a really weird problem with registry permissions on workstations in my domain. I have a feeling it's a problem with the GPO's (or something) in my domain, but I'm not sure what or how to troubleshoot.

    When joining a new workstation to the domain, a number of the registry keys on that workstation loose permissions and cannot be accessed via regedit (even under the local or domain administrator accounts, as if there was a deny permission set somewhere)

    In particular it's the HKCR\Interface and HKLM\SOFTWARE\Classes keys (and I think there are some others too). I cannot view many of the sub-keys (access denied), and I cannot reset the permissions on the sub-keys directly. I have to replace the ownership on the parent key and then reset permissions on the parent and select the "replace all entries" option.

    Then even after I replace the parent permissions (which warns me it could not reset permissions all sub-keys), I have to follow these same "replace ownership and reset permissions" steps on the individual sub-keys (which I'm only able to do after performing those steps on the parent first)

    Often times I notice that when I open the permissions for the parent (or one of the sub-key), it has no entries in the permissions list. Then ask soon as I add "everyone", it populates the list with all of the inherited permissions.

    This registry trouble happens with brand new installations of XP Pro SP2, only installing Office 2000 and a few utilities and applications before joining the domain.

    It is a Windows 2000 domain, upgraded from NT4, with XP/2003 domain extension added.

    I have a SUS server for Windows Updates, but I haven't yet figured out if the permissions problems appear before or after SUS installs the 90-some-odd updates.

    I am using a few GPO's assigned for some standard things (software installation, reistricting access to change settings, mapping drives, etc), but nothing special. I've checked through all the GPO's and cannot figure out why it would be denying/removing permissions on the workstations. I do not have anything under the Computer\Windows\Security\Registry section in any of the GPO's.

    Any ideas how I can troubleshoot this would be appreciated.


  • #2
    Re: GPO's (or something else?) affecting registry permissions

    On the ffected client XP computer, run "rsop.msc" to get the GPO settings that are applied from domain GPOs.
    Are you using the same image for the computers that are effected ?
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"