GPO enforcing Registry Security doesn't apply properly

Discussion in 'Active Directory' started by Michel Lapointe, Apr 13, 2004.

  1. Hello,

    Is there a way to set the Registry security by using a Computer GPO, if
    the SYSTEM account doesn't have access to this Registry Key?

    The reason is that some user have play with the Registry and remove the
    SYSTEM account on the security tab, therefore those key cannot be update by
    the GPO anymore.

    Any idea?

    Thank

    ML
     
    Michel Lapointe, Apr 13, 2004
    #1
    1. Advertisements

  2. Sure, just go under Computer Configuration|Windows Settings|Security
    Settings, under there you will see Registry permissions. Add in he correct
    Registry keys you want to secure and you are done!
     
    Derek Melber [MVP], Apr 13, 2004
    #2
    1. Advertisements

  3. That what I've done... And in the winlogon.log it says access denied.

    It can't overwrite the current permission since SYSTEM have no right on this
    key

    Thank

    ML
     
    Michel Lapointe, Apr 13, 2004
    #3
  4. what key are you trying to control?
     
    Derek Melber [MVP], Apr 13, 2004
    #4
  5. HKLM\system\currentcontrolset\control\securepipeservers\winreg
     
    Michel Lapointe, Apr 14, 2004
    #5
  6. Be sure to look at the ACL on that reg key. It might be locked down, to
    reduce access remotely.
     
    Derek Melber [MVP], Apr 14, 2004
    #6
  7. I know... that's the problem and I want to change the ACL using the GPO, but
    the GPO doesn't have access to this key.

    Is there a way to have GPO execute with all right?

    ML
     
    Michel Lapointe, Apr 19, 2004
    #7
  8. GPOs execute with system privilege. Maybe the system or administrator has
    been explicitly DENY'd access to this key?
     
    Derek Melber [MVP], Apr 19, 2004
    #8
  9. Have not be denied, but SYSTEM have no access.

    So unless there is an override there is no way to reset the permission on
    the key

    Thank

    ML
     
    Michel Lapointe, Apr 19, 2004
    #9
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.