Posted by mike.hubenschmidt on April 27, 2006, 7:27 am
We just finished assisting Microsoft with an issue that I feel needs to be put out there due to lack of information on the topic, even though it's a unique scenario. In a nutshell, here is the problem.

All of our Windows 2000 workstations in our enterprise lost the ability for the local system accounts (interactive, network services, and system) to manipulate certain services. This stopped us from installing programs or making changes to the system that require these permissions, the main one being the latest version of the SMS 2003 SP2 client. It would not finish the unattended install due to a permissions error on the 2000 workstations.

We did originally have a domain-level policy that removed everyone's rights to stop or change the BITS, Automatic Updates, Netlogon, and SMS host services. But knowing that this existed, we disabled it by several means, starting with unchecking the services inside the policy and ending with deleting the policy from the domain completely. We forced the updates on the workstations with enforce, made many reboots, etc. etc. etc. To no avail; we were still having problems. I then thought, hmm, a possible, dare I say, "anomaly"? I created a brand new policy, reconfigured the affected "services" and manually added all the permissions back. BOOM, all was well.

So here is the bottom line: if you remove or modify the permissions via a 2003 group policy, push it out to all your clients, and then disable said policy, the ACLs/perms for the services stay and do not get reverted back to their defaults until a new one is pushed. As you can see, this could potentially be VERY detrimental in an enterprise and extremely difficult to diagnose. Microsoft is testing it now to recreate the issue for a specific resolution path.

Enjoy.
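
An added example, not part of the original post: one way to spot the leftover service ACLs described above is to compare each service's current security descriptor with one captured from a known-good machine. It assumes both are available as SDDL strings (the form `sc sdshow` prints); the sample strings and the names `lost_rights`, `BASELINE` and `LEFTOVER` are constructed for illustration, with SY, BA and IU being the SDDL aliases for Local System, built-in Administrators and Interactive.

```python
import re

# (SDDL token, access-mask bit, service-specific meaning) for service objects.
RIGHTS = [
    ("CC", 0x00001, "QUERY_CONFIG"), ("DC", 0x00002, "CHANGE_CONFIG"),
    ("LC", 0x00004, "QUERY_STATUS"), ("SW", 0x00008, "ENUMERATE_DEPENDENTS"),
    ("RP", 0x00010, "START"), ("WP", 0x00020, "STOP"),
    ("DT", 0x00040, "PAUSE_CONTINUE"), ("LO", 0x00080, "INTERROGATE"),
    ("CR", 0x00100, "USER_DEFINED_CONTROL"), ("SD", 0x10000, "DELETE"),
    ("RC", 0x20000, "READ_CONTROL"), ("WD", 0x40000, "WRITE_DAC"),
    ("WO", 0x80000, "WRITE_OWNER"),
]
BY_TOKEN = {tok: name for tok, _, name in RIGHTS}

def decode_rights(field):
    """Turn an ACE rights field (token string or hex mask) into right names."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for _, bit, name in RIGHTS if mask & bit}
    # Unknown tokens (e.g. generic rights such as GA) are kept verbatim.
    return {BY_TOKEN.get(tok, tok) for tok in re.findall(r"[A-Z]{2}", field)}

def allowed_rights(sddl):
    """Map trustee -> rights granted by allow ACEs in the DACL (SACL ignored)."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    granted = {}
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) >= 6 and fields[0] == "A":  # deny/audit ACEs are skipped
            granted.setdefault(fields[5], set()).update(decode_rights(fields[2]))
    return granted

def lost_rights(baseline_sddl, current_sddl):
    """Rights each trustee held in the baseline but no longer holds."""
    base, cur = allowed_rights(baseline_sddl), allowed_rights(current_sddl)
    diff = {t: sorted(r - cur.get(t, set())) for t, r in base.items()}
    return {t: lost for t, lost in diff.items() if lost}

# Constructed sample data, not the poster's actual ACLs.
BASELINE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)")
LEFTOVER = ("D:(A;;CCLCSWLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for trustee, lost in lost_rights(BASELINE, LEFTOVER).items():
        print(f"{trustee} lost: {', '.join(lost)}")
```

Run against every workstation after a services policy is unlinked or deleted, a non-empty result for a service marks a machine where the policy's ACL is still in place.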
Posted by Deephazz on April 27, 2006, 5:33 pm
Thx for sharing this information!
It might be helpful.