Re: Save me from my stupidity

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 12/29/04


Date: Tue, 28 Dec 2004 17:22:37 -0700

Windows 2000 and earlier did not set NTFS permissions on
directories that were from upgrade installs, or converted to
NTFS from FAT.
The registry part of what you were saying is behind the scenes.
What is important is that the system32\GroupPolicy folder is
not readable by the account logging in so that policy will not
be applied to it. I have never had someone not have this work
for them when in your situation, at least as I hear your description
of the situation. 100% success until now. So, are you sure that
the Deny of full control for administrators was saved, and perhaps
check that it propagated onto the contents of the folder.
The "normal" permissions for the folder in Windows 2000 (server)
are grants of Administrators Full ; SYSTEM Full; and Authenticated
Users Read&Execute (and so List+Read)

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"stefanT" <stefanT@discussions.microsoft.com> wrote in message
news:C9ADAD1D-1D45-4565-9BBE-C79F4E029C6F@microsoft.com...
> OK. take #2
>
> I find I can access via the network after all. So I navigate to
> sysroot/sys32/GroupPolicy and set Deny on full for Administrators. I've not
> logged in locally yet so I give it a try.  No joy.  I reboot the machine and
> try again - still no joy.  Same logon message - 'local policy does not permit
> interactive logon'.  Any thoughts?
>
> What should the permissions be on this directory?  Mine show
> Admins    : allow unset ; deny unset
> System    : allow unset ; deny unset
> Everyone : allow full     ; deny unset
>
> The machine I'm working on was upgraded from W98 and the partition converted
> to NTFS afterwards.  I've got another W2k-Pro machine which had a Fat32
> sysroot partition.  I've just converted that to NTFS and that shows the same
> permissions as well.  Somehow, though, it doesn't feel quite right to have
> full permissions for Everyone and no permissions for Admins or System.
>
> StefanT
>
> "stefanT" wrote:
>
> > Well and truly - grabbed by the short and curlys.
> snip....
> >
> > StefanT
> >
> > "Roger Abell" wrote:
> >
> > > Hmmm,  got bitten a little by that one ?  At least we can get
> > > you out of it, and it is likely one of the worst, for a machine
> > > that is not a domain controller, that one can accident upon
> > > while tightening a machine.  Just remember that deny always
> > > overrules a grant, and the Users, Authenticated Users, Everyone,
> > > Network, and Interactive have wide impacts.
> > >
> > > OK, so you need, as an admin, to locate your folder permissions
> > > at system32\GroupPolicy and there set a Deny of full for the
> > > Administrators group.  Then, log off and back on, remove the
> > > Deny you just set, and then immediately edit the local security
> > > policies to remove the problem setting.
> > > At a cmd prompt force refresh of policy (at prompt enter secedit
> > > and go to the How to . . . refresh ), then log off and back in to see
> > > if you are now set to go.
> > >
> > > -- 
> > > Roger Abell
> > > Microsoft MVP (Windows  Security)
> > > MCSE (W2k3,W2k,Nt4)  MCDBA
> > > "stefanT" <stefanT@discussions.microsoft.com> wrote in message
> > > news:C3BF937E-61C3-4DE7-9930-F7E6449BF071@microsoft.com...
> > > > After being given "Hardening Windows Systems" for Christmas I decided to
> > > > play about with the local policy settings on my networked W2k Pro machine.
> snip...
> > > > StefanT
> > >
> > >
> > >
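
One way to run the checks suggested in the reply above (was the Deny saved or left behind, did it propagate onto the folder contents, does the folder carry the "normal" grants), as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later is available, which a stock Windows 2000 install does not have; the function name `Test-GroupPolicyAcl` is hypothetical.

```powershell
# Added example (not from the thread). Read-only audit of the policy folder ACL.
$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$rx   = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# "Normal" grants quoted in the reply, keyed by well-known SID (locale independent).
$baseline = @{
    'S-1-5-32-544' = $full   # BUILTIN\Administrators: Full
    'S-1-5-18'     = $full   # NT AUTHORITY\SYSTEM: Full
    'S-1-5-11'     = $rx     # Authenticated Users: Read & Execute
}

function Test-GroupPolicyAcl {   # hypothetical helper name
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\GroupPolicy'))
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # 1. The folder itself must carry each baseline grant as an Allow ACE.
    $root = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($sid in $baseline.Keys) {
        $need = $baseline[$sid]
        $ok = $root | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $sid -and
            ([int]$_.FileSystemRights -band $need) -eq $need }
        if (-not $ok) { "MISSING expected grant for $sid on $Path" }
    }

    # 2. Walk the folder and its contents: report any Deny ACE (explicit or
    #    inherited) and any Everyone:Full grant, as seen on the converted volumes.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $rules = (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, $sidType)
        foreach ($r in $rules) {
            $sid = $r.IdentityReference.Value
            if ($r.AccessControlType -eq 'Deny') {
                # Deny overrules any grant, so every one is worth a line.
                "DENY    $sid  $($r.FileSystemRights)  $($item.FullName)"
            } elseif ($sid -eq 'S-1-1-0' -and ([int]$r.FileSystemRights -band $full) -eq $full) {
                "WEAK    Everyone has Full Control  $($item.FullName)"
            }
        }
    }
}

Test-GroupPolicyAcl   # prints nothing when the ACLs match the baseline
```

Run it from an elevated prompt; the script only reads ACLs and changes nothing.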

