Posted by Will on March 12, 2008, 7:24 pm
I am for the first time trying to use group policy to enforce starting
services on particular computers. My first use case was the Windows
Firewall service. I set group policy to start this service automatically
in our domain on all computers. Okay, I screwed this one up but good.
Apparently the group policy not only changes the default start setting of
the service, but also changes the security ACL on the service!! And,
apparently, the default ACL in Microsoft group policy is NOT compatible with
at least some of our computers. Starting Windows Firewall service on the
affected computers fails with:
"0x80004015 the class is configured to run as a security id different
from the caller"
The default ACL for group policy apparently gives Full Control to
Administrators and SYSTEM, and Read access to INTERACTIVE. Conspicuously
missing from this list is the Authenticated Users entity, which I believe is
how Local Service and Network Service reserved user accounts get access to
services.
Knowledge base 892199 discusses this issue, but the knowledge base is quite
dense and I find the security descriptor representations they are using to
be just borderline understandable by a human being who is not daily immersed
in that obscure syntax.
Using group policy, what ACL should I set for a service that I want to have
enforced as Automatic on Windows XP and Windows 2003? I don't want to
twiddle with the security descriptors on individual computers, but want to
fix the ACL using the ACL GUI in group policy. I need an ACL that is
compatible with starting the service by Network Service or Local Service
user accounts.
--
Will
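Added example (not part of the original post): a small SDDL decoder that turns the security descriptor syntax from the knowledge base article into a per-principal list of service rights and reports which "Read" rights a given principal lacks. The sample descriptor is constructed to match the group policy default described above (Full Control to Administrators and SYSTEM, Read to INTERACTIVE); the right and SID abbreviations are the standard SDDL ones.

```python
import re

# Service-specific and standard access right tokens used in SDDL ACE strings.
RIGHTS = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus",
    "SW": "EnumerateDependents", "RP": "Start", "WP": "Stop",
    "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl",
    "SD": "Delete", "RC": "ReadControl", "WD": "WriteDac", "WO": "WriteOwner",
    "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite", "GX": "GenericExecute",
}
# Well-known SID abbreviations that commonly appear in service DACLs.
SIDS = {"BA": "Administrators", "SY": "SYSTEM", "IU": "INTERACTIVE",
        "AU": "Authenticated Users", "LS": "LOCAL SERVICE", "NS": "NETWORK SERVICE",
        "PU": "Power Users", "WD": "Everyone"}
# Rights that the group policy service editor's "Read" checkbox expands to.
READ_SET = {"CC", "LC", "SW", "LO", "CR", "RC"}

# ACE layout: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\((\w);(\w*);(\w*);(\w*);(\w*);([\w-]+)\)")

# Constructed sample (not captured from a real host): the GPO default the post describes.
GPO_DEFAULT = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
               "(A;;CCLCSWLOCRRC;;;IU)")

def parse_dacl(sddl):
    """Return [(ace_type, principal, {right_token, ...})] for the D: part of an SDDL string."""
    if "D:" not in sddl:
        raise ValueError("no DACL (D:) section in descriptor")
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # stop before any SACL
    aces = []
    for ace_type, _flags, rights, _obj, _inh, sid in ACE_RE.findall(dacl):
        # Rights are two-letter tokens; a raw hex mask is kept as a single token.
        tokens = {rights} if rights.startswith("0x") else {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, SIDS.get(sid, sid), tokens))
    return aces

def describe(sddl):
    """Human-readable line per ACE, e.g. 'Allow INTERACTIVE: Interrogate, QueryConfig, ...'."""
    return [f"{'Allow' if t == 'A' else 'Deny'} {p}: " + ", ".join(sorted(RIGHTS.get(r, r) for r in rs))
            for t, p, rs in parse_dacl(sddl)]

def missing_read(sddl, principal):
    """Read rights the principal is not explicitly allowed; an empty set means it has Read."""
    granted = set()
    for t, p, rs in parse_dacl(sddl):
        if t == "A" and p == principal:
            granted |= rs
    return READ_SET - granted

if __name__ == "__main__":
    print("\n".join(describe(GPO_DEFAULT)))
    print("Authenticated Users lack:", sorted(missing_read(GPO_DEFAULT, "Authenticated Users")))
```

Feed it the output of `sc sdshow <service>` from an affected and an unaffected machine to compare which principals differ, which is easier than reading the raw strings in the article.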